[Samba] Understanding ID mapping between a campus AD and a local LDAP
Jonathon A Anderson
jonathon.anderson at colorado.edu
Tue Mar 23 17:50:55 UTC 2021
Here's a copy of our [global] section, with three attempted alternative idmap sections.
backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different from the AD uidNumber.
Neither backend=rfc2307 nor backend=nss appears to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.
-
[global]
dns proxy = no
encrypt passwords = yes
kerberos method = system keytab
load printers = no
map to guest = Bad User
max log size = 5000
passdb backend = tdbsam
password server = *
realm = AD.[redacted]
restrict anonymous = 2
security = ADS
server string = %h samba
workgroup = AD
dos charset = CP850
unix charset = UTF-8
# idmap config AD : backend = ad
# idmap config AD : range = 1000-20000000
# idmap config AD : schema_mode = rfc2307
# idmap config AD : unix_nss_info = yes
# idmap config AD : unix_primary_group = yes
idmap config AD : backend = rfc2307
idmap config AD : range = 1000-20000000
idmap config AD : ldap_server = stand-alone
idmap config AD : ldap_url = ldap://ldap.[redacted]
idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]
# idmap config AD : backend = nss
# idmap config AD : range = 1000-20000000
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 1
winbind use default domain = yes
log level = 3
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Tuesday, March 23, 2021 11:39 AM
To: sambalist
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 17:13, Jonathon A Anderson wrote:
> We cannot stop using our local LDAP at this point. The legacy issue is real--we have a lot of data with the current uidNumbers--but we also have users in our local LDAP that are _not_ in the campus AD, because we have accounts from other institutions as well (stored in different OUs, and tracked via sssd as discrete domains). Those accounts are out-of-scope for this SMB effort, but they do necessitate that we run our own directory server.
>
> This still leaves me confused as to what the point of Samba idmap is, though, if it's not meant to translate a remote identity by resolving it to a local identity.
OK, there are a few idmap backends:
idmap_ldap is an allocating backend: I do not think you could use this with AD.
idmap_nss maps Unix users and groups to Windows accounts: This would require local Unix users & groups (with the same names) in AD and /etc/passwd & /etc/group, so would use the local IDs. Not really required as the 'rid' backend will work similarly without the local users & groups.
idmap_rfc2307 reads id mappings from RFC2307 records in an LDAP server: This will use any uidNumber & gidNumber attributes in AD.
idmap_ad reads all RFC2307 records in an AD server.
idmap_rid calculates id mappings from SIDs in an AD server.
idmap_autorid works in a similar way to idmap_rid, but works with multiple domains.
It might help if you post the smb.conf files you have tried.
Rowland
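The mismatch Jonathon describes (same account name, different uidNumber in AD and in the local LDAP) is easy to audit before changing the idmap backend. The script below is an added example, not code from this thread or from Samba: it compares the RFC2307 attributes two directories expose for same-named accounts, flags AD entries with no uidNumber at all, and checks every number against the range from the posted smb.conf (1000-20000000). The account names and numbers are constructed, and effective_uid models only the two behaviours the thread contrasts: taking the uidNumber from AD (what the poster saw with backend=ad) versus taking the uidNumber of the same-named local entry (the behaviour the poster wants).

```python
"""Audit ID-mapping consistency between an AD domain and a local LDAP directory.

Added example with constructed data; it does not talk to any directory. It
compares the RFC2307 attributes (uidNumber/gidNumber) each directory holds
for same-named accounts so conflicts are visible before winbind is pointed
at either source.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PosixAccount:
    """RFC2307 attributes of one account as a directory exposes them."""
    name: str
    uid_number: Optional[int]  # None when the directory holds no uidNumber
    gid_number: Optional[int]


# Constructed sample records (hypothetical names and numbers, not real data).
AD_ACCOUNTS: Dict[str, PosixAccount] = {
    "alice": PosixAccount("alice", 10001, 10001),
    "bob": PosixAccount("bob", 10002, 10002),
    "carol": PosixAccount("carol", None, None),        # AD entry without RFC2307 attrs
    "dave": PosixAccount("dave", 25000000, 10000),     # uidNumber above the idmap range
    "frank": PosixAccount("frank", 10006, 10006),      # in AD only
}
LOCAL_ACCOUNTS: Dict[str, PosixAccount] = {
    "alice": PosixAccount("alice", 10001, 10001),      # same numbers as AD
    "bob": PosixAccount("bob", 31337, 31337),          # legacy local number differs from AD
    "carol": PosixAccount("carol", 10003, 10003),      # only the local LDAP has a number
    "dave": PosixAccount("dave", 10005, 10005),
    "erin": PosixAccount("erin", 10004, 10004),        # other-institution account, not in AD
}

IDMAP_RANGE: Tuple[int, int] = (1000, 20000000)  # "idmap config AD : range" from the posted smb.conf


def in_range(value: int, rng: Tuple[int, int]) -> bool:
    lo, hi = rng
    return lo <= value <= hi


def audit_idmap(ad: Dict[str, PosixAccount], local: Dict[str, PosixAccount],
                rng: Tuple[int, int]) -> Dict[str, List[str]]:
    """Classify every account name seen in either directory."""
    report: Dict[str, List[str]] = {
        "consistent": [], "conflict": [], "ad_missing_uid": [],
        "out_of_range": [], "ad_only": [], "local_only": [],
    }
    for name in sorted(set(ad) | set(local)):
        a, l = ad.get(name), local.get(name)
        if a is None:
            report["local_only"].append(name)      # never mapped: idmap only handles AD identities
        elif l is None:
            report["ad_only"].append(name)         # no local identity to reconcile against
        elif a.uid_number is None:
            report["ad_missing_uid"].append(name)  # a backend reading AD attributes has nothing to use
        elif not in_range(a.uid_number, rng) or not in_range(l.uid_number or -1, rng):
            report["out_of_range"].append(name)    # winbind ignores ids outside the configured range
        elif a.uid_number == l.uid_number and a.gid_number == l.gid_number:
            report["consistent"].append(name)
        else:
            report["conflict"].append(name)        # file ownership would differ depending on the source
    return report


def effective_uid(name: str, source: str, ad: Dict[str, PosixAccount],
                  local: Dict[str, PosixAccount], rng: Tuple[int, int]) -> Optional[int]:
    """uidNumber a lookup of `name` would yield when `source` is authoritative.

    "ad":    take the uidNumber stored in AD (the backend=ad behaviour in the thread).
    "local": take the uidNumber of the same-named local entry (the behaviour the poster wants).
    Returns None when no usable number exists under that rule.
    """
    if name not in ad:
        return None  # only identities that exist in AD are mapped at all
    acct = (ad if source == "ad" else local).get(name)
    if acct is None or acct.uid_number is None or not in_range(acct.uid_number, rng):
        return None
    return acct.uid_number


if __name__ == "__main__":
    for category, names in audit_idmap(AD_ACCOUNTS, LOCAL_ACCOUNTS, IDMAP_RANGE).items():
        print(f"{category:15s} {', '.join(names) or '-'}")
    for who in ("bob", "carol"):
        print(who, "ad ->", effective_uid(who, "ad", AD_ACCOUNTS, LOCAL_ACCOUNTS, IDMAP_RANGE),
              "local ->", effective_uid(who, "local", AD_ACCOUNTS, LOCAL_ACCOUNTS, IDMAP_RANGE))
```

In practice the two dictionaries would be filled from an LDAP search of each directory (for example the uid, uidNumber and gidNumber attributes under the bind_path_user base from the posted config); the "conflict" and "ad_missing_uid" lists are the accounts whose file ownership will silently change depending on which directory winbind ends up trusting.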