On 2013-01-25 20:43, Rob McCorkell wrote:
Samba3 allowed for the setting of idmaps and passdb backends to
configure how users were pulled in. This made integrating with
existing LDAP databases, or other forms of authentication easy,
since Samba could be configured to present the same UID and GID as
directly from the [insert other auth method here] system. All was good.
Unfortunately Samba4 seems to have removed much of that functionality.
I understand that in an AD context, passdb backend doesn't really make
very much sense, so removing that was fair. What I do not understand
is why Winbind cannot be configured to use certain idmaps, more
specifically the RID mapping. This would make it significantly easier
to integrate LDAP authenticating clients into Samba4, for example
using nslcd to map the UIDs and GIDs. The current implementation is
forced into using allocated *IDs, which are not consistent across
machines.
But all in all this is not a big problem, since although machines get
different *IDs, they use the CIFS protocol which uses usernames
instead, so each machine knows who a user is. The problem is when a
server that runs Samba4 as a file server uses LDAP to get user
information. When a client connects, Samba4 assigns the user the UID which is
allocated. Samba4 then finds the home share, but since the UID on the
home share (dutifully mapped by nslcd from the RID on the end of the
objectSid) doesn't match the allocated one, it refuses access.
All that nslcd does in this case is map a UID to the RID from the
objectSid in LDAP. This is a very simple mapping - just get the end of
the string, where the first bit is the domain SID. Samba3 supported
RID mapping in this fashion, but I do not understand why this was not
ported across to Samba4. It would only change the UIDs and GIDs as
seen by Samba, which as far as I know are used very little within
Samba, where the objectSid is used instead.
Of course, it could be that I have a massive misunderstanding of the
internals of Samba4, and there is a reason why this functionality
wasn't brought across.
Rob
If you provision/run with idmap_ldb:use rfc2307 then you can assign each
user/group a uidNumber/gidNumber which then is/can be obeyed by samba/nslcd.
Regards
Geza Gemes
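To make the two mappings discussed in this thread concrete, here is an added example (not code from Samba, nslcd, or either poster). It decodes a binary objectSid as stored in LDAP, splits off the RID "at the end of the string" the way Rob describes, and prefers an rfc2307 uidNumber when the entry carries one, which is the scheme Geza suggests. The domain SID, the sample user entry, and the `base` offset parameter (idmap_rid adds such an offset; the thread's nslcd description uses the bare RID, so the default is 0) are all assumptions made for the example.

```python
import struct
from typing import Dict, Tuple

# Constructed values for the example; not from any real domain.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"


def parse_sid(blob: bytes) -> str:
    """Decode a binary objectSid into its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each
    sub-authority as a 32-bit little-endian integer.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-x-y-z-RID' into (domain SID, RID)."""
    head, sep, tail = sid.rpartition("-")
    if not sid.startswith("S-") or not sep or not tail.isdigit():
        raise ValueError("malformed SID %r" % sid)
    return head, int(tail)


def rid_to_id(sid: str, domain_sid: str = DOMAIN_SID, base: int = 0) -> int:
    """Algorithmic RID mapping: base + RID.

    Only SIDs from the expected domain are mapped; BUILTIN and other
    well-known SIDs (S-1-5-32-544 and friends) would otherwise collide
    with real users, so they are rejected rather than silently mapped.
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise ValueError("SID %s is not from domain %s" % (sid, domain_sid))
    return base + rid


def resolve_uid(entry: Dict[str, object], domain_sid: str = DOMAIN_SID, base: int = 0) -> int:
    """Prefer an rfc2307 uidNumber on the entry; fall back to the RID mapping.

    With idmap_ldb:use rfc2307 (Geza's suggestion) the uidNumber stored in
    the directory is authoritative, so Samba and nslcd agree by construction.
    """
    if "uidNumber" in entry:
        return int(entry["uidNumber"])  # type: ignore[arg-type]
    return rid_to_id(parse_sid(entry["objectSid"]), domain_sid, base)  # type: ignore[arg-type]


# Constructed sample objectSid for user RID 1105 in DOMAIN_SID above.
SAMPLE_SID_BLOB = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 1105)
SAMPLE_ENTRY_RID_ONLY = {"sAMAccountName": "alice", "objectSid": SAMPLE_SID_BLOB}
SAMPLE_ENTRY_RFC2307 = {"sAMAccountName": "alice", "objectSid": SAMPLE_SID_BLOB, "uidNumber": "5001"}

if __name__ == "__main__":
    print(parse_sid(SAMPLE_SID_BLOB))
    print("RID-based uid:", resolve_uid(SAMPLE_ENTRY_RID_ONLY))
    print("rfc2307 uid:  ", resolve_uid(SAMPLE_ENTRY_RFC2307))
```

The point of the domain check in `rid_to_id` is the one caveat a bare "take the last number" mapping misses: an objectSid from another domain or from the BUILTIN authority also ends in a small integer, and mapping it the same way hands that principal a UID belonging to one of your own users.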