Sebastian Lisic
2019-Dec-19 11:20 UTC
[Samba] unix_primary_group and unix_nss_info for rfc2307 idmap backend
Hi,

In winbind, are there any plans to add the idmap_ad options "unix_primary_group" and "unix_nss_info" to the idmap_rfc2307 backend?

I am using an ldap proxy to preserve the UNIX uids and gids between two domains, and it would be nice to also share the shell setting and the UNIX primary group as well.
Rowland penny
2019-Dec-19 13:27 UTC
[Samba] unix_primary_group and unix_nss_info for rfc2307 idmap backend
On 19/12/2019 11:20, Sebastian Lisic via samba wrote:
> Hi,
>
> In winbind, are there any plans to add the idmap_ad options "unix_primary_group" and "unix_nss_info" to the idmap_rfc2307 backend?
>
> I am using an ldap proxy to preserve the UNIX uids and gids between two domains, and it would be nice to also share the shell setting and the UNIX primary group as well.

This backend seems to be designed as a bridge between AD and an ldap server and only implements the 'idmap' API. It might be possible to modify it to obtain the attributes you refer to, but I do not think this is likely to be on anyone's TODO list.

If your domains do have the required rfc2307 attributes and trusts in place, you could use the idmap_ad backend instead, provided they are all AD domains.

Rowland
Rowland penny
2019-Dec-19 22:19 UTC
[Samba] unix_primary_group and unix_nss_info for rfc2307 idmap backend
On 19/12/2019 21:46, Sebastian Lisic wrote:
> Thanks for the quick reply, Rowland!
>
> The problem I have is that the clients of each domain do not have access to the other domain's DC. Only the DCs of each domain can talk to one another. With Microsoft no longer allowing POSIX attributes to be replicated in the global catalog, I can't think of a way besides an ldap proxy to pass along this information.
>

As far as I am aware, Microsoft still allows Posix attributes, they are part of the standard schema, they stopped IDMU, which removed the Unix attributes tab. You just have to maintain the rfc2307 attributes in another way, which you must be doing, because you want to use them.

Rowland
Christof Schmitt
2019-Dec-19 23:25 UTC
[Samba] unix_primary_group and unix_nss_info for rfc2307 idmap backend
On Thu, Dec 19, 2019 at 10:19:28PM +0000, Rowland penny via samba wrote:
> On 19/12/2019 21:46, Sebastian Lisic wrote:
> >Thanks for the quick reply, Rowland!
> >
> >The problem I have is that the clients of each domain do not have access to the other domain's DC. Only the DCs of each domain can talk to one another. With Microsoft no longer allowing POSIX attributes to be replicated in the global catalog, I can't think of a way besides an ldap proxy to pass along this information.
> >
> As far as I am aware, Microsoft still allows Posix attributes, they
> are part of the standard schema, they stopped IDMU, which removed
> the Unix attributes tab. You just have to maintain the rfc2307
> attributes in another way, which you must be doing, because you want
> to use them.

FYI, https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/ is a useful blog post about the RFC2307 attributes.

Christof