[Samba] IDMAP Issue

Achim Gottinger achim at ag-web.biz
Sat Jul 16 20:38:26 UTC 2016



Am 16.07.2016 um 21:59 schrieb Xen:
> Rowland penny schreef op 16-07-2016 20:25:
>> On 16/07/16 14:08, Xen wrote:
>>> Rowland penny schreef op 14-07-2016 14:50:
>>>
>>>> If you have any users in /etc/passwd that are also in AD i.e if you
>>>> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
>>>> AD, then sorry, but one of them will have to go, they would be treated
>>>> as the same user.
>>>
>>> Are you entirely sure this is true? I don't yet know how ID mapping 
>>> works in Samba.
>>
>> OK, where is rowland stored, can you tell from this:
>>
>> rowland at devstation:~$ getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Of course. But there are issues. getent passwd -s ldap rowland, will 
> answer the same question from a different service. Normally there is an 
> order in nsswitch.conf, but if you have an NSCD daemon installed, it 
> might mess that up.
>
> Maybe you mean that the ID mapping would work, but not accessing them 
> at the same time for normal operation?
>
> There is no way in nscd to disable forwarding from getUID lookups to 
> getName lookups. (So to speak). The moment you read a filesystem part 
> that has the UID for the "imported" user, NSCD will replace its entry 
> for "fred" with that of the LDAP / AD system.
>
> If you turn NSCD off, these issues are not there and you can only get 
> the /first/ named user of that name, depending on the order in 
> nsswitch.conf.
>
> Regardless I would assume IDmapping would directly request information 
> from a specific source (service, -s) instead of the first one it 
> encounters (general lookup).
>
> After all, the only valid users in the system are those that result 
> /after/ or /from/ the IDmap.
>
> So the /source/ of the IDmapping (the remote system) can never be 
> anything that is requested through getent.
>
> Only the result of it should make it to the getent database, right.
>
> Therefore you may have issues with duplicate users, but not with mapping 
> them in the first place, because that first thing has nothing to do 
> with getent yet.
>
>
>> No, as far as I can tell, IDmapping is all about mapping a user (or
>> group) from somewhere else (i.e. AD) to a local Unix user (or group).
>> Thinking about it, mapping is probably the wrong word, but I cannot
>> think of a better word now that you cannot have a local user with the
>> same name as one in AD.
>
> Yeah, I meant that with importing. Sorry!
>
> It's just a shame I think that NSCD does not honour the nsswitch order 
> for my personal use case.
>
> It just keeps one version of each name, and overwrites it with the 
> latest request (if requested by ID).
>
Try unscd instead of nscd; it works better in conjunction with Samba.
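Added example, not part of the thread or of Samba itself: a small POSIX sh script that does the two checks the discussion above turns on. First it finds the local-versus-AD clashes Rowland warns about (a /etc/passwd name that reappears in AD as DOMAIN+name, or a UID that both sources hand out), then it simulates `getent passwd` with nscd switched off, where the first source in nsswitch.conf order that knows the name or UID wins, as Xen describes. The two passwd-format blobs stand in for the output of `getent passwd -s files` and `getent passwd -s winbind`; the domain name ABC and the '+' separator come from the thread, while the user names, UIDs and home paths are invented for the example. On a real member server you would feed it the output of those two getent calls instead.

```sh
#!/bin/sh
# Added example (not from the thread): detect local-vs-AD account collisions
# and show which entry wins under a given nsswitch.conf order.
#
# Constructed sample data standing in for the output of
#   getent passwd -s files     (local /etc/passwd accounts)
#   getent passwd -s winbind   (AD accounts as presented by Samba idmap)
# The domain separator '+' and the domain name ABC are taken from the thread;
# the UIDs, names and paths below are invented for the example.
FILES_DB='root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/home/fred:/bin/bash
alice:x:1002:1002:Alice Local:/home/alice:/bin/bash'

WINBIND_DB='ABC+fred:*:10001:10000:Fred Domain:/home/ABC/fred:/bin/bash
ABC+bob:*:10002:10000:Bob Domain:/home/ABC/bob:/bin/bash
ABC+carol:*:1002:10000:Carol Domain:/home/ABC/carol:/bin/bash'

# find_collisions FILES_DB WINBIND_DB
# Prints one line per clash: a local name that reappears in AD once the
# "DOMAIN+" prefix is stripped, or a UID that both sources hand out.
# Either clash means the two sources disagree about who a name or UID is.
find_collisions() {
    {
        printf '%s\n' "$1" | sed 's/^/files:/'
        printf '%s\n' "$2" | sed 's/^/winbind:/'
    } | awk -F: '
        {
            src = $1; name = $2; uid = $4
            bare = name
            sub(/^[^+]*[+]/, "", bare)        # "ABC+fred" -> "fred"
            if (src == "files") {
                fname[bare] = name
                fuid[uid] = name
            } else {
                if (bare in fname)
                    printf "NAME %s (files) vs %s (winbind)\n", fname[bare], name
                if (uid in fuid)
                    printf "UID %s: %s (files) vs %s (winbind)\n", uid, fuid[uid], name
            }
        }'
}

# lookup_first "ORDER" KEY FILES_DB WINBIND_DB
# Simulates `getent passwd KEY` with nscd disabled: the sources are consulted
# in the nsswitch.conf order given (e.g. "files winbind") and the first one
# holding KEY (a name or a numeric UID) wins. Returns 1 if nobody has it.
lookup_first() {
    order=$1; key=$2; files=$3; winbind=$4
    for src in $order; do
        case $src in
            files)   db=$files ;;
            winbind) db=$winbind ;;
            *)       continue ;;          # other services are not modelled here
        esac
        hit=$(printf '%s\n' "$db" | awk -F: -v k="$key" '$1 == k || $3 == k { print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: report the clashes, then show UID 1002 resolving to a
# different account depending purely on source order.
find_collisions "$FILES_DB" "$WINBIND_DB"
echo "files first:   $(lookup_first 'files winbind' 1002 "$FILES_DB" "$WINBIND_DB")"
echo "winbind first: $(lookup_first 'winbind files' 1002 "$FILES_DB" "$WINBIND_DB")"
```

The UID case is the one a cache makes painful: with the sample data, `ls -l` on a file owned by UID 1002 asks for that UID, and whichever source answers first is the name that ends up cached and shown, independent of what a later lookup by the name "alice" would have returned.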
