Erik Forsberg
2006-May-17 13:41 UTC
[Samba] Multiple Clients, Winbind and idmap in LDAP, documentation incorrect?
Hi!
I have a setup with several Linux machines running
samba-3.0.22-10.1.17 (from SuSE 10 OSS), authenticating against an
AD. Since one of the machines is exporting an NFS share mounted by
the rest of the machines, I need SID <-> uid/gid mapping to be shared
between all Linux machines, which led me into using an OpenLDAP server
as idmap backend. My smb.conf is found at the end of this mail.
I got this working, but several questions were raised during
implementation:
*) The documentation, more specifically chapter 13 in the official
howto, doesn't seem to cover this kind of setup. Both "IDMAP Storage
in LDAP Using Winbind" and "IDMAP and NSS Using LDAP from ADS with
RFC2307bis Schema Extension" talks about using nss_ldap to fetch
account information.
This doesn't work very well in my kind of setup, for several
reasons. First, the LDAP database isn't populated with all users
automatically, but only "on demand". You have to ask for a user via
NSS in order to populate the idmap with that user's SID <-> uid/gid
mapping. Also, since there is no posixAccount/posixGroup information
added, nss_ldap won't find any users.
Either the documentation is not written for my kind of setup, or it's
just plain wrong. I'm a little bit confused on what kind of setup the
documentation in question is written for.
*) Even though I use ldap as idmap backend, it seems like
/var/lib/samba/winbind_idmap.tdb is still used. Running 'net idmap
dump /var/lib/samba/winbindd_idmap.tdb' reveals that entries that I've
asked for with 'getent passwd <username>' or 'getent group
<groupname>' are stored in the .tdb. Is this intended behaviour, and
if so, why?
If I for some reason decide I want to wipe out my entire idmap
mapping, do I have to remove not only the data in LDAP, but also the
winbindd_idmap.tdb on each server?
*) Mapping of numerical user id to username and numerical group id to
groupname seems to work only for users/groups that have been asked
for using the username as key in NSS on the same server. This is
confusing in my setup, since one of the machines is exporting an NFS
share with home directories to the other machines.
For example, if a user has been logged in to machine1 but not to
machine2, doing an 'ls /home' on machine2 will not list the username
owning the home directory of the user, but instead the numerical id
of the user.
In this case, I would expect winbind to try to search the LDAP
backend for the uidNumber, find the SID added when the user logged in
to machine1, and then lookup the username in the AD. Perhaps there's
a good reason this doesn't happen?
-- begin smb.conf --
[global]
idmap uid = 10000-50000
idmap gid = 10000-50000
template shell = /bin/bash
winbind separator = +
winbind use default domain = true
winbind enum groups = yes
winbind enum users = yes
workgroup = UTB
security = ads
realm = utb.example.com
password server = *
wins server = 192.168.5.12 192.168.5.3
# client use spnego = yes
encrypt passwords = yes
# client schannel = no
# disable netbios = yes
idmap backend = ldap:ldap://tl1.utb.example.com
ldap admin dn = cn=manager,ou=idmap
ldap suffix = ou=idmap
-- end smb.conf --
Thanks,
\EF
--
Erik Forsberg OpenSource-based Thin Client Technology
Systems Analyst/Developer Phone: +46-13-21 46 00
Cendio AB Web: http://www.cendio.com
Jeremy Allison
2006-May-19 00:21 UTC
[Samba] Multiple Clients, Winbind and idmap in LDAP, documentation incorrect?
On Wed, May 17, 2006 at 03:15:33PM +0200, Erik Forsberg wrote:> *) Even though I use ldap as idmap backend, it seems like > /var/lib/samba/winbind_idmap.tdb is still used. Running 'net idmap > dump /var/lib/samba/winbindd_idmap.tdb' reveals that entries that I've > asked for with 'getent passwd <username>' or 'getent group > <groupname>' are stored in the .tdb. Is this intended behaviour, and > if so, why?Caching. Jeremy.