Nigel.Pain@scotland.gsi.gov.uk
2008-Jan-23 10:14 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
I posted this last week but haven't heard anything. I'm not sure if this is because nobody knows the answer (can't believe that!) or I'm missing something obvious in the documentation and people are thinking "Read The Fine Manual". Whatever the reason, if anyone has any insights into this problem I'd be very grateful for their comments.

We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on Solaris 9 as a member server, using "security = DOMAIN" in an Active Directory 2003 domain. The server is primarily an application server, running SAS software, but we have a share to Windows to enable users to save programs and data from their Windows XP workstations. Historically we've been using PC Netlink, Sun's version of Lanman, but this isn't compatible with AD 2003 so we need to move to Samba.

We're struggling to establish a mapping between domain user accounts and UNIX user accounts that are similarly named (the same naming convention is used for both). My understanding of Samba, albeit sketchy, was that it could automatically make a mapping between local and domain accounts of the same name. However, this doesn't appear to be happening. If I set a file's permissions for a specified user in Solaris it appears in the file's security within Windows, but the user is listed as a Unix User along the lines of:

u123456 (Unix User\u123456)

I was expecting that there should be an implicit mapping between u123456 in Solaris and domain\u123456 but maybe I've got the wrong end of the stick. We need to maintain the local users so that we can control who has access to the server software, and we maintain password aging both on the server and the domain, so maintaining a separate password database for Samba would be a complication. An extract from nsswitch.conf and the (edited) smb.conf are included below.

As you will see from nsswitch.conf, we are using winbind. wbinfo will resolve any domain information and getent passwd will return domain user accounts.

Many thanks in advance.

nsswitch.conf:

passwd: files winbind
group: files winbind

hosts: files dns winbind

smb.conf:

[global]
workgroup = our-domain-name
netbios aliases = mc18unxa
# dual nics: the netmask is correct for our network
interfaces = xx.xx.xxx.xx/255.255.240.0, yy.yy.yyy.yy/255.255.240.0
security = DOMAIN
null passwords = Yes
password server = *
passdb backend = tdbsam
lanman auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 1
log file = /var/samba/log/log.%m
max log size = 50000
load printers = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create mask = 0644
directory mask = 0775
hosts deny = none
case sensitive = No
preserve case = No
domain master = no
local master = no
preferred master = no
os level = 0

[dosptn]
path = /dosptn
read only = No
inherit permissions = Yes
guest ok = Yes

----------------------------------------
Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay
EDINBURGH
EH6 6QQ
UK

********************************************************

This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s). Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted. If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return.

Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes. The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.
******************************************************** The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free. Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
Nigel.Pain@scotland.gsi.gov.uk
2008-Jan-23 12:44 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
Further information:

Someone suggested that the problem might be because of the AD user names being uppercase, which could be resolved with a usermap file. There are some AD user IDs that are uppercase (whereas all the UNIX ones are lowercase). However, I thought that the automatic mapping took care of that? Also, I wanted to avoid having an explicit usermap file as that's one extra thing to manage. Maybe I'm expecting too much of Samba?

I tried configuring for a usermap file and adding an account mapping into it. However, the security properties on the Windows side still display the account in the form:

u123456 (Unix User\u123456)

Regards,
Nigel
Perhaps it is not a good idea to use the same names for a Unix user and the AD user.

If for example you have unix-user xyz with uid=7738

and an AD-user xyz, so the AD-user xyz gets via winbind perhaps uid=199300

What answer should

id xyz

give?

Bardo

Nigel.Pain@scotland.gsi.gov.uk wrote:
> My understanding of Samba, albeit sketchy, was that
> it could automatically make a mapping between local and domain accounts
> of the same name. However, this doesn't appear to be happening. If I set
> a file's permissions for a specified user in Solaris it appears in the
> file's security within Windows, but the user is listed as a Unix User
> along the lines of:
>
> u123456 (Unix User\u123456)
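An added example, written for this thread rather than taken from any of the posts, covering both Bardo's point (one name, two UIDs: a local account and a winbind-supplied one) and the usermap file Nigel mentions in his earlier post. It runs two awk checks over a constructed stand-in for `getent passwd` output: the first reports every account name that resolves to more than one UID, the second generates "username map" entries for AD names that differ from a local UNIX name only by letter case. The account lines are constructed sample data, OURDOM is a placeholder domain name, and the 10000 lower bound comes from the `idmap uid = 10000-100000000` setting in Nigel's smb.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: an audit of the "same name,
# two UIDs" situation Bardo describes, plus generation of the
# "username map" entries Nigel mentions for AD names that differ from
# the UNIX name only by case.  All account lines are constructed sample
# data; OURDOM is a placeholder domain name.

# Constructed stand-in for `getent passwd` on a host whose nsswitch.conf
# says "passwd: files winbind".  With "winbind use default domain = Yes"
# (as in the thread's smb.conf) the DOMAIN\ prefix is not shown, so a
# local u123456 and the domain's u123456 look identical by name.
SAMPLE_PASSWD='u123456:x:7738:100:Local SAS user:/home/u123456:/bin/sh
u234567:x:7739:100:Local SAS user:/home/u234567:/bin/sh
sasadm:x:7740:100:SAS admin:/home/sasadm:/bin/sh
u123456:x:199300:10001:Domain user:/home/DOMAIN/u123456:/bin/false
U234567:x:199301:10001:Domain user:/home/DOMAIN/U234567:/bin/false
jsmith:x:199302:10001:Domain user:/home/DOMAIN/jsmith:/bin/false'

# Lowest UID winbind may allocate; taken from "idmap uid = 10000-100000000"
# in the thread's smb.conf.  Entries at or above it are treated as
# winbind-supplied, entries below it as local (files) accounts.
IDMAP_UID_LOW=10000

# Print "name local_uid winbind_uid" for every name (compared
# case-insensitively) that resolves to more than one UID.  For such a
# name `id name` and Samba's uid-to-name lookups depend on which source
# answers first, which is the ambiguity raised in the thread.
find_uid_collisions() {
    printf '%s\n' "$SAMPLE_PASSWD" |
    awk -F: '{
        key = tolower($1)
        if (key in uid) {
            if (uid[key] != $3) print key, uid[key], $3
        } else {
            uid[key] = $3
        }
    }'
}

# Emit "username map" lines (smb.conf: username map = /path/to/smbusers)
# for winbind names that match a local account except for letter case,
# e.g. "u234567 = OURDOM\U234567".  Names that already match exactly
# (u123456 here) get no entry: a map cannot merge two distinct UIDs.
make_username_map() {
    domain="$1"
    printf '%s\n' "$SAMPLE_PASSWD" |
    awk -F: -v low="$IDMAP_UID_LOW" -v dom="$domain" '
        $3 <  low { local_name[tolower($1)] = $1 }
        $3 >= low { ad_name[tolower($1)] = $1 }
        END {
            for (k in ad_name)
                if (k in local_name && local_name[k] != ad_name[k])
                    printf "%s = %s\\%s\n", local_name[k], dom, ad_name[k]
        }' | sort
}

# Stand-alone run: report collisions, then the generated map entries.
printf '%s\n' "== names resolving to more than one UID =="
find_uid_collisions
printf '%s\n' "== username map entries (local = DOMAIN\\ADname) =="
make_username_map OURDOM
```

On the sample data the first check flags u123456 and u234567, and the map generator produces a single line for U234567 only: u123456 already matches exactly on both sides, so a username map does nothing for it, which is consistent with Nigel's report that adding a map entry did not change what the Windows security dialog shows. To run it against a real host, replace the SAMPLE_PASSWD variable with the output of `getent passwd`.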
Nigel.Pain@scotland.gsi.gov.uk
2008-Jan-23 14:13 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
This is where I don't really understand how Samba works! My understanding was that there would be an implicit mapping between domain accounts and local accounts of the same name. Therefore, if permissions were set for the local user within UNIX, those would propagate to the equivalent domain user.

I can see where there could be confusion with UIDs using Winbind. Am I better not using it?

Regards,
Nigel

> -----Original Message-----
> From: Bardo Wolf [mailto:b.wolf@uib.de]
> Sent: 23 January 2008 13:14
> To: Pain NDA (Nigel)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Retry: Mapping AD domain users to UNIX users
>
> perhaps it is not a good idea to use the same names for a
> Unix User and the AD User.
Nigel.Pain@scotland.gsi.gov.uk
2008-Jan-23 16:04 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
That looks hopeful. However, we are using 3.0.23b (binaries downloaded from samba.org, not SunFreeware as I previously said). I hesitate to try compiling a more recent version as I've not managed to compile successfully so far!

Regards,
Nigel

----------------------------------------
Nigel Pain
Corporate Systems Support
ISIS 1-C (South)
Victoria Quay
Ext. 47237
Mob. 07795 618362
Email: Pain NDA (Nigel)
Go to http://sascluster/sdmu_wiki/FrontPage for more information
Please shut down and switch off your PC when you go to lunch or a meeting

> -----Original Message-----
> From: Hansjörg Maurer [mailto:Hansjoerg.Maurer@dlr.de]
> Sent: 23 January 2008 13:20
> To: Pain NDA (Nigel)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Retry: Mapping AD domain users to UNIX users
>
> Hi
>
> with recent (< =3.0.26 I think) samba versions it is possible to use
>
> http://us3.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html
>
> idmap domains = DOMNAME
> idmap config DOMNAME:backend = nss
> idmap config DOMNAME:readonly = yes
>
> in our case.
>
> We are running 3.0.28 in security = ADS,
> and Linux gets the same usernames from NIS via nss.
>
> They are correctly mapped, and the windows security dialog
> shows DOMNAME\username
>
> Regards
>
> Hansjörg
On Wed, 23 Jan 2008, Nigel.Pain@scotland.gsi.gov.uk wrote:
> As you will see from nsswitch.conf, we are using winbind. wbinfo will
> resolve any domain information and getent passwd will return domain user
> accounts.

If your Solaris system already has unix system accounts with the same usernames as the Windows accounts, then you do not need to run winbind. That's how we run our Solaris and Linux systems here.

Unix users are populated from ldap using the nss_ldap module, and Samba is a member of the domain (security=domain).

Andy
Michael St. Laurent
2008-Jan-24 18:34 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
Bless you Hans! I've been trying to figure this out for a while now. I did not know that idmap_nss existed!

> -----Original Message-----
> From: samba-bounces+mikes=hartwellcorp.com@lists.samba.org
> [mailto:samba-bounces+mikes=hartwellcorp.com@lists.samba.org]
> On Behalf Of Hansjörg Maurer
> Sent: Wednesday, January 23, 2008 5:20 AM
> To: Nigel.Pain@scotland.gsi.gov.uk
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Retry: Mapping AD domain users to UNIX users
>
> Hi
>
> with recent (< =3.0.26 I think) samba versions it is possible to use
>
> http://us3.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html
>
> idmap domains = DOMNAME
> idmap config DOMNAME:backend = nss
> idmap config DOMNAME:readonly = yes
>
> in our case.
>
> Regards
>
> Hansjörg
>
> --
> _________________________________________________________________
>
> Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
> in der Helmholtz-Gemeinschaft
>
> Institut fuer Robotik und Mechatronik
>
> Dr. Hansjörg Maurer
>
> LAN and systems manager
>
> Münchner Strasse 20
> 82234 Wessling
> Germany
>
> Phone: 08153/28-2431
> Fax: 08153/28-1134
>
> E-Mail: Hansjoerg.Maurer@dlr.de
> Internet: http://www.robotic.dlr.de/
>
> __________________________________________________________________
>
> There are 10 types of people in this world,
> those who understand binary and those who don't.
Nigel.Pain@scotland.gsi.gov.uk
2008-Jan-28 10:26 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
Many thanks (somewhat belated) to all those who made suggestions about this matter. However, I'm still no further forward, having tried:

- Using a usermap file to translate between upper and lower case account names.
- (Finally) managing to compile 3.0.28 and using idmap_nss.
- Not using Winbind.

In all cases, user accounts appear in file properties on Windows machines as:

u123456 (Unix User\u123456)

I'm sure I must be missing something somewhere.
Michael St. Laurent
2008-Jan-28 17:37 UTC
[Samba] Retry: Mapping AD domain users to UNIX users
I expect to be giving idmap_nss a try in the next week or so. I'll let you know how it works out.

________________________________
From: brandon hall [mailto:brandonhall0@gmail.com]
Sent: Sunday, January 27, 2008 6:30 PM
To: Michael St. Laurent
Cc: Hansjörg Maurer; samba@lists.samba.org
Subject: Re: [Samba] Retry: Mapping AD domain users to UNIX users

About two months ago I actually tried setting up an environment in vmware with samba plus using active directory RFC 2307 schema extensions to get username information mapped properly between multiple nfs and samba servers. I failed because I think documentation at that time using idmap_nss was lacking. I found lots of winbind howtos and documentation, but very little regarding what I wanted to do. I would definitely use the latest samba (3.0.25+), even though installing it on solaris is a nightmare, you'll be better off in the long run.

Has anyone successfully done this? I got everything working including kerberos and joining the domains, except for a proper smb.conf file.