Erik Forsberg
2006-May-17 13:41 UTC
[Samba] Multiple Clients, Winbind and idmap in LDAP, documentation incorrect?
Hi!

I have a setup with several Linux machines running samba-3.0.22-10.1.17 (from SuSE 10 OSS), authenticating against an AD. Since one of the machines is exporting an NFS share mounted by the rest of the machines, I need SID <-> uid/gid mapping to be shared between all Linux machines, which led me into using an OpenLDAP server as idmap backend. My smb.conf is found at the end of this mail.

I got this working, but several questions were raised during implementation:

*) The documentation, more specifically chapter 13 in the official howto, doesn't seem to cover this kind of setup. Both "IDMAP Storage in LDAP Using Winbind" and "IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension" talk about using nss_ldap to fetch account information. This doesn't work very well in my kind of setup, for several reasons. First, the LDAP database isn't populated with all users automatically, but only "on demand". You have to ask for a user via NSS in order to populate the idmap with that user's SID <-> uid/gid mapping. Also, since there is no posixAccount/posixGroup information added, nss_ldap won't find any users. Either the documentation is not written for my kind of setup, or it's just plain wrong. I'm a little bit confused on what kind of setup the documentation in question is written for.

*) Even though I use ldap as idmap backend, it seems like /var/lib/samba/winbindd_idmap.tdb is still used. Running 'net idmap dump /var/lib/samba/winbindd_idmap.tdb' reveals that entries that I've asked for with 'getent passwd <username>' or 'getent group <groupname>' are stored in the .tdb. Is this intended behaviour, and if so, why? If I for some reason decide I want to wipe out my entire idmap mapping, do I have to remove not only the data in LDAP, but also the winbindd_idmap.tdb on each server?

*) Mapping of numerical user id to username and numerical group id to groupname seems to work only for users/groups that have been asked for using the username as key in NSS on the same server. This is confusing in my setup, since one of the machines is exporting an NFS share with home directories to the other machines. For example, if a user has been logged in to machine1 but not to machine2, doing an 'ls /home' on machine2 will not list the username owning the home directory of the user, but instead the numerical id of the user. In this case, I would expect winbind to try to search the LDAP backend for the uidNumber, find the SID added when the user logged in to machine1, and then look up the username in the AD. Perhaps there's a good reason this doesn't happen?

-- begin smb.conf --
[global]
        idmap uid = 10000-50000
        idmap gid = 10000-50000
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = true
        winbind enum groups = yes
        winbind enum users = yes
        workgroup = UTB
        security = ads
        realm = utb.example.com
        password server = *
        wins server = 192.168.5.12 192.168.5.3
        # client use spnego = yes
        encrypt passwords = yes
        # client schannel = no
        # disable netbios = yes
        idmap backend = ldap:ldap://tl1.utb.example.com
        ldap admin dn = cn=manager,ou=idmap
        ldap suffix = ou=idmap
-- end smb.conf --

Thanks,
\EF

-- 
Erik Forsberg                 OpenSource-based Thin Client Technology
Systems Analyst/Developer     Phone: +46-13-21 46 00
Cendio AB                     Web: http://www.cendio.com
Jeremy Allison
2006-May-19 00:21 UTC
[Samba] Multiple Clients, Winbind and idmap in LDAP, documentation incorrect?
On Wed, May 17, 2006 at 03:15:33PM +0200, Erik Forsberg wrote:

> *) Even though I use ldap as idmap backend, it seems like
> /var/lib/samba/winbindd_idmap.tdb is still used. Running 'net idmap
> dump /var/lib/samba/winbindd_idmap.tdb' reveals that entries that I've
> asked for with 'getent passwd <username>' or 'getent group
> <groupname>' are stored in the .tdb. Is this intended behaviour, and
> if so, why?

Caching.

Jeremy.
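An added consistency check for the cache-versus-LDAP question raised above, not code from Erik, Jeremy or the Samba project: it parses a constructed 'net idmap dump' listing and a constructed LDIF export of the ou=idmap tree and reports ids cached only in the local tdb, ids only in LDAP, and ids whose SID differs between the two. It assumes the dump uses the 'UID <n> <SID>' / 'GID <n> <SID>' lines that 'net idmap restore' reads, and that the LDAP entries carry sambaSID together with uidNumber or gidNumber.

```python
import re

# Constructed sample of 'net idmap dump' output for a winbindd_idmap.tdb (not from the thread).
TDB_DUMP = """\
USER HWM 10002
UID 10000 S-1-5-21-1111-2222-3333-1105
UID 10001 S-1-5-21-1111-2222-3333-1106
GID 10000 S-1-5-21-1111-2222-3333-513
"""

# Constructed LDIF export of the ou=idmap tree (sambaIdmapEntry objects; not from the thread).
LDIF_EXPORT = """\
dn: sambaSID=S-1-5-21-1111-2222-3333-1105,ou=idmap
sambaSID: S-1-5-21-1111-2222-3333-1105
uidNumber: 10000

dn: sambaSID=S-1-5-21-1111-2222-3333-1108,ou=idmap
sambaSID: S-1-5-21-1111-2222-3333-1108
uidNumber: 10001

dn: sambaSID=S-1-5-21-1111-2222-3333-1107,ou=idmap
sambaSID: S-1-5-21-1111-2222-3333-1107
uidNumber: 10002
"""

def parse_idmap_dump(text):
    """{('UID'|'GID', number): sid} from 'net idmap dump' lines; HWM lines are skipped."""
    pairs = re.findall(r"^(UID|GID) (\d+) (S-1-5-\S+)$", text, re.M)
    return {(kind, int(num)): sid for kind, num, sid in pairs}

def parse_idmap_ldif(text):
    """Same shape, read from an LDIF export of sambaIdmapEntry objects."""
    mapping = {}
    for entry in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        for kind, attr in (("UID", "uidNumber"), ("GID", "gidNumber")):
            if attr in attrs:
                mapping[(kind, int(attrs[attr]))] = attrs["sambaSID"]
    return mapping

def compare_idmaps(tdb, ldap):
    """Ids only in the tdb cache, ids only in LDAP, and ids whose SID differs (the dangerous case)."""
    return {
        "cache_only": sorted(k for k in tdb if k not in ldap),
        "ldap_only": sorted(k for k in ldap if k not in tdb),
        "conflict": sorted(k for k in tdb if k in ldap and tdb[k] != ldap[k]),
    }

if __name__ == "__main__":
    print(compare_idmaps(parse_idmap_dump(TDB_DUMP), parse_idmap_ldif(LDIF_EXPORT)))
```

A non-empty conflict list is what a stale per-server cache looks like once the LDAP mappings have been rebuilt: two machines would then hand the same numeric id to different SIDs on the shared NFS export, so the cached tdb on every client has to be cleared along with the LDAP data.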