[Samba] samba4 DC, internal winbind_server: external idmap problem

Andy Igoshin ai at vsu.ru
Sun Dec 8 09:50:25 MST 2013


On Sun, 08 Dec 2013 09:58:59 +0100
steve <steve at steve-ss.com> wrote:
> On Sun, 2013-12-08 at 01:08 +0400, Andy Igoshin wrote:  
> > On Sat, 07 Dec 2013 19:05:51 +0100
> > steve <steve at steve-ss.com> wrote:
> > 
> > some explanations:
> > 
> > we use sssd which takes data from our ldap-based system.  
> 
> Well done. Absolutely perfect. 
>
>  
> > # getent passwd test2 at dom.domain.ru
> > test2 at dom.domain.ru:*:1113535:1113535:test2:/home/dom.domain.ru/test2:/bin/bash  
> 
> OK. 
> So now we chop off test2 using cut or sed or something
> then proceed as follows
> samba-tool user create test2
> 
> Now chop off and assemble the following into a file, say, test2.ldif
> Note the handy ':' delimiters;)
> 
> dn: cn=test2,cn=Users,dc=dom,dc=domain,dc=ru
> changetype: modify
> add: uidNumber
> uidNumber: 1113535
> -
> add: gidNumber
> gidNumber: 1113535
> -
> add: unixHomeDirectory
> unixHomeDirectory: /home/dom.domain.ru/test2
> -
> add: loginShell
> loginShell: /bin/bash
> 
> Now stick it into AD:
> 
> ldbmodify --url=/path/to/your/private/sam.ldb test2.ldif
> 
> repeat for each user you wish to add: getent passwd and chop and
> assemble a line at a time perhaps?
> 
> You now have your existing ldap sitting comfortably in AD. sssd is the
> perfect tool for pulling this info too but of course now, you're on
> the DC or your Linux clients.  

Yes, it works if I set 'idmap_ldb:use rfc2307 = yes'.

In our infrastructure there is an integration with Windows AD.
User management works via LDAP, passwords sync via patched MS SSOD.
I can extend this integration in such a way that
uidNumber/gidNumber/etc. attributes are automatically added into
Samba AD.

But when I started to play with samba4 I hoped it behaves
"more the Unix way". If we talk from the state where we are now, then
for instance something like
'idmap_ldb:use sss = yes' (or use nss = yes ?)

I took a look at source4/winbind/idmap.c and also the Python code.
It seems it is rather easy to add 'idmap_ldb:use sss = yes'
functionality there. But here is the question - would it be the Samba way?
Would the Samba team accept such a patch?


-- 
Andy Igoshin <ai at vsu.ru>                 Voronezh State University
sip:          ai at vsu.ru                  Network Operation Center
phone: +7 473 2281160, ext. 2020         Voronezh, Russia
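
An added example of the "chop and assemble" step from the quoted reply (not the poster's own script): a POSIX sh function that turns one `getent passwd` line into the `ldbmodify` LDIF, refusing names that would alter the DN and non-numeric ids. BASE_DN, SAM_DB and the sample line are assumptions, and a real getent line carries a literal '@' where the archive prints ' at '.

```shell
# Constructed example; BASE_DN is an assumption, override it for your realm.
BASE_DN="${BASE_DN:-dc=dom,dc=domain,dc=ru}"

# Constructed sample, shaped like the getent output quoted in the thread.
SAMPLE_LINE='test2@dom.domain.ru:*:1113535:1113535:test2:/home/dom.domain.ru/test2:/bin/bash'

# passwd_to_ldif LINE -> prints the modify LDIF on stdout, returns 1 on a bad line.
passwd_to_ldif() {
    pw_line=$1
    IFS=: read -r pw_name pw_pass pw_uid pw_gid pw_gecos pw_dir pw_shell <<EOF
$pw_line
EOF
    # "chop off" the realm: test2@dom.domain.ru -> test2
    user=${pw_name%%@*}
    # The name becomes an RDN: commas, '=', '+', quotes or spaces would change
    # the DN's meaning, so only plain account names are accepted.
    case $user in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # uid/gid must be decimal numbers; an empty home or shell is also rejected.
    case $pw_uid in ''|*[!0-9]*) return 1 ;; esac
    case $pw_gid in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$pw_dir" ] && [ -n "$pw_shell" ] || return 1
    cat <<EOF
dn: cn=$user,cn=Users,$BASE_DN
changetype: modify
add: uidNumber
uidNumber: $pw_uid
-
add: gidNumber
gidNumber: $pw_gid
-
add: unixHomeDirectory
unixHomeDirectory: $pw_dir
-
add: loginShell
loginShell: $pw_shell
EOF
}

# import_user USER@REALM: the full procedure from the post, not run here.
# Assumes samba-tool and ldbmodify are on PATH; SAM_DB must point at sam.ldb.
import_user() {
    line=$(getent passwd "$1") || return 1
    ldif=$(mktemp) || return 1
    passwd_to_ldif "$line" > "$ldif" || return 1
    samba-tool user create "${1%%@*}" &&
    ldbmodify --url="${SAM_DB:?set SAM_DB to your private/sam.ldb}" "$ldif"
}
```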