[Samba] NT/ADS and UNIX user convergence using Samba

news.gmane.org
Apr 5, 2004, 12:30:18 PM
Hi-

I'm deploying a fileserver running Samba 3.0.2a in an environment that
contains NT and UNIX users. I'd like to have my fileserver set up as
follows:

- Users connecting to the fileserver from NT boxes are authenticated against
the Win2K ADS Domain Controller.
- Users connecting to the fileserver from other UNIX boxes are authenticated
locally using NIS and access the shared volume via NFS.

Each user has an account on the Win2K ADS Domain, and also an account on the
NIS server. I have this setup running now, but there's one problem: When
the user accesses a file from a Windows client it's accessed using the
UID/GID generated by winbind, but when the user accesses a file from a UNIX
client it's accessed using the NIS UID/GID. Effectively they have different
ownership.

I'd like this fileserver set up so that files created from either type of
client have the same ownership. Basically I need to somehow map my ADS
UID/GID's to my UNIX UID/GID's. I've looked around in the docs and on the
web and can't find an answer (other than warnings that the winbind UIDs
should *not* map to existing UNIX UIDs - but this is what I want!). I know
from working with NetApps in the past that there is a way to configure those
fileservers so that they attempt to do a username match from NT to/from
UNIX, and if the same named user exists, then it will use the same UID/GID.

I really want a way to set up a mapping file or something to the effect of
this:

# NT user UNIX user
DOMAIN+user1 user1
DOMAIN+user2 user2

It is *not* important that users have login accounts on the fileserver ...
so one idea I had was this:
- Remove NIS from the nsswitch.conf entries on the fileserver.
- Edit my /etc/passwd file on my NIS server so that UID/GID entries for a
user are the same as the ones generated by winbind

Will this work? Will I run into a problem down the road if I add a new
fileserver (if winbind's SID->UID/GID mapping is not the same on that new
server)?

Thanks in advance,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
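The name-match idea in the message above (NT user DOMAIN+user1 maps to UNIX user user1) can be checked before touching anything on the fileserver. The following is an added example, not code from the thread or from Samba: it takes a winbind-generated passwd dump and a NIS passwd dump (both constructed here, stand-ins for `getent passwd` and `ypcat passwd`), matches accounts by name after stripping the domain prefix, and reports where the two UIDs differ, which accounts exist on one side only, and, the case the Samba docs warn about, where a winbind UID already belongs to a different NIS user. The domain name, the `winbind separator` and the export path are assumptions.

```python
"""Reconcile winbind-allocated UIDs with NIS UIDs by username.

Added example, not from the original thread. Input is two passwd-style
dumps, constructed here to stand in for
  getent passwd   (winbind entries, 'DOMAIN+user' with 'winbind separator = +')
  ypcat passwd    (NIS entries)
"""

WINBIND_SEPARATOR = "+"      # assumption: smb.conf 'winbind separator = +'
DOMAIN = "DOMAIN"            # assumption: the NT domain name used in the post

# Constructed sample data, not a real dump.
WINBIND_PASSWD = """\
DOMAIN+user1:x:10000:10000:User One:/home/DOMAIN/user1:/bin/false
DOMAIN+user2:x:10001:10000:User Two:/home/DOMAIN/user2:/bin/false
DOMAIN+svc_backup:x:10002:10000:Backup Service:/home/DOMAIN/svc_backup:/bin/false
"""

NIS_PASSWD = """\
user1:x:1001:100:User One:/home/user1:/bin/bash
user2:x:10000:100:User Two:/home/user2:/bin/bash
user3:x:1003:100:User Three:/home/user3:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-formatted lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed passwd line: %r" % line)
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def strip_domain(name):
    """'DOMAIN+user1' -> 'user1'; names from other domains return None."""
    prefix = DOMAIN + WINBIND_SEPARATOR
    return name[len(prefix):] if name.startswith(prefix) else None


def reconcile(winbind_text, nis_text):
    """Match winbind and NIS accounts by username.

    mapping    - {nt_name: (unix_name, winbind_uid, nis_uid)} for matched users
    drift      - matched users whose two UIDs differ (files on the server
                 already carry two different owners for one person)
    collisions - winbind UIDs equal to the NIS UID of a *different* user; files
                 owned by that number can no longer be told apart
    nt_only / nis_only - accounts with no counterpart on the other side
    """
    wb = parse_passwd(winbind_text)
    nis = parse_passwd(nis_text)
    nis_by_uid = {uid: name for name, (uid, _gid) in nis.items()}

    mapping, drift, collisions, nt_only = {}, [], [], []
    for nt_name, (wb_uid, _wb_gid) in wb.items():
        unix_name = strip_domain(nt_name)
        if unix_name is None or unix_name not in nis:
            nt_only.append(nt_name)
        else:
            nis_uid = nis[unix_name][0]
            mapping[nt_name] = (unix_name, wb_uid, nis_uid)
            if wb_uid != nis_uid:
                drift.append((nt_name, wb_uid, nis_uid))
        owner = nis_by_uid.get(wb_uid)
        if owner is not None and owner != unix_name:
            collisions.append((nt_name, wb_uid, owner))

    matched_unix = {m[0] for m in mapping.values()}
    nis_only = sorted(set(nis) - matched_unix)
    return {"mapping": mapping, "drift": drift, "collisions": collisions,
            "nt_only": sorted(nt_only), "nis_only": nis_only}


def chown_plan(result, export="/export"):
    """find(1) commands that re-own files from the winbind UID to the NIS UID.

    A winbind UID that also belongs to another NIS user is skipped: chown by
    number would silently move that other user's files as well.
    """
    unsafe = {uid for _name, uid, _owner in result["collisions"]}
    cmds = []
    for nt_name, wb_uid, nis_uid in result["drift"]:
        if wb_uid in unsafe:
            cmds.append("# SKIP %s: uid %d collides, fix by hand" % (nt_name, wb_uid))
        else:
            cmds.append("find %s -xdev -uid %d -exec chown -h %d {} +"
                        % (export, wb_uid, nis_uid))
    return cmds


if __name__ == "__main__":
    r = reconcile(WINBIND_PASSWD, NIS_PASSWD)
    for nt, (ux, a, b) in sorted(r["mapping"].items()):
        print("%-20s %-12s winbind=%d nis=%d" % (nt, ux, a, b))
    print("collisions:", r["collisions"])
    print("\n".join(chown_plan(r)))
```

Run it against the real dumps before renumbering anything: in the constructed data, DOMAIN+user1 was given UID 10000 by winbind, which is user2's NIS UID, so its files cannot be re-owned by number and the plan skips it. That is the situation the documentation's warning is about, and it is also why a second fileserver with its own winbind allocation would produce a different plan.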

ww m-pubsyssamba
Apr 6, 2004, 10:40:12 AM
> I'd like this fileserver set up so that files created from either type of
> client have the same ownership. Basically I need to somehow map my ADS
> UID/GID's to my UNIX UID/GID's.
> It is *not* important that users have login accounts on the fileserver ...
> so one idea I had was this:
> - Remove NIS from the nsswitch.conf entries on the fileserver.
> - Edit my /etc/passwd file on my NIS server so that UID/GID entries for a
> user are the same as the ones generated by winbind

Hi Steve,

I think you have two options, use winbind and bin NIS or vice versa.
If you choose to use winbind, as you identified, you have to worry about mappings being different on individual
Samba servers; the only way to get around this currently is to use LDAP as your idmap backend. This stores
the UID to SID mappings centrally for multiple Samba servers to share.
If you choose to use NIS you will have to mess around with smbpasswd and net groupmap to make users and
groups visible as valid accounts for Samba. Also your NTLM passwords will not be synced to the domain but
Kerberos auth will work seamlessly, AFAIK.
Hope that helps,

cheers Andy.

BBCi at http://www.bbc.co.uk/


news.gmane.org
Apr 6, 2004, 11:20:15 AM
> Hi Steve,
>
> I think you have two options, use winbind and bin NIS or vice versa.
> If you choose to use winbind, as you identified, you have to worry about
> mappings being different on individual Samba servers; the only way to get
> around this currently is to use LDAP as your idmap backend. This stores
> the UID to SID mappings centrally for multiple Samba servers to share.
> If you choose to use NIS you will have to mess around with smbpasswd and
> net groupmap to make users and groups visible as valid accounts for Samba.
> Also your NTLM passwords will not be synced to the domain but Kerberos auth
> will work seamlessly, AFAIK.

Thanks. I did a little more poking around and it seems like I'm leaning
towards using winbind as my definitive authorization for this server and
removing NIS from the fileserver. If I do this, I'll need to get LDAP up
and running to control the mapping of SID -> UID so my NT SIDs map to my NIS
UIDs for UNIX NFS clients that mount the volume(s). I've seen several
descriptions of how to get the Samba side up (basically use the "idmap
backend" option in smb.conf), but I'm completely new to LDAP, and I haven't
found a simple description of how to set up a minimal LDAP server (probably
using OpenLDAP) on my linux box that would just contain the SID->UID
mappings.

Does anyone have a simple example configuration for OpenLDAP that they would
like to share? You can post, or email me directly at: loope...@yahoo.com

Thanks in advance,
Steve

Paul Gienger
Apr 6, 2004, 1:00:31 PM
I just set up your situation on a couple of test boxes. You can follow
the steps here: http://www.openldap.org/doc/admin22/quickstart.html
start at step 8 if you've already gotten the OpenLDAP package installed
via your distro's package management routine. Set your domain equal to
your windows domain name, for example, my test domain here was
dc=active,dc=bis,dc=ae-solutions,dc=com where my windows domain was
"ACTIVE" with a fqdn of active.bis.ae-solutions.com. You then need to
add one idmap object under it, I can't be much more specific than that,
since I just found that someone hosed my ldap config on the test boxes.

--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Cell: 701-306-6254
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:pgie...@ae-solutions.com
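Steve asked for a minimal OpenLDAP content that holds only the SID to UID mappings, and Paul's reply describes the base DN named after the Windows domain with an idmap object under it. The following is an added example, not code from the thread or from the Samba project: it generates the LDIF for that idmap container and one entry per account, taking each UID/GID from NIS rather than letting winbind allocate a fresh one, so that every fileserver pointed at the same `idmap backend = ldap:` URL resolves the same SID to the NIS number. The base DN, the `ldap idmap suffix`, the idmap ranges, the domain SID and the RIDs are all assumptions; the object classes and attribute names (sambaUnixIdPool, sambaIdmapEntry, sambaSidEntry, sambaSID, uidNumber, gidNumber) are those of Samba 3's samba.schema and should be checked against the schema file actually loaded into slapd.

```python
"""Seed a Samba 3 LDAP idmap backend so every fileserver maps SID -> NIS UID.

Added example, not from the thread or the Samba project. It writes the LDIF
that idmap_ldap would otherwise populate the first time it sees each SID, but
with the UID/GID taken from NIS instead of allocated fresh.

Assumed smb.conf on each fileserver (Samba 3.0 option names):
    ldap suffix        = dc=active,dc=example,dc=com
    ldap idmap suffix  = ou=Idmap
    ldap admin dn      = cn=Manager,dc=active,dc=example,dc=com
    idmap backend      = ldap:ldap://ldap.example.com
    idmap uid          = 1000-65000
    idmap gid          = 1000-65000
"""

BASE_DN = "dc=active,dc=example,dc=com"   # assumption: named after the AD domain
IDMAP_SUFFIX = "ou=Idmap"                 # assumption: 'ldap idmap suffix'
UID_RANGE = (1000, 65000)                 # assumption: 'idmap uid'
GID_RANGE = (1000, 65000)                 # assumption: 'idmap gid'

# Constructed sample: the SID each account resolves to (wbinfo -n style)
# paired with its UID/GID from NIS. Not real SIDs or numbers.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = {   # NT name -> (RID, NIS uid)
    "DOMAIN+user1": (1105, 1001),
    "DOMAIN+user2": (1106, 1002),
}
GROUPS = {  # NT group -> (RID, NIS gid)
    "DOMAIN+staff": (1201, 100),      # deliberately outside the gid range
    "DOMAIN+eng": (1202, 2000),
}


def in_range(value, rng):
    lo, hi = rng
    return lo <= value <= hi


def sid(rid):
    return "%s-%d" % (DOMAIN_SID, rid)


def build_entries(users, groups):
    """Return ([(sid, 'uidNumber'|'gidNumber', number)], [rejected NT names]).

    An entry is rejected when its number lies outside the idmap range (winbind
    would refuse to use it) or duplicates a number already assigned.
    """
    entries, rejected = [], []
    seen_uid, seen_gid = set(), set()
    for name, (rid, uid) in users.items():
        if not in_range(uid, UID_RANGE) or uid in seen_uid:
            rejected.append(name)
            continue
        seen_uid.add(uid)
        entries.append((sid(rid), "uidNumber", uid))
    for name, (rid, gid) in groups.items():
        if not in_range(gid, GID_RANGE) or gid in seen_gid:
            rejected.append(name)
            continue
        seen_gid.add(gid)
        entries.append((sid(rid), "gidNumber", gid))
    return entries, rejected


def next_free(entries, attr, rng):
    """Counter value for the sambaUnixIdPool object: first number not seeded."""
    used = [n for _s, a, n in entries if a == attr]
    return (max(used) + 1) if used else rng[0]


def to_ldif(entries):
    idmap_dn = "%s,%s" % (IDMAP_SUFFIX, BASE_DN)
    ou = IDMAP_SUFFIX.split("=", 1)[1]
    out = [
        "dn: %s" % idmap_dn,
        "objectClass: organizationalUnit",
        "objectClass: sambaUnixIdPool",
        "ou: %s" % ou,
        "uidNumber: %d" % next_free(entries, "uidNumber", UID_RANGE),
        "gidNumber: %d" % next_free(entries, "gidNumber", GID_RANGE),
        "",
    ]
    for s, attr, number in entries:
        out += [
            "dn: sambaSID=%s,%s" % (s, idmap_dn),
            "objectClass: sambaIdmapEntry",
            "objectClass: sambaSidEntry",
            "sambaSID: %s" % s,
            "%s: %d" % (attr, number),
            "",
        ]
    return "\n".join(out)


if __name__ == "__main__":
    entries, rejected = build_entries(USERS, GROUPS)
    for name in rejected:
        print("# not seeded (outside idmap range or duplicate): %s" % name)
    print(to_ldif(entries))
```

Load the output with `ldapadd -x -D "cn=Manager,dc=active,dc=example,dc=com" -W -f idmap.ldif` after the base entry `dc=active,dc=example,dc=com` exists (the OpenLDAP quickstart Paul points to creates it). The rejected group shows the check worth keeping: a NIS number outside `idmap uid`/`idmap gid` is not something winbind will hand out, so either widen the range on every fileserver or renumber in NIS before seeding.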

Edvard Fagerholm
Apr 6, 2004, 1:00:52 PM

Hi,

What you're trying to accomplish is exactly the same thing that I've done on my
network. The solution that I'm using is to use AD4Unix. This modifies the AD
LDAP-tree, so that you can add UID and GID entries for every user and group
through a new tab that appears in user manager. The only problem is that if
you've got a bunch of users, you need to manually allocate their UIDs, and for
every new user you add, you need to enable their "UNIX settings". So after
installing it, you need to go through each and every user to enable their UNIX
settings... However, it's only a few clicks per user...

On the samba server you simply use LDAP for passwd and group entries in
nsswitch and use the AD server as the LDAP. Then you need to configure winbind
with "winbind trusted domains only = yes". However, this doesn't work out of
the box on Samba 3.0.2a, because there seems to be a bug with returning
incorrect SIDs, but I made a quick hack to Samba to make it work. I've been
using this configuration since Samba 3.0.0, but the earlier versions required a
bit more tinkering as there wasn't such a thing as "winbind trusted domains
only".

The good side with this configuration is that you don't need to have an idmap
backend and every bit of configuration is simply done through the user manager.
The bad side is that modifying the AD LDAP-tree prevents you from updating the
operating system on the AD server. There's some patch from M$ to make updating
work, but you can't find it on their website; the only way to get it is to
contact their customer support. I don't know why this is made so hard...

The other good thing is that you can add UNIX workstations to the network and
let them authenticate through kerberos to the AD and share the files on the
samba server to them through NFS. This way all user management both for the
UNIX and windows workstations is done on the AD server. This makes it easy to
integrate UNIX workstations to the windows network and you don't have to
install Samba on any of the UNIX workstations.

If you need more info you can e-mail me and I'll give you more detailed
information of how to make it work.

Regards,
Edvard

Aden, Steve
Apr 7, 2004, 9:10:25 AM
Edvard,
I have also been struggling with Samba and ADS. I too have the
SID problem you mention. Is it possible for you to post the hack you did
to workaround this problem? I have searched and searched and your post
seems to be the first that confirms this problem, that I have reproduced
in my lab. There have been many posts that are probably related to this
problem, but nothing has been resolved.

Thank you,
Steve Aden


Edvard Fagerholm
Apr 7, 2004, 1:40:09 PM
On Wed, Apr 07, 2004 at 09:02:35AM -0400, Aden, Steve wrote:
> Edvard,
> I have also been struggling with Samba and ADS. I too have the
> SID problem you mention. Is it possible for you to post the hack you did
> to workaround this problem? I have searched and searched and your post
> seems to be the first that confirms this problem, that I have reproduced
> in my lab. There have been many posts that are probably related to this
> problem, but nothing has been resolved.
>
> Thank you,
> Steve Aden
>

Just apply the attached patch to samba. The file to patch is:

samba-3.0.2a/sources/nsswitch/winbindd_sid.c

Then remember to put the following to your smb.conf:

winbind trusted domains only = yes

winbind use default domain = no (might be unneeded this just happens to be in
my config, because I needed it for my previous hack before the trusted domains
only stuff got implemented...)

Then specify the idmap ranges, so that they cover every uid and gid you specify
in AD4Unix. I myself use:

idmap uid = 1000-65000
idmap gid = 1000-65000

which covers my userbase quite well. I just traced the SID problem to that "if"
in the source and that "if" is probably there for a reason or it's simply a bug
and tests for the exact opposite that it should. I tried to post about it to the
technical mailing-list, but I didn't get any comments about it, so dunno. I
hope it doesn't mess up anything, but I've been running my previous hack on a
production server since august and haven't had any problems.

Regards,
Edvard

winbindd_sid.c.diff
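Edvard's setup has two things that silently break for individual accounts: a user whose "UNIX settings" were never enabled has no UID/GID in AD and so never appears through nss_ldap, and a UID or GID that falls outside the `idmap uid`/`idmap gid` ranges is not one winbind will serve. The following is an added example, not code from the thread, from AD4Unix or from Samba: it reads a constructed ldapsearch-style dump of the AD users and groups together with a constructed smb.conf fragment (mirroring the options quoted above) and lists every account that would fail one of those checks, plus users whose primary GID matches no group. The attribute names uidNumber/gidNumber are what nss_ldap expects from a posixAccount and are assumed to be what the schema extension populates; adjust the two constants if yours differ.

```python
"""Check AD-held UNIX ids against the smb.conf idmap ranges.

Added example, not from the thread. Reads a constructed ldapsearch-style dump
and a constructed smb.conf fragment and reports accounts that winbind or
nss_ldap would not serve as intended.
"""
import re

UID_ATTR = "uidNumber"   # assumption: attribute written by the "UNIX settings" tab
GID_ATTR = "gidNumber"   # assumption, as above

# Constructed smb.conf fragment, mirroring the options quoted in the post.
SMB_CONF = """\
[global]
   workgroup = ACTIVE
   security = ads
   winbind trusted domains only = yes
   winbind use default domain = no
   idmap uid = 1000-65000
   idmap gid = 1000-65000
"""

# Constructed LDIF dump, as ldapsearch against the AD server would print it.
# Not real data; user3 has never had its UNIX settings enabled.
AD_DUMP = """\
dn: CN=user1,CN=Users,DC=active,DC=example,DC=com
objectClass: user
sAMAccountName: user1
uidNumber: 1001
gidNumber: 100

dn: CN=user2,CN=Users,DC=active,DC=example,DC=com
objectClass: user
sAMAccountName: user2
uidNumber: 70000
gidNumber: 2000

dn: CN=user3,CN=Users,DC=active,DC=example,DC=com
objectClass: user
sAMAccountName: user3

dn: CN=eng,CN=Users,DC=active,DC=example,DC=com
objectClass: group
sAMAccountName: eng
gidNumber: 2000
"""


def idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from the idmap lines."""
    ranges = {}
    for kind in ("uid", "gid"):
        m = re.search(r"^\s*idmap %s\s*=\s*(\d+)\s*-\s*(\d+)" % kind, conf, re.M)
        if not m:
            raise ValueError("idmap %s not set" % kind)
        ranges[kind] = (int(m.group(1)), int(m.group(2)))
    return ranges


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} per blank-line separated record.

    Base64 ('::') and folded continuation lines are not handled; ldapsearch
    output for the attributes used here is plain.
    """
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records


def check(conf, dump):
    """Return [(sAMAccountName, problem)] for every account that needs attention."""
    ranges = idmap_ranges(conf)
    recs = parse_ldif(dump)
    group_gids = {int(r[GID_ATTR][0]) for r in recs
                  if "group" in r.get("objectClass", []) and GID_ATTR in r}
    problems = []
    for r in recs:
        classes = r.get("objectClass", [])
        name = r.get("sAMAccountName", ["?"])[0]
        if "user" in classes:
            if UID_ATTR not in r or GID_ATTR not in r:
                problems.append((name, "unix settings not enabled"))
                continue
            uid, gid = int(r[UID_ATTR][0]), int(r[GID_ATTR][0])
            lo, hi = ranges["uid"]
            if not lo <= uid <= hi:
                problems.append((name, "uid %d outside idmap uid %d-%d" % (uid, lo, hi)))
            lo, hi = ranges["gid"]
            if not lo <= gid <= hi:
                problems.append((name, "gid %d outside idmap gid %d-%d" % (gid, lo, hi)))
            if gid not in group_gids:
                problems.append((name, "primary gid %d has no group with gidNumber" % gid))
        elif "group" in classes and GID_ATTR in r:
            gid = int(r[GID_ATTR][0])
            lo, hi = ranges["gid"]
            if not lo <= gid <= hi:
                problems.append((name, "gid %d outside idmap gid %d-%d" % (gid, lo, hi)))
    return problems


if __name__ == "__main__":
    for name, problem in check(SMB_CONF, AD_DUMP):
        print("%-10s %s" % (name, problem))
```

The first report, user1 with primary GID 100, is the one that the NFS side makes visible: a NIS-era group number below the idmap range will show up on files written from a UNIX client but will never be handed out by winbind, so either the range or the group has to move.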