Rowland penny
2021-Mar-23 17:39 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 17:13, Jonathon A Anderson wrote:
> We cannot stop using our local LDAP at this point. The legacy issue is real--we have a lot of data with the current uidNumbers--but we also have users in our local LDAP that are _not_ in the campus AD, because we have accounts from other institutions as well (stored in different OUs, and tracked via sssd as discrete domains). Those accounts are out-of-scope for this SMB effort, but they do necessitate that we run our own directory server.
>
> This still leaves me confused as to what the point of Samba idmap is, though, if it's not meant to translate a remote identity by resolving it to a local identity.

OK, there are a few idmap backends:

idmap_ldap is an allocating backend: I do not think you could use this with AD.

idmap_nss maps Unix users and groups to Windows accounts: This would require local Unix users & groups (with the same names) in AD and /etc/passwd & /etc/group, so would use the local IDs. Not really required as the 'rid' backend will work similarly without the local users & groups.

idmap_rfc2307 reads id mappings from RFC2307 records in an LDAP server: This will use any uidNumber & gidNumber attributes in AD.

idmap_ad reads all RFC2307 records in an AD server.

idmap_rid calculates id mappings from SIDs in an AD server.

idmap_autorid works in a similar way to idmap_rid, but works with multiple domains.

It might help if you post the smb.conf files you have tried.

Rowland
Jonathon A Anderson
2021-Mar-23 17:50 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
Here's a copy of our [global] section, with three attempted alternative idmap sections. backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different than the AD uidNumber. Neither backend=rfc2307 nor backend=nss appears to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.

[global]
    dns proxy = no
    encrypt passwords = yes
    kerberos method = system keytab
    load printers = no
    map to guest = Bad User
    max log size = 5000
    passdb backend = tdbsam
    password server = *
    realm = AD.[redacted]
    restrict anonymous = 2
    security = ADS
    server string = %h samba
    workgroup = AD
    dos charset = CP850
    unix charset = UTF-8

    # idmap config AD : backend = ad
    # idmap config AD : range = 1000-20000000
    # idmap config AD : schema_mode = rfc2307
    # idmap config AD : unix_nss_info = yes
    # idmap config AD : unix_primary_group = yes

    idmap config AD : backend = rfc2307
    idmap config AD : range = 1000-20000000
    idmap config AD : ldap_server = stand-alone
    idmap config AD : ldap_url = ldap://ldap.[redacted]
    idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
    idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]

    # idmap config AD : backend = nss
    # idmap config AD : range = 1000-20000000

    winbind enum groups = yes
    winbind enum users = yes
    winbind expand groups = 1
    winbind use default domain = yes
    log level = 3
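The mismatch Jonathon describes (backend=ad handing out an AD uidNumber that differs from the local LDAP uidNumber for the same-named account) can be audited before files change owner. The following script is an added example, not code from the thread or from Samba: it assumes passwd-format lines from `getent passwd` (local LDAP via sssd) and from `wbinfo -i USER` (winbind), and the sample lines in it are constructed.

```python
# Added audit helper: compare the uidNumber winbind would hand out for an AD
# user with the uidNumber the local LDAP assigns to the same-named account.
# Input is passwd-format lines (`getent passwd`, `wbinfo -i USER`); all
# sample lines below are constructed, not taken from any real directory.

WORKGROUP = "AD"  # workgroup from the thread's smb.conf; "\" separator assumed

def parse_passwd_lines(lines):
    """Return {name: uid}. Names are lower-cased (Windows names are
    case-insensitive) and an 'AD\\' prefix is dropped, matching the names
    seen with 'winbind use default domain = yes'."""
    users = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # blank or malformed line: skip rather than guess a uid
        name = fields[0]
        if "\\" in name:
            domain, _, name = name.partition("\\")
            if domain.upper() != WORKGROUP:
                continue  # trusted/other domain: out of scope for this check
        users[name.lower()] = int(fields[2])
    return users

def compare_uids(local, ad):
    """Classify AD users by what switching to the AD uidNumber would mean
    for files currently owned by the local LDAP uid."""
    report = {"same": [], "mismatch": [], "ad_only": []}
    for name, ad_uid in sorted(ad.items()):
        if name not in local:
            report["ad_only"].append(name)
        elif local[name] == ad_uid:
            report["same"].append(name)
        else:
            report["mismatch"].append((name, local[name], ad_uid))
    return report

LOCAL_LINES = [  # constructed `getent passwd` output from the local LDAP
    "alice:*:5001:5001:Alice:/home/alice:/bin/bash",
    "bob:*:5002:5002:Bob:/home/bob:/bin/bash",
    "carol:*:5003:5003:Carol:/home/carol:/bin/bash",
]
AD_LINES = [  # constructed `wbinfo -i` output with idmap backend = ad
    "AD\\Alice:*:5001:10000:Alice:/home/AD/alice:/bin/false",
    "AD\\bob:*:7002:10000:Bob:/home/AD/bob:/bin/false",
    "AD\\dave:*:7004:10000:Dave:/home/AD/dave:/bin/false",
    "OTHER\\carol:*:9003:10001:Carol:/home/OTHER/carol:/bin/false",
]
```

Run `compare_uids(parse_passwd_lines(LOCAL_LINES), parse_passwd_lines(AD_LINES))` to get the list of users whose ownership would break; the "mismatch" entries are the ones the rfc2307 or nss backend would need to resolve to the local uid.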