Luke Mewburn
2004-Oct-27 03:45 UTC
[Samba] winbind: using idmap only if user doesn't exist in UNIX getpw*(3) ?
Greetings all.

I have a requirement to use winbind to allocate UID/GIDs for users but
only if they aren't in the non-winbind nsswitch sources.

I.e., given

  smb.conf                ; samba 3.0.7
    realm = DOMAIN
    workgroup = DOMAIN
    log level = 3 idmap:10 winbind:10
    idmap gid = 50000-59999
    idmap uid = 50000-59999

  ADS users:
    DOMAIN\adsuser1       ; only in ADS, not NIS
    DOMAIN\adsuser2       ; only in ADS, not NIS
    DOMAIN\user1
    DOMAIN\user2

  NIS passwd:
    user1:*:10001:20000:&:/home/user1:/bin/sh
    user2:*:10002:20000:&:/home/user2:/bin/sh

I want name<->uid loops to return "10001" for user1 and a winbind
allocated UID for adsuser* (e.g., 50000).

I have had no success so far configuring samba 3.0.7 to do this.

What I've tried so far (stopping smbd/nmbd/winbindd and removing
winbindd_idmap.tdb between tests):

a) nsswitch.conf
        passwd: files nis winbind
        group:  files nis winbind
   smb.conf
        winbind trusted domains only = no

   nsswitch test results:
        % id user1
        uid=10001(user1) gid=20000(group0) groups=20000(group0)
        % id adsuser1
        id: adsuser1: No such user
        % id 'DOMAIN\adsuser1'
        uid=50000(DOMAIN\adsuser1) gid=50005(DOMAIN\Domain Users) groups=50005(DOMAIN\Domain Users)

   Accessing as DOMAIN\adsuser1 connects as uid=50000,gid=50005.
   This is expected; we want winbind to fake a UID/GID.

   Accessing as DOMAIN\user1 connects as uid=50001,gid=50005.
   This is NOT expected.  As far as I can tell, it's because samba
   first tries getpwnam("DOMAIN\user1") which isn't found by NIS but
   winbind(8) fakes up an entry.

b) nsswitch.conf
        passwd: files nis
        group:  files nis
   smb.conf
        winbind trusted domains only = no

   nsswitch test results:
        % id user1
        uid=10001(user1) gid=20000(group0) groups=20000(group0)
        % id adsuser1
        id: adsuser1: No such user
        % id 'DOMAIN\adsuser1'
        id: DOMAIN\adsuser1: No such user

   Accessing as DOMAIN\user1 connects as uid=10001,gid=20000.
   This is expected.

   Accessing as DOMAIN\adsuser1 fails, because there's no corresponding
   name->UID mapping in NIS.  This is expected based on the
   nsswitch.conf configuration, but not what I want.

c) nsswitch.conf
        passwd: files nis winbind
        group:  files nis winbind
   smb.conf
        winbind trusted domains only = yes

   nsswitch test results:
        % id user1
        uid=10001(user1) gid=20000(group0) groups=20000(group0)
        % id adsuser1
        id: adsuser1: No such user
        % id 'DOMAIN\adsuser1'
        id: DOMAIN\adsuser1: No such user

   Accessing as DOMAIN\user1 connects as uid=10001,gid=20000.
   This is expected.

   Accessing as DOMAIN\adsuser1 fails, because there's no corresponding
   name->UID mapping in NIS, and winbind refuses to fake one up:
        winbindd_getpwnam: My domain -- rejecting getpwnam() for DOMAIN\ADSUSER1
   What can I do to get winbind to fake one up?

At this point, I'm lost for a solution based on existing functionality.

I am considering hacking in another option which changes the behaviour
of "winbind trusted domains only" so that winbind will provide a
fallback mapping for users in the trusted domain that aren't found by
getpwnam(3) (i.e., the other UNIX getpw*() nsswitch sources, such as
"files nis").

Is there any way to achieve what I want, or do I need to hack the
functionality into samba?

Thanks,
Luke.
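The three configurations above, and the fallback behaviour the post asks for, can be reasoned about with a small model of the nsswitch lookup chain. The following is an added illustration, not Samba or winbindd code: it walks the passwd sources in nsswitch.conf order, treats the winbind source as either refusing or faking an entry for its own domain, and mimics smbd trying the DOMAIN\user form before the bare user name (the explanation given in the post for case a). The `fallback` flag models the proposed option and is hypothetical, as are the NIS and ADS entries, which are constructed from the post.

```python
"""Model of nsswitch passwd lookups with a winbind source.

Added illustration, not Samba code.  It reproduces the three
nsswitch.conf / smb.conf combinations tried in the post and adds the
"allocate an idmap UID only if no UNIX source knows the user" behaviour
the post asks for.  The `fallback` flag is a hypothetical option.
"""
from typing import Callable, Dict, List, Optional

DOMAIN = "DOMAIN"
IDMAP_UID_RANGE = (50000, 59999)   # idmap uid = 50000-59999 (from the post)

# Constructed maps: "files" is empty, NIS holds the two entries from the post.
FILES_PASSWD: Dict[str, int] = {}
NIS_PASSWD: Dict[str, int] = {"user1": 10001, "user2": 10002}

# Constructed ADS account list; only membership matters for the model.
ADS_USERS = {"adsuser1", "adsuser2", "user1", "user2"}

UnixLookup = Callable[[str], Optional[int]]


class Winbind:
    """Stand-in for winbindd's getpwnam handling of its own domain."""

    def __init__(self, trusted_domains_only: bool, fallback: bool = False):
        self.trusted_domains_only = trusted_domains_only
        self.fallback = fallback          # hypothetical option from the post
        self.idmap: Dict[str, int] = {}   # stand-in for winbindd_idmap.tdb
        self.next_uid = IDMAP_UID_RANGE[0]

    def allocate(self, name: str) -> int:
        """Hand out the next UID from the idmap range, stable per name."""
        if name not in self.idmap:
            if self.next_uid > IDMAP_UID_RANGE[1]:
                raise RuntimeError("idmap uid range exhausted")
            self.idmap[name] = self.next_uid
            self.next_uid += 1
        return self.idmap[name]

    def getpwnam(self, name: str, unix_lookup: UnixLookup) -> Optional[int]:
        # Without "winbind use default domain", bare names are not winbind's.
        if "\\" not in name:
            return None
        domain, user = name.split("\\", 1)
        if domain.upper() != DOMAIN or user not in ADS_USERS:
            return None
        if self.trusted_domains_only and not self.fallback:
            # "winbindd_getpwnam: My domain -- rejecting getpwnam()"
            return None
        if self.fallback:
            # Proposed behaviour: ask the non-winbind sources for the bare
            # user first and only fake an entry when they know nothing.
            uid = unix_lookup(user)
            if uid is not None:
                return uid
        return self.allocate(name)


def getpwnam(name: str, sources: List[str], wb: Winbind) -> Optional[int]:
    """Walk the passwd sources in nsswitch.conf order, like getpwnam(3)."""
    for src in sources:
        if src == "files" and name in FILES_PASSWD:
            return FILES_PASSWD[name]
        if src == "nis" and name in NIS_PASSWD:
            return NIS_PASSWD[name]
        if src == "winbind":
            unix_only = [s for s in sources if s != "winbind"]
            uid = wb.getpwnam(name, lambda n: getpwnam(n, unix_only, wb))
            if uid is not None:
                return uid
    return None


def smbd_uid(qualified: str, sources: List[str], wb: Winbind) -> Optional[int]:
    """smbd tries the DOMAIN\\user form first, then the bare user name."""
    uid = getpwnam(qualified, sources, wb)
    if uid is None and "\\" in qualified:
        uid = getpwnam(qualified.split("\\", 1)[1], sources, wb)
    return uid


if __name__ == "__main__":
    cases = [
        ("a", ["files", "nis", "winbind"], False, False),
        ("b", ["files", "nis"], False, False),
        ("c", ["files", "nis", "winbind"], True, False),
        ("proposed", ["files", "nis", "winbind"], True, True),
    ]
    for label, sources, tdo, fb in cases:
        wb = Winbind(tdo, fb)
        print(label,
              "DOMAIN\\adsuser1 ->", smbd_uid("DOMAIN\\adsuser1", sources, wb),
              "DOMAIN\\user1 ->", smbd_uid("DOMAIN\\user1", sources, wb))
```

Run stand-alone it prints, per configuration, the UID smbd would end up with for DOMAIN\adsuser1 and DOMAIN\user1: case a hands user1 the faked 50001, cases b and c give user1 its NIS UID but lose adsuser1, and only the hypothetical fallback mode yields 10001 for user1 and 50000 for adsuser1 at the same time. The model deliberately stops at UIDs; group mapping and the reverse uid->name path would need the same fallback check to stay consistent.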
Luke Mewburn
2004-Oct-28 04:43 UTC
[Samba] winbind: using idmap only if user doesn't exist in UNIX getpw*(3) ?
On Wed, Oct 27, 2004 at 01:23:43PM -0500, Gerald (Jerry) Carter wrote:
  | On Wed, 27 Oct 2004, Luke Mewburn wrote:
  | >
  | > I have a requirement to use winbind to allocate UID/GIDs for
  | > users but only if they aren't in the non-winbind nsswitch sources.
  | >
  | > I have had no success so far configuring samba 3.0.7 to do this.
  |
  | Because winbindd is not designed to do this.  It's currently an all or
  | none thing.

Ok.  I'm working on a solution for this in my private tree.
I'll feed back the changes if the samba team is interested.