NIS/ldap name-based id mapping from Active directory and idmap_nss

Nimrod Sapir NIMRODS at il.ibm.com
Thu Jul 12 01:49:46 MDT 2012 

Andrew Bartlett <abartlet at samba.org> wrote on 12/07/2012 07:34:16:

> From: Andrew Bartlett <abartlet at samba.org>
> To: Nimrod Sapir/Israel/IBM at IBMIL, 
> Cc: samba-technical <samba-technical at lists.samba.org>, Dan Cohen1/
> Israel/IBM at IBMIL, Lior Chen/Israel/IBM at IBMIL
> Date: 12/07/2012 07:34
> Subject: Re: NIS/ldap name-based id mapping from Active directory 
> and idmap_nss
> 
> On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:

> > If I understand correctly, Samba simply strips the domain name from 
the 
> > user name and resolves the user name ("myUser") as if it was a local 
user. 
> > So, if the user myUser existed on the local machine, it's UID would 
have 
> > been used instead (assuming the nsswitch is configured to use local 
> > users). Also, I discovered that idmap_nss does not enforce the idmap 
range 
> > restrictions (using a call to idmap_unix_id_is_in_range). So, if I 
created 
> > a domain user called "root" and created a connection, I would get root 

> > access to the machine!
> 
> We trust the directory absolutely.  If arbitrary named users are being
> created, then I think that is the real problem. 
> 

I think that idmap_nss should at least enforce the id ranges defined in 
"idmap config DOMAINNAME:range". I created a local patch in my local code 
that use idmap_unix_id_is_in_range and returns the appropriate error code 
(as done in other id mapping methods) - is there any reason not to add 
this restriction to the idmap_nss code?
> > I assume the same method will work if I replace the NIS with an ldap 
> > server, but I haven't tried it yet.
> > 
> > Is there a better way to do Active directory - NIS/ldap integration 
for an 
> > existing name->uid NIS/ldap database? I tried googling it and got some 

> > conflicting information.
> 
> Is using idmap_nss really a problem?  Of course we could have it
> optionally only honour for certain UID values, but it really seems the
> best starting point. 

Here is one problem which may occur - Assuming the customer does not have 
direct access to the machine, and the machine has a pre-defined set of 
user accounts which it is shipped with. If I do not enforce any uid range, 
the name resolution may accidentally hit one of the local users (if those 
conflict with the names defined in NIS). If I do enforce a range (so that 
I reserve the range for the local users) this range may conflict with the 
range already in use in the customer's NIS, and may prevent some accounts 
to be mapped correctly (unless user UID is changed, which is not a simple 
procedure). 

Thanks
        Nimrod

More information about the samba-technical mailing list