[Samba] UID mapping

Peter Shevchenko peter.shevchenko at cecs.anu.edu.au
Tue Jun 14 17:10:30 MDT 2011


 
 
----------------original message-----------------
From: "Jonathan Buzzard" jonathan at buzzard.me.uk
To: "Martin Rootes" M.J.Rootes at shu.ac.uk
CC: "Samba" samba at lists.samba.org
Date: Tue, 14 Jun 2011 23:28:49 +0100
-------------------------------------------------
 
 
> Martin Rootes wrote:
>> Hi,
>> 
>> I'm trying to convert an old system on Solaris 10 that uses the 
>> smbpasswd file authentication method to a system that authenticates 
>> against Active Directory. I've managed to get winbind working but of 
>> course this just allocates UIDs as it sees fit whereas the smbpasswd 
>> file method used the UID from the /etc/passwd file. The user codes on 
>> the Solaris server match the user codes in AD but if I just switch over 
>> to winbind the UIDs will not match. If there were only a small number of 
>> users I could simply change the ownership of the users home directories 
>> to match the winbind allocated UID but unfortunately there are thousands 
>> of users and so this would be a mammoth task. I've had a look at various 
>> bits of documentation but can't get my head around the best strategy. 
>> Has anyone needed to do something similar and if so how did you go about 
>> it?
>> 
>> Also the users' home directories are distributed around multiple 
>> directories and I would prefer to continue to use the home directory 
>> information from /etc/passwd as opposed to using "template homedir" 
>> (although I assume that I could leave the directories in place and just 
>> set up links to them). I've also had a look at the PADL nss_ldap 
>> stuff but can't get it to compile, it seems to be looking for SASL, 
>> would the SASL version on the Sun Freeware site work?
>> 
> 
> Would filling out the rfc2307 information in the AD not be the way 
> forward? Then winbind would not be allocating UIDs but using what was 
> set in the AD which you could match with your current settings. In 
> addition you could have your home directories wherever you want on a per 
> user basis depending on what you have set in the AD.
> 
> If you are going to be using AD then it is best not to fight it, and any 
> AD server after 2003 R2 has the rfc2307 scheme extensions activated, you 
> just need to populate the fields. Though I appreciate that sometimes 
> this can be easier said than done if you don't have control over the AD 
> servers.
> 
> 
> JAB.
> 
> -- 
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
> 

I have been working on exactly this problem. I looked into the rfc2307 scheme
extensions and it looked like a lot of trouble. The Samba HOWTO has this to
say about it.

"The use of this method is messy. The information provided in the following
is for guidance only and is very definitely not complete. This method does
work; it is used in a number of large sites and has an acceptable level of
performance." see
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

I also noticed that, to quote the HowTo again "If winbindd is not running,
smbd (which calls winbindd) will fall back to using purely local information
from /etc/passwd and /etc/group and no dynamic mapping will be used. On an
operating system that has been enabled with the NSS, the resolution of user
and group information will be accomplished via NSS." see
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html.
This is the solution that I am now implementing. It looks to be working but
I still have some testing to do. This is the way that another system works
here and we have had no trouble with it. If you have multiple domains then
you have to be very careful doing this. We have one master OpenLDAP server
and we create accounts on all domains from that. We know that John on one
domain is the same person as John on all the others. The Linux Samba servers
are just set up so that NSS gets account info from the master LDAP server but
the smb.conf gets auth info from the AD domain controller. Password changing
on the Windows and Linux machines has been disabled and all password
changes are done through a website. This site then updates the LDAP and AD
passwords.

Peter
-- 
Peter Shevchenko Ph: +61 2 6125 1548
Email: Peter.Shevchenko at anu.edu.au
IT Administrator

ANU College of Engineering and
Computer Science
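An added example, not part of the thread: before switching a host from /etc/passwd to winbind or nss_ldap, a pre-cutover check that compares the old UIDs with what the new NSS source returns (in practice NEW_PASSWD would be filled from `getent passwd` on the converted host). It flags users whose UID changed, users the new source does not know, and UIDs that now resolve to a different account, which is the case where someone else would end up owning an old home directory. Both passwd listings below are constructed sample data.

```shell
# Constructed sample of the old Solaris /etc/passwd.
OLD_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
martin:x:1001:100:Martin:/export/home1/martin:/bin/sh
peter:x:1002:100:Peter:/export/home2/peter:/bin/sh
john:x:1003:100:John:/export/home2/john:/bin/sh
EOF
)

# Constructed sample of what winbind allocates without rfc2307 attributes:
# peter got a fresh UID, john is unknown, and john's old UID now belongs to alice.
# On a real host: NEW_PASSWD=$(getent passwd)
NEW_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
martin:x:1001:100:Martin:/export/home1/martin:/bin/sh
peter:x:10005:100:Peter:/home/DOMAIN/peter:/bin/sh
alice:x:1003:100:Alice:/home/DOMAIN/alice:/bin/sh
EOF
)

# uid_report OLD NEW prints one line per problem found:
#   CHANGED   name old_uid new_uid   (home directory ownership will break)
#   MISSING   name old_uid           (new source does not know the user)
#   COLLISION uid old_name new_name  (new_name would now own old_name's files)
uid_report() {
    printf '%s\n' "$1" | awk -F: -v new="$2" '
    BEGIN {
        # Index the new listing by name and by UID.
        n = split(new, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ":")
            if (f[1] == "") continue
            newuid[f[1]] = f[3]
            newname[f[3]] = f[1]
        }
    }
    $1 != "" {
        name = $1; uid = $3
        if (!(name in newuid))        printf "MISSING %s %s\n", name, uid
        else if (newuid[name] != uid) printf "CHANGED %s %s %s\n", name, uid, newuid[name]
        if ((uid in newname) && newname[uid] != name)
            printf "COLLISION %s %s %s\n", uid, name, newname[uid]
    }'
}

uid_report "$OLD_PASSWD" "$NEW_PASSWD"
```

An empty report means every existing UID survives the switch unchanged, which is the precondition for keeping the home directories as they are.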



