[Samba] UID mapping

Robert Freeman-Day presgas at gmail.com
Wed Jun 15 13:18:24 MDT 2011



On 06/15/2011 10:29 AM, Jonathan Buzzard wrote:
> 
> On Tue, 2011-06-14 at 23:41 +0000, Peter Shevchenko wrote:
> 
> [SNIP]
> 
>> I have been working on exactly this problem. I looked into the 
>> rfc2307 schema extensions and it looked like a lot of trouble. The Samba 
>> HOWTO has this to say about it.
>>
>> "The use of this method is messy. The information provided in the 
>> following is for guidance only and is very definitely not complete. This 
>> method does work; it is used in a number of large sites and has an 
>> acceptable level of performance." see
>> samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> 
> That is *not* the method I was suggesting to use. I was suggesting using
> the idmap_ad backend and winbind directly. No ldap or similar in sight
> excepting that AD is ldap.
> 
> This is the configuration that I use in smb.conf
> 
> # deal with NSS and the whole UID/SID id mapping stuff
>         idmap backend = tdb
>         idmap uid = 2000000 - 2999999 
>         idmap gid = 2000000 - 2999999
>         idmap config LIFESCI-AD : backend = ad
>         idmap config LIFESCI-AD : schema_mode = rfc2307
>         idmap config LIFESCI-AD : readonly = yes
>         idmap config LIFESCI-AD : range = 500 - 1999999
>         idmap cache time = 120
>         idmap negative cache time = 20
>         winbind nss info = rfc2307
>         winbind expand groups = 2
>         winbind nested groups = yes
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind refresh tickets = yes
>         winbind offline logon = false
> 
> With nsswitch.conf looking like
> 
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> 
> 
> I would say the documentation on how to get this working is not great,
> the biggest stumbling block being the need for the non-overlapping range
> for the plain tdb backend, which is required despite the fact that it is
> never used.
> 
> Yes you need to have winbind running at all times for it to work but it
> does work.
> 
> 
> JAB.
> 

The environment I work in did not fully implement the RFC schema. I
would use the hash idmap backend:
http://www.samba.org/samba/docs/man/manpages-3/idmap_hash.8.html

-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
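As an added example that is not part of this thread and not Samba's own tooling: a Python script that audits the idmap ranges in an smb.conf fragment like the one quoted above. It checks the two things the thread flags as practical stumbling blocks, that the default tdb backend has a range of its own and that no two backends' ranges overlap, and adds a check a practitioner will want before going live: whether any local /etc/passwd UID falls inside a winbind-managed range (with `passwd: files winbind` the local entry wins on name lookup, but a directory user handed the same uidNumber still owns the same files on disk). The smb.conf lines are the ones quoted from the message above; the /etc/passwd excerpt is constructed and its account names and UIDs are hypothetical.

```python
import re
from collections import namedtuple

Range = namedtuple("Range", "domain backend low high")

# Input: the idmap-related smb.conf lines quoted in the message above.
SMB_CONF = """\
# deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999
        idmap gid = 2000000 - 2999999
        idmap config LIFESCI-AD : backend = ad
        idmap config LIFESCI-AD : schema_mode = rfc2307
        idmap config LIFESCI-AD : readonly = yes
        idmap config LIFESCI-AD : range = 500 - 1999999
        idmap cache time = 120
"""

# Constructed /etc/passwd excerpt; account names and UIDs are hypothetical.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
backup:x:600:600:local backup job:/var/backups:/bin/sh
jdoe:x:1000:1000:Jane Doe:/home/jdoe:/bin/bash
"""

_CONFIG_RE = re.compile(r"^idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
_LEGACY_RE = re.compile(r"^idmap (backend|uid|gid)\s*=\s*(.*?)\s*$", re.I)
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def _parse_range(text):
    """Turn 'LOW - HIGH' into (low, high); reject malformed or inverted ranges."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError("bad idmap range: %r" % text)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("inverted idmap range: %r" % text)
    return low, high


def parse_idmap(conf):
    """Return {domain: Range} for every idmap backend in smb.conf text.

    The Samba 3 legacy 'idmap backend / idmap uid / idmap gid' lines are
    recorded as the default domain '*', which is how later releases spell
    the same setting ('idmap config * : ...').
    """
    backends, ranges, gid_ranges = {}, {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments are whole lines
            continue
        m = _CONFIG_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            if key == "backend":
                backends[domain] = value.lower()
            elif key == "range":
                ranges[domain] = _parse_range(value)
            continue
        m = _LEGACY_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if key == "backend":
                backends["*"] = value.lower()
            elif key == "uid":
                ranges["*"] = _parse_range(value)
            else:
                gid_ranges["*"] = _parse_range(value)
    if "*" in gid_ranges and gid_ranges["*"] != ranges.get("*"):
        raise ValueError("legacy 'idmap uid' and 'idmap gid' ranges differ")
    result = {}
    for domain in set(backends) | set(ranges):
        if domain not in ranges:
            raise ValueError("idmap backend for %s has no range" % domain)
        low, high = ranges[domain]
        # tdb is Samba's documented default backend when none is given.
        result[domain] = Range(domain, backends.get(domain, "tdb"), low, high)
    return result


def overlapping_ranges(domains):
    """Pairs of domains whose ranges intersect; Samba requires them to be disjoint."""
    hits = []
    items = sorted(domains.values(), key=lambda r: r.low)
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            if b.low <= a.high:            # sorted by low, so this is the overlap test
                hits.append((a.domain, b.domain))
    return hits


def local_uid_collisions(domains, passwd):
    """Local passwd accounts whose UID lies inside a winbind-managed range."""
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], int(fields[2])
        for r in domains.values():
            if r.low <= uid <= r.high:
                hits.append((name, uid, r.domain))
    return hits


def audit(conf=SMB_CONF, passwd=PASSWD):
    """Run all three checks and return the findings as a dict."""
    domains = parse_idmap(conf)
    return {
        "default_backend_present": "*" in domains,
        "overlaps": overlapping_ranges(domains),
        "local_collisions": local_uid_collisions(domains, passwd),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit())
```

The script only reasons about the numbers; `testparm -s` remains the way to confirm Samba accepts the file. On the quoted configuration the tdb and AD ranges are disjoint and the default backend has its range, but because the AD range starts at 500 all three constructed local accounts (`nobody` at 65534, `backup` at 600, `jdoe` at 1000) fall inside it, which is the case to review before trusting file ownership on a member server.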

