<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id2604465">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2604490">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a 
href="idmapper.html#id2604553">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605504">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605739">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id2605810">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2605874">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2606596">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607186">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607771">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p>
<a class="indexterm" name="id2604190"></a>
<a class="indexterm" name="id2604196"></a>
<a class="indexterm" name="id2604203"></a>
<a class="indexterm" name="id2604210"></a>
<a class="indexterm" name="id2604220"></a>
<a class="indexterm" name="id2604226"></a>
<a class="indexterm" name="id2604233"></a>
The Microsoft Windows operating system has a number of features that impose specific challenges
to interoperability with the operating systems on which Samba is implemented. This chapter deals
explicitly with one of the key challenges in the integration of Samba servers into an MS Windows
networking environment: the mechanisms Samba-3 (version 3.0.8 and later) uses for identity
mapping (IDMAP) of Windows security identifiers (SIDs) to UNIX UIDs and GIDs.
</p><p>
To ensure sufficient coverage, each possible Samba deployment type is discussed.
This is followed by an overview of how the IDMAP facility may be implemented.
</p><p>
<a class="indexterm" name="id2604257"></a>
<a class="indexterm" name="id2604264"></a>
<a class="indexterm" name="id2604270"></a>
<a class="indexterm" name="id2604278"></a>
The IDMAP facility is of concern where more than one Samba server (or Samba network client)
is installed in a domain. Where there is a single Samba server, do not be too concerned regarding
the IDMAP infrastructure: the default behavior of Samba is nearly always sufficient.
Where multiple Samba servers are used it is often necessary to move data off one server and onto
another, and that is where the fun begins!
</p><p>
<a class="indexterm" name="id2604298"></a>
<a class="indexterm" name="id2604304"></a>
<a class="indexterm" name="id2604310"></a>
<a class="indexterm" name="id2604317"></a>
<a class="indexterm" name="id2604324"></a>
<a class="indexterm" name="id2604331"></a>
<a class="indexterm" name="id2604338"></a>
<a class="indexterm" name="id2604344"></a>
Where user and group account information is stored in an LDAP directory, every server can have the same
consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. Samba
can be configured to use only local accounts, in which case the scope of the IDMAP problem is somewhat
reduced. This works reasonably well if the servers belong to a single domain and interdomain trusts
are not needed. On the other hand, if the Samba servers are NT4 domain members or ADS domain members,
or if there is a need to keep the security name-space separate (i.e., the user
<code class="literal">DOMINICUS\FJones</code> must not be given access to the account resources of the user
<code class="literal">FRANCISCUS\FJones</code><sup>[<a name="id2604373" href="#ftn.id2604373" class="footnote">4</a>]</sup>) free from inadvertent cross-over, close attention should be given
to the way that the IDMAP facility is configured.
</p><p>
<a class="indexterm" name="id2604402"></a>
<a class="indexterm" name="id2604409"></a>
<a class="indexterm" name="id2604416"></a>
<a class="indexterm" name="id2604422"></a>
<a class="indexterm" name="id2604429"></a>
<a class="indexterm" name="id2604435"></a>
The use of IDMAP is important where the Samba server will be accessed by workstations or servers from
more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping)
of foreign SIDs to local UNIX UIDs and GIDs.
</p><p>
<a class="indexterm" name="id2604450"></a>
The use of the IDMAP facility requires that the <code class="literal">winbindd</code> daemon be started along with Samba.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2604465"></a>Samba Server Deployment Types and IDMAP</h2></div></div></div><p>
<a class="indexterm" name="id2604473"></a>
There are four basic server deployment types, as documented in <a class="link" href="ServerType.html" title="Chapter 3. Server Types and Security Modes">the chapter
on Server Types and Security Modes</a>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2604490"></a>Standalone Samba Server</h3></div></div></div><p>
<a class="indexterm" name="id2604498"></a>
<a class="indexterm" name="id2604505"></a>
<a class="indexterm" name="id2604512"></a>
A standalone Samba server is an implementation that is not a member of a Windows NT4 domain,
a Windows 200X Active Directory domain, or a Samba domain.
</p><p>
<a class="indexterm" name="id2604525"></a>
<a class="indexterm" name="id2604531"></a>
<a class="indexterm" name="id2604538"></a>
By definition, this means that users and groups will be created and controlled locally, and
the identity of a network user must match a local UNIX/Linux user login. Winbind is therefore
not necessary, and the IDMAP facility is not relevant to this deployment type.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2604553"></a>Domain Member Server or Domain Member Client</h3></div></div></div><p>
<a class="indexterm" name="id2604561"></a>
<a class="indexterm" name="id2604568"></a>
<a class="indexterm" name="id2604574"></a>
<a class="indexterm" name="id2604581"></a>
<a class="indexterm" name="id2604588"></a>
Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that
are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with
all versions of MS Windows products. Windows NT4, like MS Active Directory,
makes extensive use of Windows SIDs.
</p><p>
<a class="indexterm" name="id2604603"></a>
<a class="indexterm" name="id2604610"></a>
<a class="indexterm" name="id2604616"></a>
Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming
Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba
server must present appropriate SIDs to MS Windows clients and servers.
</p><p>
<a class="indexterm" name="id2604631"></a>
<a class="indexterm" name="id2604637"></a>
A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
identity mapping in a variety of ways. The mechanism it uses depends on whether or not
the <code class="literal">winbindd</code> daemon is used and how the winbind functionality is configured.
The configuration options are briefly described here:
</p><div class="variablelist"><dl><dt><span class="term">Winbind is not used; users and groups are local: </span></dt><dd><p>
<a class="indexterm" name="id2604668"></a>
<a class="indexterm" name="id2604675"></a>
<a class="indexterm" name="id2604682"></a>
<a class="indexterm" name="id2604689"></a>
<a class="indexterm" name="id2604695"></a>
<a class="indexterm" name="id2604702"></a>
<a class="indexterm" name="id2604709"></a>
<a class="indexterm" name="id2604716"></a>
<a class="indexterm" name="id2604722"></a>
<a class="indexterm" name="id2604729"></a>
<a class="indexterm" name="id2604736"></a>
Where <code class="literal">winbindd</code> is not used, Samba (<code class="literal">smbd</code>)
uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming
network traffic. This is done by taking the LoginID (account name) from the
session setup request and passing it to the getpwnam() system function call.
This call is implemented using the name service switch (NSS) mechanism on
modern UNIX/Linux systems. By saying "users and groups are local,"
we are implying that they are stored only on the local system, in the
<code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> files, respectively.
</p><p>
<a class="indexterm" name="id2604778"></a>
<a class="indexterm" name="id2604785"></a>
For example, when the user <code class="literal">BERYLIUM\WambatW</code> tries to open a
connection to a Samba server, the incoming SessionSetupAndX request will result in a
system call to look up the user <code class="literal">WambatW</code> in the
<code class="filename">/etc/passwd</code> file.
</p><p>
<a class="indexterm" name="id2604816"></a>
<a class="indexterm" name="id2604823"></a>
<a class="indexterm" name="id2604830"></a>
<a class="indexterm" name="id2604837"></a>
<a class="indexterm" name="id2604843"></a>
<a class="indexterm" name="id2604850"></a>
<a class="indexterm" name="id2604857"></a>
<a class="indexterm" name="id2604864"></a>
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
</p></dd><dt><span class="term">Winbind is not used; users and groups resolved via NSS: </span></dt><dd><p>
<a class="indexterm" name="id2604887"></a>
<a class="indexterm" name="id2604894"></a>
<a class="indexterm" name="id2604901"></a>
<a class="indexterm" name="id2604908"></a>
<a class="indexterm" name="id2604914"></a>
<a class="indexterm" name="id2604921"></a>
In this situation user and group accounts are treated as if they are local
accounts. The only way in which this differs from having local accounts is
that the accounts are stored in a repository that can be shared. In practice
this means that they will reside in either an NIS-type database or else in LDAP.
</p><p>
<a class="indexterm" name="id2604936"></a>
<a class="indexterm" name="id2604943"></a>
<a class="indexterm" name="id2604950"></a>
<a class="indexterm" name="id2604957"></a>
<a class="indexterm" name="id2604963"></a>
<a class="indexterm" name="id2604970"></a>
<a class="indexterm" name="id2604977"></a>
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
</p></dd><dt><span class="term">Winbind/NSS with the default local IDMAP table: </span></dt><dd><p>
<a class="indexterm" name="id2605000"></a>
<a class="indexterm" name="id2605006"></a>
<a class="indexterm" name="id2605013"></a>
<a class="indexterm" name="id2605020"></a>
There are many sites that require only a simple Samba server or a single Samba
server that is a member of a Windows NT4 domain or an ADS domain. A typical example
is an appliance-like file server on which no local accounts are configured and
winbind is used to obtain account credentials from the domain controllers for the
domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows
Active Directory.
</p><p>
<a class="indexterm" name="id2605038"></a>
<a class="indexterm" name="id2605045"></a>
<a class="indexterm" name="id2605052"></a>
<a class="indexterm" name="id2605058"></a>
<a class="indexterm" name="id2605065"></a>
Winbind is a great convenience in this situation. All that is needed is a range of
UID numbers and GID numbers that can be defined in the <code class="filename">smb.conf</code> file. The
<code class="filename">/etc/nsswitch.conf</code> file is configured to use <code class="literal">winbind</code>,
which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs.
The SIDs are allocated a UID/GID in the order in which winbind receives them.
</p><p>
<a class="indexterm" name="id2605099"></a>
<a class="indexterm" name="id2605106"></a>
<a class="indexterm" name="id2605112"></a>
<a class="indexterm" name="id2605119"></a>
This configuration is not convenient or practical in sites that have more than one
Samba server and that require the same UID or GID for the same user or group across
all servers.
One of the hazards of this method is that in the event that the winbind
IDMAP file becomes corrupted or lost, the repaired or rebuilt IDMAP file may allocate
UIDs and GIDs to different users and groups from what was there previously, with the
result that MS Windows files that are stored on the Samba server may no longer belong to
their rightful owners.
</p></dd><dt><span class="term">Winbind/NSS uses RID-based IDMAP: </span></dt><dd><p>
<a class="indexterm" name="id2605148"></a>
<a class="indexterm" name="id2605154"></a>
<a class="indexterm" name="id2605161"></a>
<a class="indexterm" name="id2605168"></a>
The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier
for a number of sites that are committed to the use of MS ADS, that do not apply
an ADS schema extension, and that do not have an LDAP directory server installed just for
the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of
domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the
IDMAP table problem, then IDMAP_RID is an obvious choice.
</p><p>
<a class="indexterm" name="id2605186"></a>
<a class="indexterm" name="id2605193"></a>
<a class="indexterm" name="id2605200"></a>
<a class="indexterm" name="id2605207"></a>
<a class="indexterm" name="id2605213"></a>
<a class="indexterm" name="id2605220"></a>
<a class="indexterm" name="id2605226"></a>
<a class="indexterm" name="id2605233"></a>
This facility requires the allocation of the <em class="parameter"><code>idmap uid</code></em> and the
<em class="parameter"><code>idmap gid</code></em> ranges, and within the <em class="parameter"><code>idmap uid</code></em>
range it is possible to allocate a subset for automatic mapping of the relative
identifier (RID) portion of the SID directly to the base of the UID plus the RID value.
For example, if the <em class="parameter"><code>idmap uid</code></em> range is <code class="constant">1000-100000000</code>
and the <em class="parameter"><code>idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000</code></em>, and
a SID is encountered that has the value <code class="constant">S-1-5-21-34567898-12529001-32973135-1234</code>,
the resulting UID will be <code class="constant">1000 + 1234 = 2234</code>.
</p></dd><dt><span class="term">Winbind with an NSS/LDAP backend-based IDMAP facility: </span></dt><dd><p>
<a class="indexterm" name="id2605302"></a>
<a class="indexterm" name="id2605309"></a>
<a class="indexterm" name="id2605315"></a>
<a class="indexterm" name="id2605322"></a>
<a class="indexterm" name="id2605328"></a>
<a class="indexterm" name="id2605335"></a>
<a class="indexterm" name="id2605342"></a>
<a class="indexterm" name="id2605349"></a>
In this configuration <code class="literal">winbind</code> resolves SIDs to UIDs and GIDs from
the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> ranges specified
in the <code class="filename">smb.conf</code> file, but instead of using a local winbind IDMAP table, the mapping is stored
in an LDAP directory so that all domain member machines (clients and servers) can share
a common IDMAP table.
</p><p>
<a class="indexterm" name="id2605387"></a>
<a class="indexterm" name="id2605394"></a>
<a class="indexterm" name="id2605401"></a>
It is important that all LDAP IDMAP clients use only the master LDAP server because the
<em class="parameter"><code>idmap backend</code></em> facility in the <code class="filename">smb.conf</code> file does not correctly
handle LDAP redirects.
</p></dd><dt><span class="term">Winbind with NSS to resolve UNIX/Linux user and group IDs: </span></dt><dd><p>
The use of LDAP as the passdb backend is a smart solution for PDC, BDC, and
domain member servers. It is a neat method for assuring that UIDs, GIDs, and the matching
SIDs are consistent across all servers.
</p><p>
<a class="indexterm" name="id2605443"></a>
<a class="indexterm" name="id2605449"></a>
The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or
an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from
standalone Windows clients (i.e., not a member of our domain) as well as SIDs from
another domain. The foreign UID/GID is mapped from allocated ranges (idmap uid and idmap gid)
in precisely the same manner as when using winbind with a local IDMAP table.
</p><p>
<a class="indexterm" name="id2605467"></a>
<a class="indexterm" name="id2605474"></a>
<a class="indexterm" name="id2605481"></a>
The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active
Directory. In order to use Active Directory, it is necessary to extend the ADS schema, by
installing either the AD4UNIX schema extension or Microsoft Services for UNIX
version 3.5 or later, so that it maintains UNIX account credentials.
Where the ADS schema is extended, a Microsoft Management Console (MMC) snap-in is also
installed to permit the UNIX credentials to be set and managed from the ADS User and Computer
Management tool. Each account must be separately UNIX-enabled before the UID and GID data can
be used by Samba.
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605504"></a>Primary Domain Controller</h3></div></div></div><p>
<a class="indexterm" name="id2605512"></a>
<a class="indexterm" name="id2605519"></a>
<a class="indexterm" name="id2605526"></a>
<a class="indexterm" name="id2605532"></a>
Microsoft Windows domain security systems generate the user and group SID as part
of the process of creation of an account. Windows does not have a concept of the UNIX UID or GID; rather,
it has its own type of security descriptor. When Samba is used as a domain controller, it provides a method
of producing a unique SID for each user and group. Samba generates a machine and a domain SID to which it
adds an RID that is calculated algorithmically from a base value that can be specified
in the <code class="filename">smb.conf</code> file, plus twice (2x) the UID or GID. This method is called “<span class="quote">algorithmic mapping</span>”.
</p><p>
<a class="indexterm" name="id2605561"></a>
For example, if a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will
be <code class="literal">1000 + (2 x 4321) = 9642</code>. Thus, if the domain SID is
<code class="literal">S-1-5-21-89238497-92787123-12341112</code>, the resulting SID is
<code class="literal">S-1-5-21-89238497-92787123-12341112-9642</code>.
</p><p>
<a class="indexterm" name="id2605593"></a>
<a class="indexterm" name="id2605600"></a>
<a class="indexterm" name="id2605606"></a>
<a class="indexterm" name="id2605613"></a>
The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly
(as is the case when using a <em class="parameter"><code>passdb backend = [tdbsam | smbpasswd]</code></em>), or may be stored
as a permanent part of an account in an LDAP-based ldapsam.
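As an added worked example (not code from the Samba project), the two arithmetic mappings described in this chapter: the idmap_rid translation of a SID into a UID (low end of the idmap_rid range plus the RID, from the domain member section above) and the PDC's algorithmic mapping of a UID into a RID (base plus twice the UID). The SIDs, ranges and base values are the chapter's own; the domain-SID comparison and the range checks are defensive additions assumed by this example.

```python
import re

# Matches an NT domain SID of the form S-1-5-21-<a>-<b>-<c>-<rid>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into ('S-1-5-21-a-b-c', rid)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    domain_sid = "S-1-5-21-" + "-".join(m.group(i) for i in (1, 2, 3))
    return domain_sid, int(m.group(4))


def parse_range(spec):
    """Parse an smb.conf range such as '1000-100000000' into (low, high)."""
    low, high = (int(x) for x in spec.split("-", 1))
    if low > high:
        raise ValueError(f"inverted range: {spec!r}")
    return low, high


def rid_to_uid(sid, domain_sid, idmap_uid, rid_range):
    """idmap_rid mapping: UID = low end of the idmap_rid range + RID.

    domain_sid - SID of the single domain idmap_rid serves (assumption of
                 this example: the caller knows it from the domain join)
    idmap_uid  - the 'idmap uid' parameter, e.g. '1000-100000000'
    rid_range  - the range after 'idmap_rid:DOMAIN=', e.g. '1000-50000000'
    Raises ValueError for a foreign SID or a result outside the ranges.
    """
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        # idmap_rid cannot serve another domain (allow trusted domains = No)
        raise ValueError(f"foreign SID {sid!r}, expected domain {domain_sid}")
    uid_low, uid_high = parse_range(idmap_uid)
    base, top = parse_range(rid_range)
    if not (uid_low <= base and top <= uid_high):
        raise ValueError("idmap_rid range must lie inside the idmap uid range")
    uid = base + rid
    if uid > top:
        raise ValueError(f"RID {rid} maps to {uid}, beyond the idmap_rid range")
    return uid


def uid_to_sid(uid, domain_sid, rid_base=1000):
    """PDC algorithmic mapping: RID = rid_base + 2 * UID, appended to the
    domain SID. 1000 is the algorithmic RID base used in the chapter."""
    if uid < 0:
        raise ValueError("UID must be non-negative")
    return f"{domain_sid}-{rid_base + 2 * uid}"


def sid_to_uid_algorithmic(sid, domain_sid, rid_base=1000):
    """Inverse of uid_to_sid: UID = (RID - rid_base) / 2 for a user SID that
    was produced by the rid_base + 2 * UID rule."""
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        raise ValueError(f"foreign SID {sid!r}")
    if rid < rid_base or (rid - rid_base) % 2:
        raise ValueError(f"RID {rid} does not have the rid_base + 2*UID form")
    return (rid - rid_base) // 2


if __name__ == "__main__":
    # Chapter values: RID 1234 with an idmap_rid base of 1000 gives UID 2234
    print(rid_to_uid("S-1-5-21-34567898-12529001-32973135-1234",
                     "S-1-5-21-34567898-12529001-32973135",
                     "1000-100000000", "1000-50000000"))
    # Chapter values: UID 4321 with RID base 1000 gives RID 9642
    print(uid_to_sid(4321, "S-1-5-21-89238497-92787123-12341112"))
```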
</p><p>
<a class="indexterm" name="id2605633"></a>
<a class="indexterm" name="id2605640"></a>
<a class="indexterm" name="id2605647"></a>
<a class="indexterm" name="id2605654"></a>
<a class="indexterm" name="id2605661"></a>
<a class="indexterm" name="id2605667"></a>
<a class="indexterm" name="id2605674"></a>
<a class="indexterm" name="id2605680"></a>
<a class="indexterm" name="id2605687"></a>
ADS uses a directory schema that can be extended to accommodate additional
account attributes such as UIDs and GIDs. The installation of Microsoft Services for UNIX 3.5 will expand
the normal ADS schema to include UNIX account attributes. These must of course be managed separately
through a snap-in module to the normal ADS account management MMC interface.
</p><p>
<a class="indexterm" name="id2605703"></a>
<a class="indexterm" name="id2605710"></a>
<a class="indexterm" name="id2605717"></a>
<a class="indexterm" name="id2605723"></a>
Security identifiers used within a domain must be managed to avoid conflict and to preserve integrity.
In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup
domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable
for such information is an LDAP backend.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605739"></a>Backup Domain Controller</h3></div></div></div><p>
<a class="indexterm" name="id2605747"></a>
<a class="indexterm" name="id2605753"></a>
<a class="indexterm" name="id2605760"></a>
<a class="indexterm" name="id2605767"></a>
<a class="indexterm" name="id2605774"></a>
<a class="indexterm" name="id2605781"></a>
<a class="indexterm" name="id2605788"></a>
BDCs have read-only access to security credentials that are stored in LDAP.
Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
changes to the directory.
</p><p>
IDMAP information can be written directly to the LDAP server so long as all domain controllers
have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects
in the IDMAP backend. This means that it is unsafe to use a slave (replica) LDAP server with
the IDMAP facility.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605810"></a>Examples of IDMAP Backend Usage</h2></div></div></div><p>
<a class="indexterm" name="id2605818"></a>
<a class="indexterm" name="id2605827"></a>
<a class="indexterm" name="id2605837"></a>
<a class="indexterm" name="id2605844"></a>
<a class="indexterm" name="id2605850"></a>
Anyone who wishes to use <code class="literal">winbind</code> will find the following example configurations helpful.
Remember that in the majority of cases <code class="literal">winbind</code> is of primary interest for use with
domain member servers (DMSs) and domain member clients (DMCs).
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605874"></a>Default Winbind TDB</h3></div></div></div><p>
Two common configurations are used:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Networks that have an NT4 PDC (with or without BDCs) or a Samba PDC (with or without BDCs).
</p></li><li><p>
Networks that use MS Windows 200x ADS.
</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2605898"></a>NT4-Style Domains (Includes Samba Domains)</h4></div></div></div><p>
<a class="link" href="idmapper.html#idmapnt4dms" title="Example 14.1. NT4 Domain Member Server smb.conf">NT4 Domain Member Server smb.conf</a> is a simple example of an NT4 DMS
<code class="filename">smb.conf</code> file that shows only the global section.
</p><div class="example"><a name="idmapnt4dms"></a><p class="title"><b>Example 14.1. NT4 Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2605950"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2605962"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2605974"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2605986"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2605997"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2606010"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2606025"></a>
<a class="indexterm" name="id2606031"></a>
The use of <code class="literal">winbind</code> requires configuration of NSS. Edit the <code class="filename">/etc/nsswitch.conf</code>
file so it includes the following entries:
</p><pre class="screen">
...
passwd: files winbind
shadow: files winbind
group: files winbind
...
hosts: files [dns] wins
...
</pre><p>
The use of DNS in the hosts entry should be made only if DNS is used on site.
</p><p>
The creation of the DMS requires the following steps:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <code class="filename">smb.conf</code> file with the above configuration.
</p></li><li><p>
Execute:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -UAdministrator%password
Joined domain MEGANET2.
</pre><p>
<a class="indexterm" name="id2606100"></a>
The success of the join can be confirmed with the following command:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc testjoin
Join to 'MIDEARTH' is OK
</pre><p>
A failed join would report an error message like the following:
<a class="indexterm" name="id2606122"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc testjoin
[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
Join to domain 'MEGANET2' is not valid
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id2606149"></a>
<a class="indexterm" name="id2606156"></a>
<a class="indexterm" name="id2606162"></a>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2606185"></a>ADS Domains</h4></div></div></div><p>
<a class="indexterm" name="id2606193"></a>
<a class="indexterm" name="id2606200"></a>
The procedure for joining an ADS domain is similar to the NT4 domain join, except that the <code class="filename">smb.conf</code> file
will have the contents shown in <a class="link" href="idmapper.html#idmapadsdms" title="Example 14.2. ADS Domain Member Server smb.conf">ADS Domain Member Server smb.conf</a>.
</p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606251"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id2606263"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id2606275"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2606287"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606298"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606310"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606322"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606334"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606346"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606358"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2606373"></a>
<a class="indexterm" name="id2606380"></a>
<a class="indexterm" name="id2606387"></a>
<a class="indexterm" name="id2606394"></a>
<a class="indexterm" name="id2606400"></a>
<a class="indexterm" name="id2606407"></a>
<a class="indexterm" name="id2606414"></a>
ADS DMS operation requires use of Kerberos (KRB). For this to work, the <code class="filename">krb5.conf</code> file
must be configured. The exact requirements depend on which version of MIT or Heimdal Kerberos is being
used. It is sound advice to use only the latest versions, which at this time are MIT Kerberos version
1.3.5 and Heimdal 0.61.
</p><p>
The creation of the DMS requires the following steps:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <code class="filename">smb.conf</code> file with the above configuration.
</p></li><li><p>
Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
</p></li><li><p>
Execute:
<a class="indexterm" name="id2606472"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -UAdministrator%password
Joined domain BUTTERNET.
</pre><p>
The success or failure of the join can be confirmed with the following command:
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
Using short domain name -- BUTTERNET
Joined 'GARGOYLE' to realm 'BUTTERNET.BIZ'
</pre><p>
</p><p>
An invalid or failed join can be detected by executing:
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
GARGOYLE$@'s password:
[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: No results returned
Join to domain is not valid
</pre><p>
<a class="indexterm" name="id2606529"></a>
<a class="indexterm" name="id2606536"></a>
<a class="indexterm" name="id2606543"></a>
<a class="indexterm" name="id2606549"></a>
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.
</p></li><li><p>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2606596"></a>IDMAP_RID with Winbind</h3></div></div></div><p>
<a class="indexterm" name="id2606604"></a>
<a class="indexterm" name="id2606610"></a>
<a class="indexterm" name="id2606617"></a>
<a class="indexterm" name="id2606624"></a>
The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a
predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
in a central place.
The downside is that it can be used only within a single ADS domain and
is not compatible with trusted domain implementations.
</p><p>
<a class="indexterm" name="id2606646"></a>
<a class="indexterm" name="id2606653"></a>
<a class="indexterm" name="id2606660"></a>
<a class="indexterm" name="id2606667"></a>
This alternate method of SID to UID/GID mapping is provided by the idmap_rid
plug-in. The plug-in derives the UID and GID from the RID of the user's SID by adding the
RID to the specified base value. This utility requires that the parameter
“<span class="quote">allow trusted domains = No</span>” be specified, as it is not compatible
with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and
<em class="parameter"><code>idmap gid</code></em> ranges must be specified.
</p><p>
<a class="indexterm" name="id2606699"></a>
<a class="indexterm" name="id2606706"></a>
The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory.
To use it with an NT4 domain, do not include the <em class="parameter"><code>realm</code></em> parameter; additionally, the
domain is joined using the <code class="constant">net rpc join</code> process.
</p><p>
An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a class="link" href="idmapper.html#idmapadsridDMS" title="Example 14.3. ADS Domain Member smb.conf using idmap_rid">ADS 
Domain Member smb.conf using idmap_rid</a>.
</p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606774"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2606785"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2606797"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2606809"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2606821"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606832"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606844"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606857"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606868"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606880"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606892"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606904"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606916"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606928"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606940"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2606955"></a>
<a class="indexterm" name="id2606962"></a>
<a class="indexterm" name="id2606969"></a>
<a class="indexterm" name="id2606976"></a>
In a large domain with many users it is imperative to disable enumeration of users and groups.
For example, at a site that has 22,000 users in Active Directory, winbind-based user and
group resolution is unavailable for nearly 12 minutes following the first startup of
<code class="literal">winbind</code>. Disabling enumeration resulted in instantaneous response.
Disabling user and group enumeration means that it will not be possible to list users
or groups using the <code class="literal">getent passwd</code> and <code class="literal">getent group</code>
commands. It will still be possible to look up individual users, as shown in the following procedure.
</p><p>
<a class="indexterm" name="id2607013"></a>
<a class="indexterm" name="id2607020"></a>
The use of this tool requires configuration of NSS as for the native use of winbind. Edit
<code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
</p><pre class="screen">
...
passwd: files winbind
shadow: files winbind
group: files winbind
...
hosts: files wins
...
</pre><p>
</p><p>
The following procedure puts the idmap_rid facility into use:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <code class="filename">smb.conf</code> file with the above configuration.
</p></li><li><p>
Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
</p></li><li><p>
Execute:
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -UAdministrator%password
Using short domain name -- KPAK
Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
</pre><p>
</p><p>
<a class="indexterm" name="id2607099"></a>
An invalid or failed join can be detected by executing:
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
BIGJOE$@'s password:
[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: No results returned
Join to domain is not valid
</pre><p>
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.
</p></li><li><p>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li><li><p>
Validate the operation of this configuration by executing:
<a class="indexterm" name="id2607164"></a>
</p><pre class="screen">
<code class="prompt">root# </code> getent passwd administrator
administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</pre><p>
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607186"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p>
<a class="indexterm" name="id2607194"></a>
<a class="indexterm" name="id2607201"></a>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and
ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any
standards-compliant LDAP server can be used.
It is therefore possible to deploy this IDMAP
configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM,
and so on.
</p><p>
An example for an ADS domain is shown in <a class="link" href="idmapper.html#idmapldapDMS" title="Example 14.4. ADS Domain Member Server using LDAP">ADS Domain Member Server using
LDAP</a>.
</p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607255"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2607266"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2607278"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607290"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2607302"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607314"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2607326"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607338"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2607350"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607362"></a><em class="parameter"><code>idmap backend = 
ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2607374"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607386"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607398"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607409"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2607425"></a>
In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
advanced error-reporting techniques that are documented in <a class="link" href="bugreport.html#dbglvl" title="Debug Levels">Reporting Bugs</a>.
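</p><p>
Before moving on to Kerberos, the idmap_rid arithmetic from the previous section is worked through below, as an added example that is not part of the Samba documentation or code. It assumes the rule stated there (a UNIX ID is the RID added to the base of the configured range, for one domain only); the domain SID and the function names are the example's own.
</p>

```python
"""idmap_rid arithmetic, worked through in Python.

Added example (not Samba's own code).  It follows the rule the text gives:
a UNIX ID is the account's RID added to the base of the configured range, so
with "idmap backend = idmap_rid:KPAK=500-100000000" the Administrator
account (RID 500) becomes UID 1000 and Domain Users (RID 513) becomes
GID 1013, which matches the "getent passwd administrator" output above.
The domain SID below is a constructed sample value.
"""
import re

# Values from Example 14.3; the domain SID itself is constructed.
IDMAP_BACKEND = "idmap_rid:KPAK=500-100000000"
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample

# Domain account SIDs have the form S-1-5-21-<three subauthorities>-<RID>.
_ACCOUNT_SID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


class IdmapError(ValueError):
    """Raised where winbind would report no mapping for a SID or ID."""


def parse_idmap_backend(value):
    """Parse 'idmap_rid:DOMAIN=low-high' into (domain, (low, high))."""
    m = re.fullmatch(r"idmap_rid:(\w+)=(\d+)-(\d+)", value.strip())
    if not m:
        raise IdmapError("not an idmap_rid backend setting: %r" % value)
    low, high = int(m.group(2)), int(m.group(3))
    if low >= high:
        raise IdmapError("range low %d must be below high %d" % (low, high))
    return m.group(1), (low, high)


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID."""
    m = _ACCOUNT_SID.match(sid)
    if not m:
        raise IdmapError("not a domain account SID: %r" % sid)
    return sid[: sid.rfind("-")], int(m.group(1))


def sid_to_id(sid, domain_sid=DOMAIN_SID, backend=IDMAP_BACKEND):
    """Map an account SID to a UID/GID: id = range_low + RID.

    SIDs from any other domain are refused.  This is why the text requires
    'allow trusted domains = No': equal RIDs in two domains would collide.
    """
    _, (low, high) = parse_idmap_backend(backend)
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise IdmapError("SID %s is not in the configured domain" % sid)
    unix_id = low + rid
    if unix_id > high:
        raise IdmapError("RID %d maps outside the range %d-%d" % (rid, low, high))
    return unix_id


def id_to_sid(unix_id, domain_sid=DOMAIN_SID, backend=IDMAP_BACKEND):
    """Reverse mapping: recover the SID for an ID allocated by idmap_rid."""
    _, (low, high) = parse_idmap_backend(backend)
    if not low <= unix_id <= high:
        raise IdmapError("ID %d is outside the range %d-%d" % (unix_id, low, high))
    return "%s-%d" % (domain_sid, unix_id - low)


if __name__ == "__main__":
    for rid in (500, 513, 1103):
        sid = "%s-%d" % (DOMAIN_SID, rid)
        print("%s -> %d" % (sid, sid_to_id(sid)))
    # A SID from a second (trusted) domain is rejected rather than mis-mapped.
    try:
        sid_to_id("S-1-5-21-1-2-3-500")
    except IdmapError as err:
        print("rejected:", err)
```
<p>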
</p><p>
<a class="indexterm" name="id2607459"></a>
<a class="indexterm" name="id2607465"></a>
<a class="indexterm" name="id2607472"></a>
Where MIT Kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code>
file so it has the following contents:
</p><pre class="screen">
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SNOWSHOW.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
</pre><p>
</p><p>
Where Heimdal Kerberos is installed, edit the <code class="filename">/etc/krb5.conf</code>
file so it is either empty (i.e., no contents) or has the following contents:
</p><pre class="screen">
[libdefaults]
 default_realm = SNOWSHOW.COM
 clockskew = 300

[realms]
 SNOWSHOW.COM = {
  kdc = ADSDC.SNOWSHOW.COM
 }

[domain_realm]
 .snowshow.com = SNOWSHOW.COM
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file.
So long as there is an empty file, the Heimdal Kerberos libraries will be usable. There is no
need to specify any settings because Samba, using the Heimdal libraries, can figure them out automatically.
</p></div><p>
Edit the NSS control file <code class="filename">/etc/nsswitch.conf</code> so it has the following entries:
</p><pre class="screen">
...
passwd: files ldap
shadow: files ldap
group: files ldap
...
hosts: files wins
...
</pre><p>
</p><p>
<a class="indexterm" name="id2607556"></a>
<a class="indexterm" name="id2607563"></a>
You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has
the information needed. The following is an example of a working file:
</p><pre class="screen">
host 192.168.2.1
base dc=snowshow,dc=com
binddn cn=Manager,dc=snowshow,dc=com
bindpw not24get

pam_password exop

nss_base_passwd ou=People,dc=snowshow,dc=com?one
nss_base_shadow ou=People,dc=snowshow,dc=com?one
nss_base_group ou=Groups,dc=snowshow,dc=com?one
ssl no
</pre><p>
Note that <code class="filename">/etc/ldap.conf</code> must be readable by every process that performs NSS lookups,
so the password of any bind DN placed in it is effectively exposed to all local users; a dedicated account with
only the read access nss_ldap needs is preferable to the directory manager's credentials.
</p><p>
The following procedure may be followed to effect a working configuration:
</p><div class="procedure"><ol type="1"><li><p>
Configure the <code class="filename">smb.conf</code> file as shown above.
</p></li><li><p>
Create the <code class="filename">/etc/krb5.conf</code> file as shown above.
</p></li><li><p>
Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
</p></li><li><p>
Download, build, and install the PADL nss_ldap tool set. Configure the
<code class="filename">/etc/ldap.conf</code> file as shown above.
</p></li><li><p>
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP,
shown in the following LDIF file:
</p><pre class="screen">
dn: dc=snowshow,dc=com
objectClass: dcObject
objectClass: organization
dc: snowshow
o: The Greatest Snow Show in Singapore.
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=snowshow,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=snowshow,dc=com
objectClass: organizationalUnit
ou: idmap
</pre><p>
</p></li><li><p>
Execute the command to join the Samba DMS to the ADS domain as shown here:
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -UAdministrator%password
Using short domain name -- SNOWSHOW
Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</pre><p>
</p></li><li><p>
Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows:
</p><pre class="screen">
<code class="prompt">root# </code> smbpasswd -w not24get
</pre><p>
</p></li><li><p>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li></ol></div><p>
<a class="indexterm" name="id2607758"></a>
Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
In many cases a failure is indicated by a silent return to the command prompt with no indication of the
reason for failure.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607771"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h3></div></div></div><p>
<a class="indexterm" name="id2607780"></a>
<a class="indexterm" name="id2607787"></a>
The use of this method is messy. The information provided in the following is for guidance only
and is very definitely not complete. This method does work; it is used in a number of large sites
and has an acceptable level of performance.
</p><p>
An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="idmapper.html#idmaprfc2307" title="Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Data via NSS">ADS Domain Member Server using
RFC2307bis Schema Extension Data via NSS</a>.
</p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Data via NSS</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607846"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id2607858"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607870"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607881"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607893"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607905"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607917"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id2607928"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607941"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607953"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2607968"></a>
The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
following:
</p><pre class="screen">
./configure --enable-rfc2307bis --enable-schema-mapping
make install
</pre><p>
</p><p>
<a class="indexterm" name="id2607988"></a>
The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
</p><pre class="screen">
...
passwd: files ldap
shadow: files ldap
group: files ldap
...
hosts: files wins
...
</pre><p>
</p><p>
<a class="indexterm" name="id2608013"></a>
<a class="indexterm" name="id2608020"></a>
The <code class="filename">/etc/ldap.conf</code> file must also be configured. Refer to the PADL documentation
and source code for nss_ldap for specific instructions.
</p><p>
The next step involves preparation of the ADS schema. This is briefly discussed in the remaining
part of this chapter.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2608041"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h4></div></div></div><p>
<a class="indexterm" name="id2608050"></a>
Microsoft Windows Services for UNIX (SFU) version 3.5 is available for free
<a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
from the Microsoft Web site. You will need to download this tool and install it following
Microsoft's instructions.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2608069"></a>IDMAP, Active Directory and AD4UNIX</h4></div></div></div><p>
Instructions for obtaining and installing the AD4UNIX tool set can be found on the
<a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
Geekcomix</a> Web site.
</p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2604373" href="#id2604373" class="para">4</a>] </sup>Samba local account mode results in both
<code class="literal">DOMINICUS\FJones</code> and <code class="literal">FRANCISCUS\FJones</code> mapping to the UNIX user
<code class="literal">FJones</code>.</p></div></div></div></body></html>