idmap_ad group id mapping.

Nimrod Sapir NIMRODS at il.ibm.com
Wed Aug 1 09:59:59 MDT 2012 

Hi Adam

I'm not sure I understand all your comments below. It still seems to me 
that for a customer using SFU for ID mapping, the consistent and intuitive 
way to determine the GID for a AD account which has UID in the schema is 
the Primary group name/GID entry. When looking at the UNIX attributes tab 
it is very obvious that this field is meant by Microsoft to be used as the 
matching GID for the UID. Also, the way it is defined enforces the user to 
provide GID to every UID, either by choosing a group which has GID, or by 
adding it manually to the schema. 

Yesterday, I dived into the code trying to understand how this patch can 
be done. The fix doesn't seem to be trivial at all, as the flow that leads 
from the first AD query of the user to the SID->GID resolution in AD is 
quite complicated. I added some hacks to winbind_ads.c and idmap_ad.c, but 
with partial success. adding the "winbind nss info = rfc2307" did change 
the flow a bit, but eventually the smbd process runs using the gid of the 
primary group rather than the gid written in the Primary group name/GID 
field. 

Do you think that the change described is of interest to the community? Do 
you have any suggestion regarding the easiest way to change the flow to 
match this behavior?

Thanks
Nimrod



Michael Adam <obnox at samba.org> wrote on 12/07/2012 17:48:42:

> From: Michael Adam <obnox at samba.org>
> To: Nimrod Sapir/Israel/IBM at IBMIL, 
> Cc: Dan Cohen1/Israel/IBM at IBMIL, Lior Chen/Israel/IBM at IBMIL, samba-
> technical <samba-technical at lists.samba.org>
> Date: 12/07/2012 17:48
> Subject: Re: idmap_ad group id mapping.
> 
> Nimrod Sapir wrote:
> > Michael Adam <obnox at samba.org> wrote on 12/07/2012 01:20:57:
> > > 
> > > Yes, this is actually how it should work:
> > > Samba takes the windows user token and turns it into
> > > a unix token. Here the expected thing is to turn the windows
> > > groups into unix groups (by id mapping) one-to-one.
> > > 
> > > I would say that the windows admins should give the
> > > user a primary (windows) group that also carries a gidnumber
> > > unix attribute. I can't see why a windows admin would give
> > > the user a primary windows group (maybe w/o gid number) and
> > > primary gid number in the unix attributes that refers to a
> > > different windows group or to no windows group at all.
> > > 
> > > But it seems to be a rather frequent request.
> > > If it is really important, then we could make it configurable
> > > to let samba choose the primary gid from the windows user
> > > sfu attributes as the unix primary gid.
> > 
> > I would say that the existing behavior is reasonable (as well as 
expecting 
> > the user to enforce the gid value of the primary group) if the 
"primary 
> > group name/GID" field was not there, right below the UID field. I, as 
a 
> > user, was sure that this field would determine the GID. I believe this 
is 
> > also what Microsoft expect from systems which are using this scheme 
> > (otherwise, why is it there?),
> 
> Well, I think the primary use of this is Unix/NFS interaction.
> Also, from Windows 2003R2 on, the schema extensions are part of
> the so called "services for NFS"...
> 
> http://technet.microsoft.com/en-us/library/cc782783%28v=ws.10%29
> http://technet.microsoft.com/en-us/library/cc753302%28v=ws.10%29.aspx
> 
> This is meant for systems that unlike samba/winbindd don't do
> an id mapping of the windows SIDs themselves.
> 
> > and from the perspective of a customer which has large Active
> > Directory, and want to allocate different GID to different
> > users, the existing behavior is error-prone while the second
> > approach ensures consistency.
> 
> The point is that the samba server is more on the windows side
> than on the unix side, from the windows clients' point of view.
> So we should by default map the windows world to the unix world
> as 1:1 as possible. We can optionally add in the primary gid
> from the unix attributes in the idmap_ad scenario. But what
> relevance would the primary windows group have, if it is also
> mapped to a GID?
> 
> Difficult.
> 
> There is by the way already a mechanism for choosing the
> gid from idmap_ad: you need to configure the nss_info
> correspondingly. Set
> 
> "winbind nss info = sfu"
> 
> in addition to your idmap config (or = rfc2307, you have to check).
> Please read the "smb.conf" manpage for more background.
> 
> Cheers - Michael
> 
> 
> [attachment "atti45z3.dat" deleted by Nimrod Sapir/Israel/IBM]

More information about the samba-technical mailing list