samba - Dec 2019 - unix_primary_group and unix_nss_info for rfc2307 idmap backend

Hi,

In winbind, are there any plans to add the idmap_ad options
"unix_primary_group" and "unix_nss_info" to the
idmap_rfc2307 backend?

I am using an ldap proxy to preserve the UNIX uids and gids between two domains,
and it would be nice to also share the shell setting and the UNIX primary group
as well.

On 19/12/2019 11:20, Sebastian Lisic via samba wrote:
> Hi,
>
> In winbind, are there any plans to add the idmap_ad options
"unix_primary_group" and "unix_nss_info" to the
idmap_rfc2307 backend?
>
> I am using an ldap proxy to preserve the UNIX uids and gids between two
domains, and it would be nice to also share the shell setting and the UNIX
primary group as well.
This backend seems to be designed as a bridge between AD and an ldap 
server and only implements the 'idmap' API. It might be possible to 
modify it to obtain the attributes you refer to, but I do not think this 
is likely to be on anyone's TODO list.

If your domains do have the required rfc2307 attributes and trusts in 
place, you could use the idmap_ad backend instead, provided they are all 
AD domains.

Rowland

On 19/12/2019 21:46, Sebastian Lisic wrote:
> Thanks for the quick reply, Rowland!
>
> The problem I have is that the clients of each domain do not have access to
the other domain's DC. Only the DCs of each domain can talk to one another.
With Microsoft no longer allowing POSIX attributes to be replicated in the
global catalog, I can't think of a way of besides an ldap proxy to pass
along this information.
>
As far as I am aware, Microsoft still allows Posix attributes, they are 
part of the standard schema, they stopped IDMU, which removed the Unix 
attributes tab. You just have to maintain the rfc2307 attributes in 
another way, which you must be doing, because you want to use them.

Rowland

On Thu, Dec 19, 2019 at 10:19:28PM +0000, Rowland penny via samba
wrote:
> On 19/12/2019 21:46, Sebastian Lisic wrote:
> >Thanks for the quick reply, Rowland!
> >
> >The problem I have is that the clients of each domain do not have
access to the other domain's DC. Only the DCs of each domain can talk to one
another. With Microsoft no longer allowing POSIX attributes to be replicated in
the global catalog, I can't think of a way of besides an ldap proxy to pass
along this information.
> >
> As far as I am aware, Microsoft still allows Posix attributes, they
> are part of the standard schema, they stopped IDMU, which removed
> the Unix attributes tab. You just have to maintain the rfc2307
> attributes in another way, which you must be doing, because you want
> to use them.
FYI,

https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
is a useful blog post about the RF2307 attributes.

Christof