On Tuesday 29 March 2005 09:56, Dr. Matthias Schlett (987) wrote:
> Hi John T. et al.,
> here is my comment about the Samba-Guide chapter 10.
The Samba-Guide (Samba-3 by Example) is not intended as a comprehensive
technical overview of how Samba works. It is meant as a quick guide that will
help our users to create a working network environment. The premise behind
the Samba-Guide is "learn by seeing Samba work" - not "see how every nut and
bolt of Samba works". The nuts and bolts should be covered in the
Samba-HOWTO-Collection.
> In my opinion this chapter is a good place to explain the nature of Samba:
> joining the unix and the windows world by mapping.
This is handled in the Samba-HOWTO-Collection. Is that the wrong place?
> In most of the cases discussed on this list a unix server is used only as a
> container for the windows world. The Samba team tries to smooth the
> differences between unix and windows and to put windows functionality into
> unix. For me everything is merged into one big cloud. As an administrator I
> want to look behind the scene and to understand the different cases which
> Samba as an all-purpose software can serve for.
Right. Refer to the Samba-HOWTO-Collection and if that is deficient it must be
updated.
> We don't use Samba as a general tool for everything. For the user and group
> management we have an external Oracle database. From this database we feed
> a mixed mode AD for the windows world and a LDAP for the unix world using
> nss_ldap there.
> A windowsusername = DOMAIN\unixusername and some windowsgroupname =
> DOMAIN\unixgroupname, some windowsgroupnames differ from unixgroupnames.
As shown in the Samba-Guide and as explained in detail in the
Samba-HOWTO-Collection a Windows username should be the same as a UNIX
username. The 'username map' facility is a kludge for handling out-lying
cases where the names must for a particular reason differ, not a panacea
for general use. The 'username map' facility violates one of the principal
rules of using Samba - that there must be only unique resolution of
login_ID<=>UID<=>SID as any ambiguity may end up biting the hand off.
The same rules apply to group mappings. The tool for setting up group mappings
is: 'net groupmap [add | modify | delete] ntgroup=[...] unixgroup=[...]'
> Both group membership trees are identical ( LDAP supports nested unix
> groups). The password entries for unix and windows are managed by the
> external database.
> On our NFS and CIFS fileserver both worlds get in touch with the help of
> winbind: the idmap backend on a LDAP server is also fed by our database,
> winbind has only to read the mappings. We don't use winbind for name
> resolution or automatic creation of uid/gid.
What do you see as the role of winbind?
> In chapter 10 there are some common phrases about the winbind role, but in
> my opinion we need a more detailed explanation how it manages the mapping
> in different cases. More general, I would like to have a chapter from the
> mapping viewpoint. For my particular case I had to read many different
> places in the documentation (and I'm reading it the third month) to find a
> working configuration (which I'll send to the list if you would like), but
> there are still some open questions:
Have you referred to the Samba-HOWTO-Collection? Both the HOWTO and the Guide
have recently been significantly updated. They are available on-line at:
http://www.samba.org/samba/docs/
> - Must the idmap be a one-to-one mapping or can several sid point to one
> uid/gid ? or is the username map the only tool in this case (and what about
> a groupname map ) ?
IDMAP can handle only single and unambiguous mapping of SID to UID and vice
versa.
> - Why does the user mapping mechanism differ from the group mapping
> mechanism ?
> - How is a windows group membership mapped automatically to a unix
> membership (We do it by the external database) ?
Groups are only explicitly mapped since 3.0.0. That is why you need to create
the mapping using the 'net groupmap' facility.
> - How are the 14 different windows security attributes mapped into the
> Posix ACLs and how are the Posix ACLs displayed in windows ?
Perhaps Jeremy can best answer this.
>
> I hope this email is not too confusing, but I tried to be short.
- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
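As an added example (not code from the thread, the Samba documentation or the Samba project), the following script audits the two mapping mechanisms the reply discusses before they are applied: it checks a 'username map' file for the login_ID<=>UID ambiguity John T. warns about, and it generates the 'net groupmap add' commands for a list of NT-group/UNIX-group pairs only when both columns are unique. The account and group names, the file contents and the "NT group:unix group" pair format are constructed for the example; the 'username map' file format ("unixname = winname [winname ...]", ';' or '#' comment lines, optional leading '!') follows the smb.conf documentation, and quoted Windows names containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the thread or from the Samba project: audit a
# 'username map' file and a list of group pairs for ambiguous mappings.

# Constructed sample username map (hypothetical accounts).
SAMPLE_MAP='# constructed username.map
root = administrator admin
mschlett = mschlett
jdoe = jdoe
backup = admin
'
MAP_FILE=$(mktemp)
printf '%s' "$SAMPLE_MAP" > "$MAP_FILE"

# Constructed "NT group:unix group" pairs (hypothetical names).
SAMPLE_GROUPS='Domain Admins:domadm
Domain Users:users
Engineering:eng
'
GROUPS_FILE=$(mktemp)
printf '%s' "$SAMPLE_GROUPS" > "$GROUPS_FILE"

# Print one "winname<TAB>unixname" pair per mapping in the map file $1.
expand_map() {
  awk -F'=' '
    /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }
    NF >= 2 {
      unix = $1
      gsub(/^[[:space:]!]+|[[:space:]]+$/, "", unix)   # drop blanks and the "!" stop marker
      n = split($2, wins, /[[:space:]]+/)
      for (i = 1; i <= n; i++)
        if (wins[i] != "") printf "%s\t%s\n", wins[i], unix
    }' "$1"
}

# Windows logins listed under more than one UNIX account. The map is applied
# line by line, so which account such a login ends up as depends on line
# order; that is exactly the ambiguity the reply says to avoid.
ambiguous_windows_names() {
  expand_map "$1" | cut -f1 | sort | uniq -d
}

# UNIX accounts that several Windows logins collapse onto: the UID no longer
# identifies a single login_ID, breaking the login_ID<=>UID<=>SID rule.
shared_unix_accounts() {
  expand_map "$1" | cut -f2 | sort | uniq -d
}

# Emit one 'net groupmap add' line per pair in $1. Returns 1 and prints
# nothing if an NT group or a UNIX group appears twice, so an ambiguous
# mapping is never half-applied.
groupmap_commands() {
  if [ -n "$(cut -d: -f1 "$1" | sort | uniq -d)" ] ||
     [ -n "$(cut -d: -f2 "$1" | sort | uniq -d)" ]; then
    echo "refusing: duplicate NT or UNIX group in $1" >&2
    return 1
  fi
  while IFS=: read -r nt unix; do
    [ -n "$nt" ] || continue
    printf 'net groupmap add ntgroup="%s" unixgroup=%s type=domain\n' "$nt" "$unix"
  done < "$1"
}

echo "Windows names mapped to more than one UNIX user:"
ambiguous_windows_names "$MAP_FILE"
echo "UNIX users reached from more than one Windows login:"
shared_unix_accounts "$MAP_FILE"
echo "Commands to run on the server (review before executing):"
groupmap_commands "$GROUPS_FILE"
```

Run it against a real map file by replacing MAP_FILE; the generated 'net groupmap' lines are printed rather than executed so they can be reviewed first.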