[Samba] Understanding ID mapping between a campus AD and a local LDAP
Rowland Penny
rpenny at samba.org
Tue Mar 23 18:46:18 UTC 2021
On 23/03/2021 17:50, Jonathon A Anderson wrote:
> Here's a copy of our [global] section, with three attempted alternative idmap sections.
>
> backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different than the AD uidNumber.
You will only find uidNumber attributes in AD or ldap.
>
> Neither backend=rfc2307 nor backend=nss appear to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.
OK, the first thing I noticed is that you do not appear to have any 'idmap
config' lines for the default (*) domain; you must have lines like these:
idmap config * : backend = tdb
idmap config AD : range = RANGE
Where 'RANGE' is a range of numbers that do not overlap the 'AD' domain,
so something like 20000001-20001000
> [global]
>
> # idmap config AD : backend = ad
> # idmap config AD : range = 1000-20000000
> # idmap config AD : schema_mode = rfc2307
> # idmap config AD : unix_nss_info = yes
> # idmap config AD : unix_primary_group = yes
The above lines will only work if your users have a uidNumber attribute
containing a unique number inside the 1000-20000000, your groups have a
gidNumber inside the same range, Domain Users must have a gidNumber and
your users must also have a gidNumber attribute containing the gidNumber
of the group that will be their unix primary group.
>
> idmap config AD : backend = rfc2307
> idmap config AD : range = 1000-20000000
> idmap config AD : ldap_server = stand-alone
> idmap config AD : ldap_url = ldap://ldap.[redacted]
> idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
> idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]
To use the rfc2307 backend, you must have uidNumber & gidNumber
attributes as per the 'ad' backend, and the 'ldap server =' should be 'ad'.
I'm not entirely sure this will work, because AD doesn't use the POSIX
objectclasses by default, so if the search expects these, it will fail.
>
> # idmap config AD : backend = nss
> # idmap config AD : range = 1000-20000000
If you are going to try the 'nss' backend again, try removing 'winbind
use default domain = yes'
Rowland
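A small checker for the two configuration problems raised in the reply (no 'idmap config' lines for the default (*) domain, and domain ranges that overlap), added here as an illustration and not part of the thread or of Samba itself; the smb.conf fragment it parses is constructed, and it only looks at 'idmap config' lines, skipping commented-out ones like the alternatives quoted above:

```python
import re

# Constructed smb.conf fragment (not from the thread): the AD domain is set up,
# but the default (*) domain has no backend and its range overlaps the AD range.
BROKEN_SMB_CONF = """
[global]
   idmap config AD : backend = ad
   idmap config AD : range = 1000-20000000
   idmap config AD : schema_mode = rfc2307
   # idmap config AD : backend = nss
   idmap config * : range = 10000-20000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every active 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out alternatives, as in the quoted config
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def check_idmap(text):
    """Return the list of idmap problems found; an empty list means it looks sane."""
    problems = []
    domains = parse_idmap(text)
    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config *' lines for the default (*) domain")
    elif "backend" not in default:
        problems.append("default (*) domain has no backend (use tdb)")
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            problems.append(f"domain {dom} has no range")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
    names = sorted(ranges)  # pairwise overlap check across all configured domains
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```

Overlapping ranges matter because two different SIDs can then be mapped to the same uid or gid, so file ownership and access checks on the member end up wrong.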