Trever L. Adams
2008-Jun-11 07:34 UTC
[Samba] Samba4, multi-domain Forest and Unix ID mapping
Good day,

I wasn't sure whether this should go to the user list or the samba-technical list. I chose here based on the descriptions of the list.

Forgive me if my understanding of the naming is inaccurate. It is my understanding that Samba3 (and I believe 4, as well) has a very powerful SID<->UID mapping mechanism which will auto create the UID in a range. This is what I mean by Unix ID mapping.

I have read that this as of yet won't work in a forest, even if the organization is only one organization. I am hoping this isn't true.

I am beginning to look at Samba4 for future implementations within organizations I do work for. However, it appears I will need multiple-domain-in-one-forest functionality. Is this implemented or at least planned?

If it is implemented/planned, is it possible to do the automatic Unix ID mapping per above? If it is all one domain, is it possible to do this if all the domain controllers/active directory machines are Samba 4?

Basically, can each domain have its own UID mapping setup and they will work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The exact mechanism my questions may bring to mind may be bad.

Here is the situation, explained in the context of an extended family network:

Each family has its own domain (Windows and DNS), policies, etc. Each has its own file servers, mail domains (DNS), etc. Each may share files and printers with other families. This needs to work in Windows and Linux.

However, here is the killer: root access to Linux machines is not shared across domains. Nor should Windows system/net/domain admin abilities be. However, guests from other families (within the extended family) need to be able to view the shared files as well as log in (without administrative privileges) on computers in the other domains (think visiting family).

To do this, auto SID<->UID maps are a must. Domains within the forest will start at 6 at least and grow from there. (This example isn't far from the kinds of things businesses and families ask me to do.)

Is all of this possible, planned, or just out there?

Thank you,
Trever Adams

P.S. Please reply directly as well as to the list, as I am not on the list and only keep up from time to time.
When you say "forest" are you referring to a user authentication database implementing multiple linked lists that do not share a common root? 'Cause I don't know of any reason you'd have trouble running samba in the woods. It's heavily wooded around my house and the timber never causes any problems. The local Ents are all OK with samba.

Samba 3 & 4 do indeed incorporate "idmapping" which works pretty much as you describe. The command syntax has grown a lot recently and has not yet been fully documented, but I'd say it's quite powerful.

If you can get your interdomain trusts set up right I think you can do what you want, but it's probably going to be dependent on how well you can control access to your directory backend. You haven't specified what directory backend you are running... Microsoft AD? Novell eDirectory? OpenLDAP? Sun? IBM? Fedora DS? There are lots...

--Charlie

On Wed, Jun 11, 2008 at 3:33 AM, Trever L. Adams <trever.adams@gmail.com> wrote:
> Good day,
>
> I wasn't sure whether this should go to the user list or the samba-technical list. I chose here based on the descriptions of the list.
>
> Forgive me if my understanding of the naming is inaccurate. It is my understanding that Samba3 (and I believe 4, as well) has a very powerful SID<->UID mapping mechanism which will auto create the UID in a range. This is what I mean by Unix ID mapping.
>
> I have read that this as of yet won't work in a forest, even if the organization is only one organization. I am hoping this isn't true.
>
> I am beginning to look at Samba4 for future implementations within organizations I do work for. However, it appears I will need multiple-domain-in-one-forest functionality. Is this implemented or at least planned?
>
> If it is implemented/planned, is it possible to do the automatic Unix ID mapping per above? If it is all one domain, is it possible to do this if all the domain controllers/active directory machines are Samba 4?
>
> Basically, can each domain have its own UID mapping setup and they will work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The exact mechanism my questions may bring to mind may be bad.
>
> Here is the situation, explained in the context of an extended family network:
>
> Each family has its own domain (Windows and DNS), policies, etc. Each has its own file servers, mail domains (DNS), etc. Each may share files and printers with other families. This needs to work in Windows and Linux.
>
> However, here is the killer: root access to Linux machines is not shared across domains. Nor should Windows system/net/domain admin abilities be. However, guests from other families (within the extended family) need to be able to view the shared files as well as log in (without administrative privileges) on computers in the other domains (think visiting family).
>
> To do this, auto SID<->UID maps are a must. Domains within the forest will start at 6 at least and grow from there. (This example isn't far from the kinds of things businesses and families ask me to do.)
>
> Is all of this possible, planned, or just out there?
>
> Thank you,
> Trever Adams
>
> P.S. Please reply directly as well as to the list, as I am not on the list and only keep up from time to time.
Andrew Bartlett
2008-Jun-26 12:01 UTC
[Samba] Samba4, multi-domain Forest and Unix ID mapping
On Wed, 2008-06-11 at 01:33 -0600, Trever L. Adams wrote:
> Good day,
>
> I wasn't sure whether this should go to the user list or the samba-technical list. I chose here based on the descriptions of the list.
>
> Forgive me if my understanding of the naming is inaccurate. It is my understanding that Samba3 (and I believe 4, as well) has a very powerful SID<->UID mapping mechanism which will auto create the UID in a range. This is what I mean by Unix ID mapping.
>
> I have read that this as of yet won't work in a forest, even if the organization is only one organization. I am hoping this isn't true.

We can map any arbitrary SID to a unix ID, in principle.

> I am beginning to look at Samba4 for future implementations within organizations I do work for. However, it appears I will need multiple-domain-in-one-forest functionality. Is this implemented or at least planned?

Samba4 is currently just a single domain, mostly because we have not looked at what it would take to extend it.

> If it is implemented/planned, is it possible to do the automatic Unix ID mapping per above? If it is all one domain, is it possible to do this if all the domain controllers/active directory machines are Samba 4?
>
> Basically, can each domain have its own UID mapping setup and they will work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The exact mechanism my questions may bring to mind may be bad.

You could easily use a model like idmap_rid to automatically handle the mappings, assuming certain limits in the ranges of SIDs expected to be valid.

> Here is the situation, explained in the context of an extended family network:
>
> Each family has its own domain (Windows and DNS), policies, etc. Each has its own file servers, mail domains (DNS), etc. Each may share files and printers with other families. This needs to work in Windows and Linux.
>
> However, here is the killer: root access to Linux machines is not shared across domains. Nor should Windows system/net/domain admin abilities be. However, guests from other families (within the extended family) need to be able to view the shared files as well as log in (without administrative privileges) on computers in the other domains (think visiting family).
>
> To do this, auto SID<->UID maps are a must. Domains within the forest will start at 6 at least and grow from there. (This example isn't far from the kinds of things businesses and families ask me to do.)
>
> Is all of this possible, planned, or just out there?

We would need more help to understand your requirements, and figure out the best way to implement them, and what assistance you will be able to provide to get there. It is best to discuss this on the samba-technical list.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
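Andrew's pointer to an idmap_rid-style model, together with Trever's condition that per-domain mappings only work if the ranges never overlap, can be made concrete. The following is an added example written for this page; it is not code from the thread or from Samba itself. It models the algorithmic scheme that idmap_rid uses (Unix ID = the domain's range low bound + RID, one range per domain) in Python, with constructed domain SIDs and ranges, and it refuses a configuration whose ranges overlap or intrude on local system IDs, because an overlap is precisely what would let a guest account from one domain resolve to the same Unix ID as an account in another. The 1000 cutoff for local IDs is an assumption of the example, not a Samba default.

```python
"""Per-domain algorithmic SID <-> Unix ID mapping, modelled on the idmap_rid
scheme (uid = range_low + RID, one non-overlapping range per domain).
Constructed example: the domain SIDs, names and ranges below are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A domain account SID is the domain SID (S-1-5-21-A-B-C) plus a trailing RID.
# Well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) do not match
# and are deliberately rejected rather than mapped.
_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Assumed lower bound for domain ranges so they can never alias root or
# local service accounts on the Unix side.
LOCAL_ID_CEILING = 1000


@dataclass(frozen=True)
class DomainIdmap:
    """One forest domain and the Unix ID range it is allowed to issue."""
    name: str
    domain_sid: str
    low: int
    high: int


def parse_sid(sid: str) -> tuple[str, int]:
    """Split an account SID into (domain SID, RID); reject anything else."""
    m = _ACCOUNT_SID.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def check_ranges(domains: list[DomainIdmap]) -> list[DomainIdmap]:
    """Validate the forest-wide configuration before any mapping is done:
    every range must be sane, sit above local IDs, and be disjoint from
    all other domains' ranges. Returns the domains sorted by range."""
    for d in domains:
        if d.low > d.high:
            raise ValueError(f"{d.name}: inverted range {d.low}-{d.high}")
        if d.low < LOCAL_ID_CEILING:
            raise ValueError(f"{d.name}: range collides with local system IDs")
    ordered = sorted(domains, key=lambda d: d.low)
    for a, b in zip(ordered, ordered[1:]):
        if a.high >= b.low:
            raise ValueError(
                f"range overlap: {a.name} {a.low}-{a.high} vs {b.name} {b.low}-{b.high}")
    return ordered


def sid_to_uid(sid: str, domains: list[DomainIdmap]) -> int:
    """Map an account SID to a Unix ID using its own domain's range."""
    domain_sid, rid = parse_sid(sid)
    for d in domains:
        if d.domain_sid == domain_sid:
            uid = d.low + rid
            if uid > d.high:
                raise ValueError(f"{d.name}: RID {rid} exceeds range {d.low}-{d.high}")
            return uid
    raise LookupError(f"no idmap range configured for domain {domain_sid}")


def uid_to_sid(uid: int, domains: list[DomainIdmap]) -> str:
    """Reverse mapping: the range identifies the domain, the offset is the RID.
    This is only unambiguous because check_ranges() forbids overlaps."""
    for d in domains:
        if d.low <= uid <= d.high:
            return f"{d.domain_sid}-{uid - d.low}"
    raise LookupError(f"uid {uid} belongs to no configured domain range")


# Constructed forest: two family domains with disjoint 100k-wide ranges.
FOREST = check_ranges([
    DomainIdmap("SMITHS", "S-1-5-21-1111-2222-3333", 100000, 199999),
    DomainIdmap("JONES", "S-1-5-21-4444-5555-6666", 200000, 299999),
])

if __name__ == "__main__":
    visitor = "S-1-5-21-4444-5555-6666-1105"  # a JONES user visiting SMITHS
    uid = sid_to_uid(visitor, FOREST)
    print(visitor, "->", uid, "->", uid_to_sid(uid, FOREST))
```

Because the mapping is purely arithmetic, every machine in the forest that is given the same range table resolves a visiting user to the same Unix ID without any shared database, which is what makes the "visiting family" case work; the price is that the range table itself becomes forest-wide configuration that has to be validated wherever it is deployed.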