Rowland Penny wrote on 16-07-2016 20:25:
> On 16/07/16 14:08, Xen wrote:
>> Rowland Penny wrote on 14-07-2016 14:50:
>>
>>> If you have any users in /etc/passwd that are also in AD, i.e. if you
>>> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred'
>>> in AD, then sorry, but one of them will have to go, they would be
>>> treated as the same user.
>>
>> Are you entirely sure this is true? I don't yet know how ID mapping
>> works in Samba.
>
> OK, where is rowland stored, can you tell from this:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Of course. But there are issues. getent passwd -s ldap rowland will
answer the same question from a different service. Normally there is an
order in nsswitch.conf, but if you have an NSCD daemon installed, it
might mess that up.
Maybe you mean that the ID mapping would work, but not accessing them at
the same time for normal operation?
There is no way in nscd to disable forwarding from getUID lookups to
getName lookups. (So to speak). The moment you read a filesystem part
that has the UID for the "imported" user, NSCD will replace its entry
for "fred" with that of the LDAP / AD system.
If you turn NSCD off, these issues are not there and you can only get
the /first/ named user of that name, depending on the order in
nsswitch.conf.
Regardless I would assume IDmapping would directly request information
from a specific source (service, -s) instead of the first one it
encounters (general lookup).
After all, the only valid users in the system are those that result
/after/ or /from/ the IDmap.
So the /source/ of the IDmapping (the remote system) can never be
anything that is requested through getent.
Only the result of it should make it to the getent database, right.
Therefore you may have issues with duplicate users, but not with mapping
them in the first place, because that first thing has nothing to do with
getent yet.
> No, as far as I can tell, IDmapping is all about mapping a user (or
> group) from somewhere else (i.e. AD) to a local Unix user (or group).
> Thinking about it, mapping is probably the wrong word, but I cannot
> think of a better word now that you cannot have a local user with the
> same name as one in AD.
Yeah, I meant that with importing. Sorry!
It's just a shame I think that NSCD does not honour the nsswitch order
for my personal use case.
It just keeps one version of each name, and overwrites it with the
latest request (if requested by ID).
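A way to check a host for the situation the thread is about (the same user name resolvable both from /etc/passwd and from an AD-backed NSS source, so that the nsswitch.conf order or an nscd cache decides which one you get). This is an added example, not code from the list thread or from Samba; it queries each NSS service explicitly with `getent passwd -s`, as the message above suggests, rather than the merged view. The service name `winbind` and the `DOMAIN+user` separator are assumptions, and the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example: list user names that resolve from two NSS sources at once.
# Each argument is passwd-format text ("name:pw:uid:gid:gecos:home:shell").
# An optional "DOMAIN+" prefix (winbind's default separator, assumed here)
# is stripped from names before comparison, so 'ABC+fred' collides with 'fred'.
# Prints one line per collision: "name uid_in_source_a uid_in_source_b".
passwd_collisions() {
    {
        printf '%s\n' "$1" | awk -F: 'NF >= 3 { print "A", $1, $3 }'
        printf '%s\n' "$2" | awk -F: 'NF >= 3 { print "B", $1, $3 }'
    } | awk '
        { name = $2; sub(/^[^+]*[+]/, "", name) }   # drop DOMAIN+ prefix
        $1 == "A" { a[name] = $3 }
        $1 == "B" { b[name] = $3 }
        END { for (n in a) if (n in b) print n, a[n], b[n] }
    ' | sort
}

# Constructed sample data standing in for the two sources.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/home/fred:/bin/bash
rowland:x:1002:1002:Rowland Penny:/home/rowland:/bin/bash'

AD_PASSWD='ABC+fred:*:10001:10000:Fred AD:/home/ABC/fred:/bin/bash
ABC+alice:*:10002:10000:Alice AD:/home/ABC/alice:/bin/bash'

echo "Collisions in constructed sample (expect: fred 1001 10001):"
passwd_collisions "$LOCAL_PASSWD" "$AD_PASSWD"

# Against a live host, query each service explicitly so the nscd cache and
# the nsswitch.conf order cannot hide the duplicate (service name 'winbind'
# is an assumption; use 'sss' or 'ldap' as appropriate for your setup):
#   passwd_collisions "$(getent passwd -s files)" "$(getent passwd -s winbind)"
```

Any name this prints is one where file ownership by UID and lookups by name can disagree depending on which source answered first, which is the behaviour described for nscd above; resolving it means renaming or removing one of the two accounts, not tuning the cache.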