From 4e05235ab6198e475f6ba67c81e7b55d51bef21e Mon Sep 17 00:00:00 2001 From: bubulle Date: Wed, 9 Sep 2009 18:19:52 +0000 Subject: Load samba-3.4.1 into branches/samba/upstream. git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/upstream@3032 fc4039ab-9d04-0410-8cac-899223bdd6b0 --- docs/htmldocs/Samba3-HOWTO/idmapper.html | 70 ++++++++++++++++---------------- 1 file changed, 35 insertions(+), 35 deletions(-) (limited to 'docs/htmldocs/Samba3-HOWTO/idmapper.html') diff --git a/docs/htmldocs/Samba3-HOWTO/idmapper.html b/docs/htmldocs/Samba3-HOWTO/idmapper.html index 8e1feda73d..cc3b53d573 100644 --- a/docs/htmldocs/Samba3-HOWTO/idmapper.html +++ b/docs/htmldocs/Samba3-HOWTO/idmapper.html @@ -1,4 +1,4 @@ -Chapter 14. Identity Mapping (IDMAP)

Chapter 14. Identity Mapping (IDMAP)

John H. Samba Team Terpstra

Samba Team

+Chapter 14. Identity Mapping (IDMAP)

Chapter 14. Identity Mapping (IDMAP)

John H. Samba Team Terpstra

Samba Team
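Review bot: the removed and added lines of this first hunk read identically once the HTML markup is stripped (both show "Chapter 14. Identity Mapping (IDMAP)" with the same author block), so the change is confined to markup that this rendered view does not display; the same holds for every hunk that follows, which fits the commit message describing a wholesale import of samba-3.4.1 rather than an edit to this chapter. Anything worth reviewing in the markup itself (element ids, anchors) has to be checked against the raw file, not here.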

@@ -30,7 +30,7 @@ another, and that is where the fun begins! - + @@ -44,7 +44,7 @@ or if there is a need to keep the security name-space separate (i.e., the user FRANCISCUS\FJones[4] free from inadvertent cross-over, close attention should be given to the way that the IDMAP facility is configured.

- + @@ -62,7 +62,7 @@ There are four basic server deployment types, as documented in .

Standalone Samba Server

- + A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba domain. @@ -86,13 +86,13 @@ on Server Types and Security Modes. extensively makes use of Windows SIDs.

- + Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba server must provide to MS Windows clients and servers appropriate SIDs.

- + A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle identity mapping in a variety of ways. The mechanism it uses depends on whether or not @@ -100,7 +100,7 @@ on Server Types and Security Modes. The configuration options are briefly described here:

Winbind is not used; users and groups are local:

- + @@ -129,9 +129,9 @@ on Server Types and Security Modes. - + - + This configuration may be used with standalone Samba servers, domain member @@ -143,7 +143,7 @@ on Server Types and Security Modes. - + In this situation user and group accounts are treated as if they are local accounts. The only way in which this differs from having local accounts is that the accounts are stored in a repository that can be shared. In practice @@ -152,9 +152,9 @@ on Server Types and Security Modes. - + - + This configuration may be used with standalone Samba servers, domain member servers (NT4 or ADS), and for a PDC that uses either an smbpasswd @@ -171,7 +171,7 @@ on Server Types and Security Modes. domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows Active Directory.

- + @@ -185,7 +185,7 @@ on Server Types and Security Modes. - + This configuration is not convenient or practical in sites that have more than one Samba server and that require the same UID or GID for the same user or group across all servers. One of the hazards of this method is that in the event that the winbind @@ -208,9 +208,9 @@ on Server Types and Security Modes. - + - + This facility requires the allocation of the idmap uid and the @@ -225,7 +225,7 @@ on Server Types and Security Modes. - + @@ -256,7 +256,7 @@ on Server Types and Security Modes. in precisely the same manner as when using winbind with a local IDMAP table.

- + The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active Directory. In order to use Active Directory, it is necessary to modify the ADS schema by @@ -307,8 +307,8 @@ on Server Types and Security Modes. through a snap-in module to the normal ADS account management MMC interface.

- - + + Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity. In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup @@ -319,8 +319,8 @@ on Server Types and Security Modes. - - + + BDCs have read-only access to security credentials that are stored in LDAP. Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write @@ -380,7 +380,7 @@ Joined domain MEGANET2. Join to 'MIDEARTH' is OK

A failed join would report an error message like the following: - +

 root#  net rpc testjoin
 [2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
@@ -396,10 +396,10 @@ Join to domain 'MEGANET2' is not valid
 	
 	The procedure for joining an ADS domain is similar to the NT4 domain join, except the smb.conf file
 	will have the contents shown in ADS Domain Member Server smb.conf
-	

Example 14.2. ADS Domain Member Server smb.conf

# Global parameters
[global]
workgroup = BUTTERNET
netbios name = GARGOYLE
realm = BUTTERNET.BIZ
security = ADS
template shell = /bin/bash
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = Yes
winbind nested groups = Yes
printer admin = "BUTTERNET\Domain Admins"

+

Example 14.2. ADS Domain Member Server smb.conf

# Global parameters
[global]
workgroup = BUTTERNET
netbios name = GARGOYLE
realm = BUTTERNET.BIZ
security = ADS
template shell = /bin/bash
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = Yes
winbind nested groups = Yes
printer admin = "BUTTERNET\Domain Admins"

- + @@ -436,7 +436,7 @@ GARGOYLE$@'s password: ads_connect: No results returned Join to domain is not valid

- + @@ -459,7 +459,7 @@ Join to domain is not valid - + This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the RID to a base value specified. This utility requires that the parameter @@ -475,10 +475,10 @@ Join to domain is not valid

An example smb.conf file for and ADS domain environment is shown in ADS Domain Member smb.conf using idmap_rid. -

Example 14.3. ADS Domain Member smb.conf using idmap_rid

# Global parameters
[global]
workgroup = KPAK
netbios name = BIGJOE
realm = CORP.KPAK.COM
server string = Office Server
security = ADS
allow trusted domains = No
idmap backend = idmap_rid:KPAK=500-100000000
idmap uid = 500-100000000
idmap gid = 500-100000000
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
printer admin = "Domain Admins"

+

Example 14.3. ADS Domain Member smb.conf using idmap_rid

# Global parameters
[global]
workgroup = KPAK
netbios name = BIGJOE
realm = CORP.KPAK.COM
server string = Office Server
security = ADS
allow trusted domains = No
idmap backend = idmap_rid:KPAK=500-100000000
idmap uid = 500-100000000
idmap gid = 500-100000000
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
printer admin = "Domain Admins"

- - + + In a large domain with many users it is imperative to disable enumeration of users and groups. For example, at a site that has 22,000 users in Active Directory the winbind-based user and @@ -536,9 +536,9 @@ Join to domain is not valid root# getent passwd administrator administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash

-

IDMAP Storage in LDAP Using Winbind

+

IDMAP Storage in LDAP Using Winbind

- + The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP @@ -547,7 +547,7 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash

An example is for an ADS domain is shown in ADS Domain Member Server using LDAP. -

Example 14.4. ADS Domain Member Server using LDAP

# Global parameters
[global]
workgroup = SNOWSHOW
netbios name = GOODELF
realm = SNOWSHOW.COM
server string = Samba Server
security = ADS
log level = 1 ads:10 auth:10 sam:10 rpc:10
ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
ldap idmap suffix = ou=Idmap
ldap suffix = dc=SNOWSHOW,dc=COM
idmap backend = ldap:ldap://ldap.snowshow.com
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
winbind use default domain = Yes

+

Example 14.4. ADS Domain Member Server using LDAP

# Global parameters
[global]
workgroup = SNOWSHOW
netbios name = GOODELF
realm = SNOWSHOW.COM
server string = Samba Server
security = ADS
log level = 1 ads:10 auth:10 sam:10 rpc:10
ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
ldap idmap suffix = ou=Idmap
ldap suffix = dc=SNOWSHOW,dc=COM
idmap backend = ldap:ldap://ldap.snowshow.com
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
winbind use default domain = Yes

In the case of an NT4 or Samba-3-style domain the realm is not used, and the command used to join the domain is net rpc join. The above example also demonstrates @@ -679,7 +679,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM' In many cases a failure is indicated by a silent return to the command prompt with no indication of the reason for failure.

IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension

- + The use of this method is messy. The information provided in the following is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites @@ -687,7 +687,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'

An example smb.conf file is shown in ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS. -

Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS

# Global parameters
[global]
workgroup = BOBBY
realm = BOBBY.COM
security = ADS
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
winbind cache time = 5
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes

+

Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS

# Global parameters
[global]
workgroup = BOBBY
realm = BOBBY.COM
security = ADS
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
winbind cache time = 5
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes

The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the -- cgit v1.2.3
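Review bot: the context line in the @@ -307 hunk about security identifiers misspells "integrity" as "itegrity" ("to avoid conflict and to preserve itegrity"); because this commit only imports the upstream 3.4.1 tree, the fix belongs in the upstream DocBook source rather than in this generated HTML.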
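Review bot: in the Example 14.2 block replaced by the @@ -396 hunk, the ranges `idmap uid = 500-10000000` and `idmap gid = 500-10000000` start low enough to overlap the numeric IDs that many distributions hand out to local accounts in /etc/passwd and /etc/group, so a winbind-allocated ID can coincide with a local UNIX user or group and silently share that account's file ownership and permissions. Suggest the example start its ranges above the local account range (the Example 14.4 and 14.5 blocks later in this same diff use 150000-550000) and that the text say why the ranges must not overlap local IDs.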
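Review bot: the context line introducing Example 14.3 in the @@ -475 hunk reads "An example smb.conf file for and ADS domain environment"; "for and" should be "for an". The example's `idmap backend = idmap_rid:KPAK=500-100000000` and `idmap uid = 500-100000000` are consistent with each other, but since the surrounding text describes idmap_rid as deriving the UID by adding the RID to a base value, the bottom of that range also sits inside the ID space used by local accounts, and the same caveat as for Example 14.2 applies.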
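Review bot: the context line before Example 14.4 in the @@ -547 hunk reads "An example is for an ADS domain is shown in"; drop the first "is". In the example block, `log level = 1 ads:10 auth:10 sam:10 rpc:10` raises the ads, auth, sam and rpc debug classes to 10, a troubleshooting level that writes detailed authentication and RPC exchanges into the Samba logs; a configuration presented as a deployment example should show `log level = 1` and leave the per-class levels to the troubleshooting text. The block also sets `ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM` without the surrounding text noting that the matching bind password must be stored in secrets.tdb with `smbpasswd -w` before winbind can write IDMAP entries to LDAP.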
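Review bot: the example title in the @@ -687 hunk, both in the context line and in the removed and added lines, says "RFC2307bis Schema Extension Date via NSS", which should read "Data via NSS"; both sides of the hunk otherwise show the same configuration text, so the regenerated HTML carries the typo forward unchanged. As with the earlier examples, the fix is an upstream documentation change rather than something to patch in this import.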