Tom Lieuallen
2009-Feb-24 16:44 UTC
[Samba] using winbind to map existing unix to AD users
On our campus, we have an AD forest. Our particular department has a number of samba servers that authenticate to one tree of that AD forest. All of our users have accounts in LDAP for unix and AD for windows. We don't want/need winbind for authentication. However, we would like the ability of setting ACLs on the samba server from windows clients. So, I assume I need a mapping of unix uid to AD SID.

It seems winbind is the solution for this, however it seems to want to generate the uids rather than using getpwent to look that up.

Is there something simple that I'm overlooking?

Otherwise, I'm considering using idmap_ldap and pre-filling that ldap directory base with the mappings myself. :-( Perhaps set up winbind with anon bind or something so that it _can't_ add anything itself; just look things up.

I also saw one can use a 'net' command to pre-fill gid->sid mappings. That might be nice/easy too, but I don't see anything similar for uid->sid mappings.

thank you

Tom Lieuallen
Oregon State University
Christian McHugh
2009-Feb-24 16:57 UTC
[Samba] using winbind to map existing unix to AD users
On Tuesday 24 February 2009 09:23:57 Tom Lieuallen wrote:

> It seems winbind is the solution for this, however it seems to want to
> generate the uids rather than using getpwent to look that up.

There are a few different plugins winbind can use to perform the uid<->sid mapping. By default samba uses the tdb mapper which, as you describe, will generate uid maps on the fly. In my environment we have uid/gid info populated in active directory so our samba server is able to use the idmap_ad or idmap_adex modules to look up uid info from ad. Depending on your environment you may be able to use the idmap_nss or idmap_ldap modules. See the idmap man pages on http://us6.samba.org/samba/docs/man/manpages-3/

Christian McHugh
Northern Arizona University
On Tue, Feb 24, 2009 at 9:23 AM, Tom Lieuallen <toml@engr.orst.edu> wrote:

> On our campus, we have an AD forest. Our particular department has a
> number of samba servers that authenticate to one tree of that AD forest.
> All of our users have accounts in LDAP for unix and AD for windows.
> We don't want/need winbind for authentication. However, we would like the
> ability of setting ACLs on the samba server from windows clients. So, I
> assume I need a mapping of unix uid to AD SID.
>
> It seems winbind is the solution for this, however it seems to want to
> generate the uids rather than using getpwent to look that up.
>
> Is there something simple that I'm overlooking?

Maybe you can use "idmap backend = rid" to use the RID of the user SID to generate the UID and GID?
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2599635

HTH,
-Kums
Tom Lieuallen
2009-Feb-25 00:24 UTC
[Samba] using winbind to map existing unix to AD users
Andrew Chaplin wrote:

> idmap backend = nss
>
> It took me a while to figure that one out and I only got it after
> someone posted something on this list that was somewhat related.
>
> I'm using it with 3.0.33 included in Solaris 10 and it works like a
> charm for win clients. OSX clients are a different story due to issues
> with Finder.

This appears to be the right answer for our situation. It didn't work for me with samba 3.3.0, but it did with 3.3.1.

thank you

Tom Lieuallen
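The setting the thread converges on, shown as an added smb.conf fragment that is not from any post above: the default tdb allocator that the original poster ran into is left commented out next to the nss backend that reuses the uids already served from LDAP. The realm and workgroup names are placeholders.

```ini
# Added illustration, not from the thread. EXAMPLE.EDU / EXAMPLE are placeholders.
[global]
    security  = ads
    realm     = EXAMPLE.EDU        ; placeholder: the AD tree this member server joins
    workgroup = EXAMPLE            ; placeholder: NetBIOS name of that domain

    # Default behaviour (what the original post observed): the tdb backend
    # hands out a fresh uid/gid from the ranges below the first time it sees
    # a SID, so the numbers will not agree with the uids already in LDAP.
    ;idmap backend = tdb
    ;idmap uid = 10000-20000
    ;idmap gid = 10000-20000

    # Chosen instead: winbind resolves the SID to an account name and then
    # looks that name up through nsswitch (the same getpwnam path as
    # "getent passwd"), so the LDAP uid is used and nothing is allocated.
    # The AD account name must therefore resolve to the same unix account.
    idmap backend = nss

    # Check after restarting winbindd (all three should agree on the uid):
    #   wbinfo -n 'EXAMPLE\jdoe'        -> prints the account's SID
    #   wbinfo -S <that SID>            -> prints the uid winbind mapped it to
    #   getent passwd jdoe              -> the uid LDAP/nsswitch already holds
```

With nss as the backend there is nothing for winbind to write, which is the "look things up but can't add anything" property the first post asked for.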