[Samba] IDMAP Issue

Xen list at xenhideout.nl
Sat Jul 16 19:59:40 UTC 2016


Rowland penny wrote on 16-07-2016 20:25:
> On 16/07/16 14:08, Xen wrote:
>> Rowland penny wrote on 14-07-2016 14:50:
>> 
>>> If you have any users in /etc/passwd that are also in AD i.e if you
>>> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
>>> AD, then sorry, but one of them will have to go, they would be treated
>>> as the same user.
>> 
>> Are you entirely sure this is true? I don't yet know how ID mapping 
>> works in Samba.
> 
> OK, where is rowland stored, can you tell from this:
> 
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Of course. But there are issues. getent passwd -s ldap rowland will 
answer the same question from a different service. Normally there is an 
order in nsswitch.conf, but if you have an NSCD daemon installed, it 
might mess that up.

Maybe you mean that the ID mapping would work, but not accessing them at 
the same time for normal operation?

There is no way in nscd to disable forwarding from getUID lookups to 
getName lookups. (So to speak). The moment you read a filesystem part 
that has the UID for the "imported" user, NSCD will replace its entry 
for "fred" with that of the LDAP / AD system.

If you turn NSCD off, these issues are not there and you can only get 
the /first/ named user of that name, depending on the order in 
nsswitch.conf.

Regardless I would assume IDmapping would directly request information 
from a specific source (service, -s) instead of the first one it 
encounters (general lookup).

After all, the only valid users in the system are those that result 
/after/ or /from/ the IDmap.

So the /source/ of the IDmapping (the remote system) can never be 
anything that is requested through getent.

Only the result of it should make it to the getent database, right?

Therefore you may have issues with duplicate users, but not with mapping 
them in the first place, because that first thing has nothing to do with 
getent yet.


> No, as far as I can tell, IDmapping is all about mapping a user (or
> group) from somewhere else (i.e. AD) to a local Unix user (or group).
> Thinking about it, mapping is probably the wrong word, but I cannot
> think of a better word now that you cannot have a local user with the
> same name as one in AD.

Yeah, I meant that with importing. Sorry!

It's just a shame I think that NSCD does not honour the nsswitch order 
for my personal use case.

It just keeps one version of each name, and overwrites it with the 
latest request (if requested by ID).
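
An added check, not from this thread, for the collision the thread is about: it compares two passwd-format sources per NSS service (the `getent passwd -s files` and `getent passwd -s winbind` views, bypassing whatever merged view nscd has cached) and reports login names and UIDs that exist in both. The winbind separator is assumed to be "+" as in 'ABC+fred'; the sample entries are constructed.

```shell
# find_dup_users FILE1 FILE2 [SEP]: report names and UIDs present in both
# passwd-format files. A name like "ABC+fred" is compared as "fred" after
# stripping everything up to SEP (assumed "+", the winbind separator).
# Output: "NAME <bare-name> <entry1> <entry2>" or "UID <uid> <entry1> <entry2>".
find_dup_users() {
    awk -F: -v sep="${3:-+}" '
        function bare(n,  i) { i = index(n, sep); return i ? substr(n, i + 1) : n }
        # first file: remember every (domain-stripped) name and every UID
        FNR == NR { byname[bare($1)] = $1; byuid[$3] = $1; next }
        # second file: report entries whose name or UID was already seen
        (bare($1) in byname) { print "NAME " bare($1) " " byname[bare($1)] " " $1 }
        ($3 in byuid)        { print "UID " $3 " " byuid[$3] " " $1 }
    ' "$1" "$2"
}

# Live check on a Samba member server (not invoked here): query each NSS
# service directly instead of the order-dependent merged lookup.
check_live() {
    tmp_files=$(mktemp) && tmp_wb=$(mktemp)
    getent passwd -s files > "$tmp_files"
    getent passwd -s winbind > "$tmp_wb"
    find_dup_users "$tmp_files" "$tmp_wb"
    rm -f "$tmp_files" "$tmp_wb"
}

# Constructed sample data standing in for the two services.
SAMPLE_FILES=$(mktemp)
SAMPLE_WINBIND=$(mktemp)
cat > "$SAMPLE_FILES" <<'EOF'
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Local Fred:/home/fred:/bin/bash
alice:x:1002:1002:Local Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_WINBIND" <<'EOF'
ABC+fred:*:10000:10000:Fred (AD):/home/ABC/fred:/bin/bash
ABC+bob:*:10001:10000:Bob (AD):/home/ABC/bob:/bin/bash
ABC+carol:*:1002:10000:Carol (AD):/home/ABC/carol:/bin/bash
EOF

# Prints "NAME fred fred ABC+fred" and "UID 1002 alice ABC+carol".
find_dup_users "$SAMPLE_FILES" "$SAMPLE_WINBIND"
```

A NAME line means the two sources disagree about who that login is once the domain prefix is dropped; a UID line means files on disk owned by that UID will resolve to whichever entry the current lookup order or cache returns.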


