[Samba] samba4 DC, internal winbind_server: external idmap problem

steve steve at steve-ss.com
Tue Dec 10 05:45:18 MST 2013


On Sun, 2013-12-08 at 20:50 +0400, Andy Igoshin wrote:
> On Sun, 08 Dec 2013 09:58:59 +0100
> steve <steve at steve-ss.com> wrote:
> > On Sun, 2013-12-08 at 01:08 +0400, Andy Igoshin wrote:  
> > > On Sat, 07 Dec 2013 19:05:51 +0100
> > > steve <steve at steve-ss.com> wrote:
> > > 
> > > some explanations:
> > > 
> > > we use sssd which takes data from our ldap-based system.  
> > 
> > Well done. Absolutely perfect. 
> >
> >  
> > > # getent passwd test2 at dom.domain.ru
> > > test2 at dom.domain.ru:*:1113535:1113535:test2:/home/dom.domain.ru/test2:/bin/bash  
> > 
> > OK. 
> > So now we chop off test2 using cut or sed or something
> > then proceed as follows
> > samba-tool user create test2
> > 
> > Now chop off and assemble the following into a file, say, test2.ldif
> > Note the handy ':' delimiters;)
> > 
> > dn: cn=test2,cn=Users,dc=dom,dc=domain,dc=ru
> > changetype: modify
> > add: uidNumber
> > uidNumber: 1113535
> > -
> > add: gidNumber
> > gidNumber: 1113535
> > -
> > add: unixHomeDirectory
> > unixHomeDirectory: /home/dom.domain.ru/test2
> > -
> > add: loginShell
> > loginShell: /bin/bash
> > 
> > Now stick it into AD:
> > 
> > ldbmodify --url=/path/to/your/private/sam.ldb test2.ldif
> > 
> > repeat for each user you wish to add: getent passwd and chop and
> > assemble a line at a time perhaps?
> > 
> > You now have your existing ldap sitting comfortably in AD. sssd is the
> > perfect tool for pulling this info too but of course now, you're on
> > the DC or your Linux clients.  
> 
> yes, it works if i set 'idmap_ldb:use rfc2307 = yes' .
> 
> in our infrastructure there is an integration with windows AD.
> user management works via ldap, passwords sync via patched ms ssod.
> i can extend this integration in such way that
> uidNumber/gidNumber/etc attributes are automatically added into
> samba AD.
> 
> but when i started to play with samba4 i hoped it behaves
> "more unix way". if to talk from the state where we are now then 
> for instance something like
> 'idmap_ldb:use sss = yes' (or use nss = yes ?)
> 
> i took a look at source4/winbind/idmap.c and also python code.
> it seems it is rather easy to add 'idmap_ldb:use sss = yes'
> functionality there. but here is the question - would it be samba way?
> would samba team accept such patch?

Hi
As from version 1.10, sssd includes its own (very nice) AD backend. I'm
not sure what extra functionality you wish to code, save to say, the
sssd config on the DC is already very straightforward as it is. I know
that the devs are working hard to get winbind working on the DC too at
the moment; it's on their roadmap for the next version I think. You
could ask about your proposed sss code on samba-technical. The coders
don't look here that much I don't think.
HTH
Steve
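The procedure described in the quoted part of this thread (read a `getent passwd` line, chop the fields, assemble an LDIF modify record for the user's AD object, then feed it to `ldbmodify`) as an added POSIX shell example; it is not code from the thread or from the Samba project. The function name `passwd_to_ldif`, the `BASE_DN` value and the sample passwd line are constructed for the example (the archive shows the realm separator as " at ", the sample uses a literal `@`). The line numbers in the passwd record are the standard seven colon-separated fields, so the same function works for any NSS source, not only sssd.

```shell
#!/bin/sh
# Added example: turn one `getent passwd` line into the LDIF that adds the
# RFC2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell)
# to an existing AD user object. Not part of the original thread.

# Assumption: the Users container of the thread's domain.
BASE_DN="cn=Users,dc=dom,dc=domain,dc=ru"

# Constructed sample line, as sssd would print it (getent passwd test2@dom.domain.ru).
SAMPLE_PASSWD='test2@dom.domain.ru:*:1113535:1113535:test2:/home/dom.domain.ru/test2:/bin/bash'

# passwd_to_ldif 'USER:x:UID:GID:GECOS:HOME:SHELL'
# Prints an LDIF changetype: modify record on stdout. Returns 1 if the line
# does not carry numeric uid/gid fields, so a malformed line never reaches AD.
passwd_to_ldif() {
    line=$1
    # Field 1 is the user name; drop the @realm suffix that sssd appends so the
    # result matches the cn created by `samba-tool user create`.
    user=$(printf '%s' "$line" | cut -d: -f1 | cut -d@ -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)

    # Refuse anything that is not a plain decimal id; a bad uidNumber in AD is
    # far harder to clean up than a rejected line here.
    case $uid in ''|*[!0-9]*) echo "passwd_to_ldif: bad uid in '$line'" >&2; return 1;; esac
    case $gid in ''|*[!0-9]*) echo "passwd_to_ldif: bad gid in '$line'" >&2; return 1;; esac
    [ -n "$user" ] && [ -n "$home" ] && [ -n "$shell" ] || {
        echo "passwd_to_ldif: missing field in '$line'" >&2; return 1; }

    # One "add:" block per attribute, separated by "-" as LDIF requires.
    printf 'dn: cn=%s,%s\n' "$user" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'add: loginShell\nloginShell: %s\n' "$shell"
}

# Usage: write the record for one user to a file, then load it as the thread does:
#   passwd_to_ldif "$(getent passwd test2@dom.domain.ru)" > test2.ldif
#   ldbmodify --url=/path/to/your/private/sam.ldb test2.ldif
# Running this file on its own prints the LDIF for the constructed sample line.
passwd_to_ldif "$SAMPLE_PASSWD"
```

Each record is generated from the live NSS answer rather than typed by hand, so the uid and gid that land in AD are exactly the ones the Linux side already uses; that is what makes `idmap_ldb:use rfc2307 = yes` hand out consistent ids afterwards.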
