[Samba] Question on proper handling of usernames
christian.mchugh at nau.edu
Fri May 1 17:44:53 GMT 2009
I would like to try to start up a conversation about the "proper" handling of
usernames by samba/winbind. I know our current active directory setup is not
really considered supported via samba and I would like to know if the samba
developers think this might change, or if there are any recommendations for my
*** Since this came out rather long, here is a quick summary...
Samba with "use default domain" is able to serve \\server\JOINED-DOMAIN\username,
but not \\server\OTHER-DOMAIN\username since it cannot look up
the user account in AD to be able to get the location of the home directory.
In discussions with samba developers in the past I got the impression this is
simply a WONT-FIX case, but for my environment I would really like it to work.
I am "just" a lowly systems administrator, and do not possess the necessary
skill set to provide a patch to implement this. Do I have any options?
*** ... and the long version
Due to historical and political reasons, my university has two domains
contained in a single forest: NAU for faculty and staff and NAU-STUDENTS for
students. The problem arises in that many faculty/staff have at one point taken
a class which means that they also have both an NAU and NAU-STUDENTS account.
Additionally, we are using the rfc2307 AD attributes, and unix uid is the same
for both accounts. So should a user log in from either domain they should be
able to access the same mapped drive (I realize this is not technically
supported by samba, but idmap_ad does work with this setup).
Currently in my college, we run a samba fileserver and all of our users have
its drive mapped (we also have UNIX/Linux clients that have nfs mounted home
dirs). We are currently using a third party product to handle pam/nsswitch
which interprets a username as just username. Meaning NAU-STUDENTS\mcm75 or
NAU\mcm75 are considered the same (since they share the same uid).
In testing samba 3.3 and later releases, as I stated, idmap_ad does seem to
work (idmap_adex seems broken #5973) as far as a user from a windows host
connecting. However, as an admin I do occasionally find myself needing to get
into a user's home directory. In this case we have the admin users' permissions
set up to allow this, as well as the use default domain parameter. This
combination allows me to access home directories of users in the same domain
as the server is joined, so in this case NAU-STUDENTS. The problem lies in
trying to access home directories of users that only have accounts in NAU. At
that point trying \\server\nau-only-username, samba/winbind are not able to
resolve the username to look up the location of the home directory to properly
serve it out (#6188). I get the impression that the domain\username is
considered more proper by the samba devs, but are there any plans to
eventually support a domain lookup option? This could replace the current use
default domain, such as:
lookup domains = NAU NAU-STUDENTS
where winbind when not finding a match on username, would first attempt a lookup
on NAU\username followed by NAU-STUDENTS\username
Alternatively, do I have any other options as far as supporting the
\\server\nau-only-username admin access problem?
Northern Arizona University
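As an added illustration (not code from the post or from Samba itself), the following Python models the proposed "lookup domains" fallback over a constructed two-domain directory. The option name, the Account record and the directory contents are assumptions; the example also checks that an account present in both domains carries the same uid, the condition the setup described above depends on.

```python
# Added example, not Samba code: model of a hypothetical
# "lookup domains = NAU NAU-STUDENTS" fallback for unqualified usernames.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    domain: str
    name: str
    uid: int          # rfc2307 uidNumber
    home: str         # rfc2307 unixHomeDirectory


# Constructed sample directory standing in for the two-domain AD forest.
DIRECTORY: Dict[Tuple[str, str], Account] = {
    ("NAU", "mcm75"): Account("NAU", "mcm75", 5001, "/home/mcm75"),
    ("NAU-STUDENTS", "mcm75"): Account("NAU-STUDENTS", "mcm75", 5001, "/home/mcm75"),
    ("NAU", "facultyonly"): Account("NAU", "facultyonly", 5002, "/home/facultyonly"),
    ("NAU-STUDENTS", "clash"): Account("NAU-STUDENTS", "clash", 7000, "/home/clash"),
    ("NAU", "clash"): Account("NAU", "clash", 7001, "/home/clash2"),
}


def parse_lookup_domains(value: str) -> List[str]:
    """Parse the assumed 'lookup domains' option value into an ordered list."""
    return [d.strip().upper() for d in value.split() if d.strip()]


def resolve(username: str, lookup_domains: List[str]) -> Optional[Account]:
    """Resolve a username to an account.

    A qualified DOMAIN\\user is looked up directly. A bare name is tried in
    each configured domain in order, so the first listed domain wins.
    """
    if "\\" in username:
        domain, name = username.split("\\", 1)
        return DIRECTORY.get((domain.upper(), name.lower()))
    for domain in lookup_domains:
        acct = DIRECTORY.get((domain, username.lower()))
        if acct is not None:
            return acct
    return None


def conflicting_uids(name: str, lookup_domains: List[str]) -> List[int]:
    """Distinct uids a bare name maps to across domains; >1 means the
    'same uid in both domains' assumption is violated for that name."""
    uids = {DIRECTORY[(d, name.lower())].uid
            for d in lookup_domains if (d, name.lower()) in DIRECTORY}
    return sorted(uids)
```

A bare name that maps to different uids in different domains is exactly the case where a first-match fallback would silently serve the wrong home directory, so a resolver would want to refuse such names rather than pick one.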