samba - Aug 2011 - Understanding UID/GID mapping models.

I am using either DOMAIN or ADS for authentication and am trying to
understand how UID/GID mapping rules are triggered.

This[1] seems to suggest that if I do not specify the idmap uid/gid
parameters in smb.conf, then authenticated usernames are mapped to
"local" user accounts having the same name.

If, however, I _do_ specify idmap uid/gid then one of the idmap_*
allocator modules is used.

Is my understanding correct there?

We have a mixed NIS/AD environment, and in most cases we do not use
idmap parameters and, as such, rely on the existence of an NIS account
to map UID/GID's.  However, when users attempt to set permissions from
Windows, it appears that a SID is passed to Samba which is unable to
map it into a valid file system ACL and the permissions aren't actually
set.

The only workaround I've found is to enable idmap so these SID's can be
resolved properly to NSS-sourced (in our case, NIS or local accounts)
UID/GID's.

I do something like this:

    idmap backend = tdb

    # Users without NIS accounts are assigned random UID/GID's from the
    # following pool (assuming they're allowed to connect)
    idmap uid = 1000000-10000000
    idmap gid = 1000000-10000000

    # NIS users should never have  UID/GID > 599999
    idmap config DOMAIN : backend = nss
    idmap config DOMAIN : range = 0-599999

This seems to work, but I'm looking to confirm that I have the correct
understanding.

Thanks,
Ray

From: Ray Van Dolson <rvandolson at esri.com>
Date: Tue, 30 Aug 2011 22:40:54 -0700
> I am using either DOMAIN or ADS for authentication and am trying to
> understand how UID/GID mapping rules are triggered.
> 
> This[1] seems to suggest that if I do not specify the idmap uid/gid
> parameters in smb.conf, then authenticated usernames are mapped to
> "local" user accounts having the same name.
> 
> If, however, I _do_ specify idmap uid/gid then one of the idmap_*
> allocator modules is used.
> 
> Is my understanding correct there?
Yes,
> We have a mixed NIS/AD environment, and in most cases we do not use
> idmap parameters and, as such, rely on the existence of an NIS account
> to map UID/GID's.  However, when users attempt to set permissions from
> Windows, it appears that a SID is passed to Samba which is unable to
> map it into a valid file system ACL and the permissions aren't actually
> set.
> 
> The only workaround I've found is to enable idmap so these SID's
can be
> resolved properly to NSS-sourced (in our case, NIS or local accounts)
> UID/GID's.
> 
> I do something like this:
> 
>     idmap backend = tdb
> 
>     # Users without NIS accounts are assigned random UID/GID's from the
>     # following pool (assuming they're allowed to connect)
>     idmap uid = 1000000-10000000
>     idmap gid = 1000000-10000000
> 
>     # NIS users should never have  UID/GID > 599999
>     idmap config DOMAIN : backend = nss
>     idmap config DOMAIN : range = 0-599999
> 
> This seems to work, but I'm looking to confirm that I have the correct
> understanding.
I think idmap_nss was prepared just for the environment like yours,
using both NIS or LDAP and Winbind.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>