Rowland penny
2021-Mar-24 09:13 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 23:48, Jonathon A Anderson wrote:
> This was still unsuccessful, but hopefully this is enough information for us to figure out what I'm doing wrong.
>
> Forgive the redactions; I hope they don't get in the way; but if they do let me know. In general, if I'm using the same string as a redaction, the values are the same.
>
> First, here's my record in AD. (There's more to it, of course, but I think these are the relevant bits.)
>
> -
> [root@opsdev1 ~]# ldapsearch -LLL -x -H ldap://ad.[redacted]:389 -b ou=people,dc=ad,dc=[redacted] -D 'AD\[myusername]' -W '(sAMAccountName=[myusername])' CN sAMAccountName uidNumber
> Enter LDAP Password:
> dn: CN=[myusername],OU=People,DC=ad,DC=[redacted]
> cn: [myusername]
> sAMAccountName: [myusername]
> uidNumber: 416810
> -

OK, I have been doing a bit of investigation about idmap_nss and I do not think it is going to work as is. If you read 'man idmap_nss', you will find this:

    This example shows how to use idmap_nss to check the local accounts for its own domain while using allocation to create new mappings for trusted domains

I read this as being that it will only work if you run your samba server as a standalone server with a trust to your AD.

Most of the idmap backends were designed before AD and aren't really practicable with AD. The main backends that are used with AD are: 'ad', 'rid' and 'autorid'.

For what you are trying to do, I think you need to add/change the uidNumber & gidNumber attributes in AD to match the users & groups in /etc/passwd and /etc/group, then remove them from /etc/passwd and /etc/group, finally use the winbind 'ad' backend.

Rowland
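Before following the advice above (making the AD uidNumber/gidNumber values match /etc/passwd and /etc/group and then switching winbind to the 'ad' backend), a practitioner would want to find the accounts that would not map cleanly. The following is an added example, not code from the thread or from Samba: it parses the kind of `ldapsearch -LLL` output quoted above and a passwd-style file, and reports users with a missing AD account, a missing uidNumber, a uid/gid mismatch, or a uidNumber outside the range you intend to give `idmap config DOM : range`. The function names, the sample entries and the range 10000-999999 are constructed for the example.

```python
# Added example (not from the thread): cross-check AD uidNumber/gidNumber against /etc/passwd.
def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into one attribute -> [values] dict per entry."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():                  # a blank line separates entries
            entries.append({})
        else:
            key, _, val = line.partition(":")
            entries[-1].setdefault(key.strip(), []).append(val.strip())
    return [e for e in entries if e]

def parse_passwd(text):
    """Map login name -> (uid, gid) from /etc/passwd-style lines."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {f[0]: (int(f[2]), int(f[3])) for f in rows}

def check_idmap(ldif_text, passwd_text, id_range):
    """Return (user, problem) pairs for local users that would not map cleanly under idmap 'ad'."""
    lo, hi = id_range
    ad = {e["sAMAccountName"][0]: e for e in parse_ldif(ldif_text) if "sAMAccountName" in e}
    problems = []
    for user, (uid, gid) in parse_passwd(passwd_text).items():
        e = ad.get(user, {})                  # AD entry keyed by sAMAccountName
        ad_uid = e.get("uidNumber", [None])[0]
        if ad_uid is None:
            problems.append((user, "no uidNumber in AD" if e else "no AD account"))
            continue
        ad_uid, ad_gid = int(ad_uid), e.get("gidNumber", ["none"])[0]
        if ad_uid != uid:
            problems.append((user, f"uidNumber {ad_uid} in AD != local uid {uid}"))
        if not lo <= ad_uid <= hi:
            problems.append((user, f"uidNumber {ad_uid} outside idmap range {lo}-{hi}"))
        if ad_gid != str(gid):
            problems.append((user, f"gidNumber {ad_gid} in AD != local gid {gid}"))
    return problems
# Constructed sample data, modelled on the ldapsearch output quoted in the thread.
SAMPLE_LDIF = """dn: CN=alice,OU=People,DC=ad,DC=example,DC=edu
sAMAccountName: alice
uidNumber: 416810
gidNumber: 416810

dn: CN=bob,OU=People,DC=ad,DC=example,DC=edu
sAMAccountName: bob
uidNumber: 5000
"""
SAMPLE_PASSWD = """alice:x:416810:416810::/home/alice:/bin/bash
bob:x:416811:100::/home/bob:/bin/bash
carol:x:416812:416812::/home/carol:/bin/bash
"""
```

Run `check_idmap(SAMPLE_LDIF, SAMPLE_PASSWD, (10000, 999999))` to see bob flagged three times and carol once; on a real host feed it the output of `ldapsearch` and the contents of /etc/passwd instead of the samples.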
Jonathon A Anderson
2021-Mar-24 17:23 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
> I read this as being that it will only work if you run your samba server
> as a standalone server with a trust to your AD.

How is that different from what I'm trying to do?

~jonathon