Jonathon A Anderson
2021-Mar-23 17:50 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
Here's a copy of our [global] section, with three attempted alternative idmap sections.

backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different than the AD uidNumber.

Neither backend=rfc2307 nor backend=nss appear to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.

[global]

dns proxy = no
encrypt passwords = yes
kerberos method = system keytab
load printers = no
map to guest = Bad User
max log size = 5000
passdb backend = tdbsam
password server = *
realm = AD.[redacted]
restrict anonymous = 2
security = ADS
server string = %h samba
workgroup = AD
dos charset = CP850
unix charset = UTF-8

# idmap config AD : backend = ad
# idmap config AD : range = 1000-20000000
# idmap config AD : schema_mode = rfc2307
# idmap config AD : unix_nss_info = yes
# idmap config AD : unix_primary_group = yes

idmap config AD : backend = rfc2307
idmap config AD : range = 1000-20000000
idmap config AD : ldap_server = stand-alone
idmap config AD : ldap_url = ldap://ldap.[redacted]
idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]

# idmap config AD : backend = nss
# idmap config AD : range = 1000-20000000

winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 1
winbind use default domain = yes

log level = 3

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Tuesday, March 23, 2021 11:39 AM
To: sambalist
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local LDAP

On 23/03/2021 17:13, Jonathon A Anderson wrote:
> We cannot stop using our local LDAP at this point. The legacy issue is real--we have a lot of data with the current uidNumbers--but we also have users in our local LDAP that are _not_ in the campus AD, because we have accounts from other institutions as well (stored in different OUs, and tracked via sssd as discrete domains). Those accounts are out-of-scope for this SMB effort, but they do necessitate that we run our own directory server.
>
> This still leaves me confused as to what the point of Samba idmap is, though, if it's not meant to translate a remote identity by resolving it to a local identity.

OK, there are a few idmap backends:

idmap_ldap is an allocating backend: I do not think you could use this with AD.

idmap_nss maps Unix users and groups to Windows accounts: This would require local Unix users & groups (with the same names) in AD and /etc/passwd & /etc/group, so would use the local IDs. Not really required as the 'rid' backend will work similarly without the local users & groups.

idmap_rfc2307 reads id mappings from RFC2307 records in an LDAP server: This will use any uidNumber & gidNumber attributes in AD.

idmap_ad reads all RFC2307 records in an AD server.

idmap_rid calculates id mappings from SIDs in an AD server.

idmap_autorid works in a similar way to idmap_rid, but works with multiple domains.

It might help if you post the smb.conf files you have tried.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2021-Mar-23 18:46 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 17:50, Jonathon A Anderson wrote:
> Here's a copy of our [global] section, with three attempted alternative idmap sections.
>
> backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different than the AD uidNumber.

You will only find uidNumber attributes in AD or ldap.

> Neither backend=rfc2307 nor backend=nss appear to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.

OK, the first thing I noticed, you do not appear to have any 'idmap config' lines for the default (*) domain, you must have lines like these:

idmap config * : backend = tdb
idmap config AD : range = RANGE

Where 'RANGE' is a range of numbers that do not overlap the 'AD' domain, so something like 20000001-20001000

> [global]
>
> # idmap config AD : backend = ad
> # idmap config AD : range = 1000-20000000
> # idmap config AD : schema_mode = rfc2307
> # idmap config AD : unix_nss_info = yes
> # idmap config AD : unix_primary_group = yes

The above lines will only work if your users have a uidNumber attribute containing a unique number inside the 1000-20000000, your groups have a gidNumber inside the same range, Domain Users must have a gidNumber and your users must also have a gidNumber attribute containing the gidNumber of the group that will be their unix primary group.

> idmap config AD : backend = rfc2307
> idmap config AD : range = 1000-20000000
> idmap config AD : ldap_server = stand-alone
> idmap config AD : ldap_url = ldap://ldap.[redacted]
> idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
> idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]

To use the rfc2307 backend, you must have uidNumber & gidNumber attributes as per the 'ad' backend, the 'ldap server =' should be 'ad'.

I'm not entirely sure this will work, because AD doesn't use the POSIX objectclasses by default, so if the search expects these, it will fail.

> # idmap config AD : backend = nss
> # idmap config AD : range = 1000-20000000

If you are going to try the 'nss' backend again, try removing 'winbind use default domain = yes'

Rowland
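The reply above turns on three things that are easy to get wrong by hand in an smb.conf: every idmap domain needs both a backend and a range, the default '*' domain must be configured, and its range must not overlap the 'AD' domain's range. The following script is an added example, not code from the thread or from Samba: it parses the 'idmap config' lines of an smb.conf and reports those problems, plus the nss-with-'winbind use default domain' combination the reply suggests avoiding. The two sample configs inside it are constructed for the example (the poster's idmap lines with the suggested '*' lines added, and a deliberately broken variant); the realm and domain names in them are placeholders.

```python
"""Added example (not from the thread or from Samba): sanity-check the idmap
configuration in an smb.conf against the points raised in the replies above."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's idmap lines with the default-domain lines the
# reply suggests added, and 'winbind use default domain' left out. Realm is made up.
SAMPLE_GOOD = """
[global]
    security = ADS
    realm = AD.EXAMPLE.ORG
    workgroup = AD
    idmap config * : backend = tdb
    idmap config * : range = 20000001-20001000
    # idmap config AD : backend = ad
    # idmap config AD : range = 1000-20000000
    idmap config AD : backend = nss
    idmap config AD : range = 1000-20000000
"""

# Constructed broken sample: no '*' domain, a second (made-up) domain whose range
# collides with AD's, and the nss backend combined with 'winbind use default domain'.
SAMPLE_BAD = """
[global]
    workgroup = AD
    winbind use default domain = yes
    idmap config AD : backend = nss
    idmap config AD : range = 1000-20000000
    idmap config OTHER : backend = rid
    idmap config OTHER : range = 15000000-25000000
"""

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.*)$",
    re.IGNORECASE)
OPTION_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")


def parse_smb_conf(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (plain options, idmap options keyed by domain). Lines starting with
    '#' or ';' are comments and skipped, as Samba does; section headers are skipped
    too. Domain names are case-insensitive in Samba, so they are upper-cased."""
    options: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"].strip()
            continue
        m = OPTION_RE.match(line)
        if m:
            options[" ".join(m["key"].lower().split())] = m["val"].strip()
    return options, idmap


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH'; reject reversed, empty or negative ranges."""
    lo, hi = (int(part) for part in text.split("-", 1))
    if lo < 0 or lo >= hi:
        raise ValueError(f"bad range {text!r}")
    return lo, hi


def check_idmap(conf: str, ad_domain: str = "AD") -> List[str]:
    """Return a list of problems found; an empty list means the config passes."""
    options, idmap = parse_smb_conf(conf)
    problems: List[str] = []
    if "*" not in idmap:
        problems.append("no 'idmap config * :' lines: the default domain is unconfigured")
    if ad_domain.upper() not in idmap:
        problems.append(f"no 'idmap config {ad_domain} :' lines")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    # The reply above suggests dropping 'winbind use default domain = yes' when
    # trying the nss backend; flag the combination as a hint, not a hard error.
    backend = idmap.get(ad_domain.upper(), {}).get("backend", "").lower()
    if backend == "nss" and options.get("winbind use default domain", "").lower() in ("yes", "true", "1"):
        problems.append(f"{ad_domain}: backend nss together with 'winbind use default domain = yes'")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_idmap(conf) or ["OK"])
```

Run it against a real smb.conf by passing the file contents to check_idmap(); it only reads the text, so it is safe to run on a production host before testparm and a winbind restart.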
Christian Naumer
2021-Mar-23 20:43 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23.03.21 at 18:50, Jonathon A Anderson via samba wrote:
> # idmap config AD : backend = nss
> # idmap config AD : range = 1000-20000000

The idmap nss should actually do what you want to do. Are your ldap users known to the system? Does "id username" produce an output you would expect from your LDAP server? The idmap_nss backend should map users (from LDAP) with the same name to the user from AD. I had this running a long time ago but I can't find my notes on this.

Regards

Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt Local Court, HRB 24758
Management board: Adriaan Moelker (chairman), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen