Hi,

I'm deploying a fileserver running Samba 3.0.2a in an environment that contains NT and UNIX users. I'd like to have my fileserver set up as follows:

- Users connecting to the fileserver from NT boxes are authenticated against the Win2K ADS Domain Controller.
- Users connecting to the fileserver from other UNIX boxes are authenticated locally using NIS and access the shared volume via NFS.

Each user has an account on the Win2K ADS Domain, and also an account on the NIS server.

I have this setup running now, but there's one problem: when the user accesses a file from a Windows client it's accessed using the UID/GID generated by winbind, but when the user accesses a file from a UNIX client it's accessed using the NIS UID/GID. Effectively they have different ownership.

I'd like this fileserver set up so that files created from either type of client have the same ownership. Basically I need to somehow map my ADS UID/GIDs to my UNIX UID/GIDs. I've looked around in the docs and on the web and can't find an answer (other than warnings that the winbind UIDs should *not* map to existing UNIX UIDs - but this is what I want!).

I know from working with NetApps in the past that there is a way to configure those fileservers so that they attempt to do a username match from NT to/from UNIX, and if the same named user exists, then it will use the same UID/GID. I really want a way to set up a mapping file or something to the effect of this:

    # NT user      UNIX user
    DOMAIN+user1   user1
    DOMAIN+user2   user2

It is *not* important that users have login accounts on the fileserver ... so one idea I had was this:

- Remove NIS from the nsswitch.conf entries on the fileserver.
- Edit my /etc/passwd file on my NIS server so that the UID/GID entries for a user are the same as the ones generated by winbind.

Will this work? Will I run into a problem down the road if I add a new fileserver (if winbind's SID->UID/GID mapping is not the same on that new server)?

Thanks in advance,
Steve
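As an added example (not from Steve's post and not Samba code), the check below takes a mapping file in exactly the format Steve sketches, together with passwd-style listings from the winbind and NIS name sources (both constructed here; on the fileserver they would come from `getent passwd`), and reports which users would create files under different owners. For his plan of rewriting the NIS map to winbind's UIDs it also flags the case where a winbind UID already belongs to a different NIS account, since that edit would hand the other account access to the user's files.

```python
"""
Compare the UID/GID winbind hands out for DOMAIN+user with the UID/GID NIS
holds for the mapped UNIX user. Added example; all inputs are constructed.
"""
from typing import Dict, List, Tuple

# Constructed mapping file in the format proposed in the post.
MAPPING_FILE = """\
# NT user      UNIX user
DOMAIN+user1   user1
DOMAIN+user2   user2
DOMAIN+user3   user3
"""

# Constructed passwd lines as the winbind NSS module would return them.
WINBIND_PASSWD = """\
DOMAIN+user1:x:10000:10000:User One:/home/DOMAIN/user1:/bin/false
DOMAIN+user2:x:10001:10000:User Two:/home/DOMAIN/user2:/bin/false
DOMAIN+user3:x:10002:10000:User Three:/home/DOMAIN/user3:/bin/false
"""

# Constructed passwd lines as served by the NIS passwd map.
NIS_PASSWD = """\
user1:x:10000:10000:User One:/home/user1:/bin/sh
user2:x:502:100:User Two:/home/user2:/bin/sh
user3:x:503:100:User Three:/home/user3:/bin/sh
backup:x:10002:100:Backup Operator:/var/backup:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map login name -> (uid, gid) from passwd-format lines."""
    entries: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the whole report
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def parse_mapping(text: str) -> List[Tuple[str, str]]:
    """Parse 'NTuser UNIXuser' pairs, ignoring comments and blank lines."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nt_user, unix_user = line.split()[:2]
        pairs.append((nt_user, unix_user))
    return pairs


def check_mapping(mapping: List[Tuple[str, str]],
                  winbind: Dict[str, Tuple[int, int]],
                  nis: Dict[str, Tuple[int, int]]) -> Dict[str, Tuple[str, object]]:
    """
    For each NT->UNIX pair return one of:
      ('ok', uid)                : both sources agree on uid and gid
      ('mismatch', (wb, nis))    : files would get different owners (the problem in the post)
      ('collision', other_user)  : winbind's uid is already used by another NIS account, so
                                   rewriting the NIS map to that uid would merge the two identities
      ('missing', None)          : one side has no account for the user
    """
    nis_by_uid: Dict[int, List[str]] = {}
    for name, (uid, _gid) in nis.items():
        nis_by_uid.setdefault(uid, []).append(name)

    report: Dict[str, Tuple[str, object]] = {}
    for nt_user, unix_user in mapping:
        if nt_user not in winbind or unix_user not in nis:
            report[unix_user] = ("missing", None)
            continue
        wb_uid, wb_gid = winbind[nt_user]
        nis_uid, nis_gid = nis[unix_user]
        if (wb_uid, wb_gid) == (nis_uid, nis_gid):
            report[unix_user] = ("ok", wb_uid)
            continue
        others = [n for n in nis_by_uid.get(wb_uid, []) if n != unix_user]
        if others:
            report[unix_user] = ("collision", others[0])
        else:
            report[unix_user] = ("mismatch", (wb_uid, nis_uid))
    return report


if __name__ == "__main__":
    result = check_mapping(parse_mapping(MAPPING_FILE),
                           parse_passwd(WINBIND_PASSWD),
                           parse_passwd(NIS_PASSWD))
    for user, (status, detail) in result.items():
        print(f"{user:8s} {status:10s} {detail}")
```

Run against real data by replacing the three constants with the output of `getent passwd` filtered per source; any `collision` line is the case the docs' warning about not reusing existing UNIX UIDs is really about.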
ww m-pubsyssamba
2004-Apr-06 14:32 UTC
[Samba] NT/ADS and UNIX user convergence using Samba
> I'd like this fileserver set up so that files created from either type of client have the same ownership. Basically I need to somehow map my ADS UID/GIDs to my UNIX UID/GIDs.
> It is *not* important that users have login accounts on the fileserver ... so one idea I had was this:
> - Remove NIS from the nsswitch.conf entries on the fileserver.
> - Edit my /etc/passwd file on my NIS server so that the UID/GID entries for a user are the same as the ones generated by winbind.

Hi Steve,

I think you have two options: use winbind and bin NIS, or vice versa.

If you choose to use winbind, as you identified you have to worry about mappings being different on individual Samba servers; the only way to get around this currently is to use LDAP as your idmap backend. This stores the UID to SID mappings centrally for multiple Samba servers to share.

If you choose to use NIS you will have to mess around with smbpasswd and net groupmap to make users and groups visible as valid accounts for Samba. Also your NTLM passwords will not be sync'd to the domain, but Kerberos auth will work seamlessly. AFAIK.

Hope that helps,
cheers
Andy.

BBCi at http://www.bbc.co.uk/
Aden, Steve
2004-Apr-07 13:03 UTC
[Samba] Re: NT/ADS and UNIX user convergence using Samba
Edvard,

I have also been struggling with Samba and ADS. I too have the SID problem you mention. Is it possible for you to post the hack you did to work around this problem? I have searched and searched and your post seems to be the first that confirms this problem, which I have reproduced in my lab. There have been many posts that are probably related to this problem, but nothing has been resolved.

Thank you,
Steve Aden

-----Original Message-----
From: Edvard Fagerholm [mailto:efagerho@cc.hut.fi]
Sent: Tuesday, April 06, 2004 12:54 PM
To: news.gmane.org
Cc: samba@lists.samba.org
Subject: [Samba] Re: NT/ADS and UNIX user convergence using Samba

On Tue, Apr 06, 2004 at 11:17:44AM -0400, news.gmane.org wrote:
> > Hi Steve,
> >
> > I think you have two options, use winbind and bin NIS or vice versa.
> > If you choose to use winbind as you identified you have to worry about mappings being different on individual
> > Samba servers, the only way to get around this currently is to use LDAP as your idmap backend. This stores
> > the UID to SID mappings centrally for multiple Samba servers to share.
> > If you choose to use NIS you will have to mess around with smbpasswd and net groupmap to make users and
> > groups visible as valid accounts for Samba. Also your NTLM passwords will not be sync'd to the domain but
> > Kerberos auth will work seamlessly. AFAIK
>
> Thanks.
>
> I did a little more poking around and it seems like I'm leaning towards using winbind as my definitive authorization for this server and removing NIS from the fileserver. If I do this, I'll need to get LDAP up and running to control the mapping of SID -> UID so my NT SIDs map to my NIS UIDs for UNIX NFS clients that mount the volume(s). I've seen several descriptions of how to get the Samba side up (basically use the "idmap backend" option in smb.conf), but I'm completely new to LDAP, and I haven't found a simple description of how to set up a minimal LDAP server (probably using OpenLDAP) on my linux box that would just contain the SID->UID mappings.
>
> Does anyone have a simple example configuration for OpenLDAP that they would like to share? You can post, or email me directly at: looper_man@yahoo.com
>
> Thanks in advance,
> Steve

Hi,

What you're trying to accomplish is exactly the same thing that I've done on my network. The solution that I'm using is to use AD4Unix. This modifies the AD LDAP-tree, so that you can add UID and GID entries for every user and group through a new tab that appears in user manager. The only problem is that if you've got a bunch of users, you need to manually allocate their UIDs, and for every new user you add, you need to enable their "UNIX settings". So after installing it, you need to go through each and every user to enable their UNIX settings... However, it's only a few clicks per user...

On the samba server you simply use LDAP for passwd and group entries in nsswitch and use the AD server as the LDAP. Then you need to configure winbind with "winbind trusted domains only = yes". However, this doesn't work out of the box on Samba 3.0.2a, because there seems to be a bug with returning incorrect SIDs, but I made a quick hack to Samba to make it work. I've been using this configuration since Samba 3.0.0, but the earlier versions required a bit more tinkering as there wasn't such a thing as "winbind trusted domains only".

The good side with this configuration is that you don't need to have an idmap backend and every bit of configuration is simply done through the user manager. The bad side is that modifying the AD LDAP-tree prevents you from updating the operating system on the AD server. There's some patch from M$ to make updating work, but you can't find it on their website; the only way to get it is to contact their customer support. I don't know why this is made so hard...

The other good thing is that you can add UNIX workstations to the network and let them authenticate through Kerberos to the AD and share the files on the samba server to them through NFS. This way all user management for both the UNIX and Windows workstations is done on the AD server. This makes it easy to integrate UNIX workstations into the Windows network and you don't have to install Samba on any of the UNIX workstations.

If you need more info you can e-mail me and I'll give you more detailed information on how to make it work.

Regards,
Edvard
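An added example (not Edvard's code and not part of AD4Unix): with UIDs allocated by hand per user, as he describes, two accounts can end up sharing a uidNumber, which on the NFS side lets them read and write each other's files, and a user whose "UNIX settings" were never enabled has no uidNumber at all and will not resolve through nss_ldap. The script audits an LDIF export of AD user entries for both conditions. The LDIF is constructed, and the attribute names uidNumber and gidNumber are an assumption based on the RFC 2307 schema that nss_ldap looks up by default; sAMAccountName is used only to label the users in the report.

```python
"""
Audit an LDIF export of directory user entries for missing and duplicate
UNIX uidNumber/gidNumber attributes. Added example; the LDIF is constructed
and the RFC 2307 attribute names are an assumption about the schema in use.
"""
from typing import Dict, List

SAMPLE_LDIF = """\
dn: CN=User One,CN=Users,DC=example,DC=com
sAMAccountName: user1
uidNumber: 10000
gidNumber: 10000

dn: CN=User Two,CN=Users,DC=example,DC=com
sAMAccountName: user2
uidNumber: 10001
gidNumber: 10000

dn: CN=User Three,CN=Users,DC=example,DC=com
sAMAccountName: user3

dn: CN=Contractor,CN=Users,DC=example,DC=com
sAMAccountName: contractor
uidNumber: 10001
gidNumber: 10000
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """
    Minimal LDIF reader: entries are separated by blank lines, each line is
    'attr: value', and a line starting with a space continues the previous
    value. Base64 ('::') values are not decoded; they are not needed here.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    prev_attr = ""
    for raw in text.splitlines():
        if raw.startswith(" ") and current and prev_attr:
            current[prev_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, prev_attr = {}, ""
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        prev_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_unix_attributes(entries: List[Dict[str, List[str]]]) -> Dict[str, object]:
    """
    Return {'missing': [names without UNIX settings],
            'duplicates': {uid: [names sharing that uid]}}.
    """
    missing: List[str] = []
    by_uid: Dict[int, List[str]] = {}
    for entry in entries:
        name = entry.get("sAMAccountName", ["?"])[0]
        if "uidNumber" not in entry or "gidNumber" not in entry:
            missing.append(name)  # UNIX settings never enabled for this account
            continue
        uid = int(entry["uidNumber"][0])
        by_uid.setdefault(uid, []).append(name)
    duplicates = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit_unix_attributes(parse_ldif(SAMPLE_LDIF))
    print("no UNIX settings:", ", ".join(report["missing"]) or "none")
    for uid, names in report["duplicates"].items():
        print(f"uid {uid} shared by: {', '.join(names)}")
```

Feed it a real export (for example the output of an `ldapsearch` against the AD server for user entries) in place of SAMPLE_LDIF; a duplicate uidNumber is worth treating as an access-control defect rather than a cosmetic one, because NFS clients enforce permissions purely by numeric UID.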