<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter&nbsp;12.&nbsp;Identity Mapping (IDMAP)</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part&nbsp;III.&nbsp;Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter&nbsp;11.&nbsp;Group Mapping MS Windows and UNIX"><link rel="next" href="rights.html" title="Chapter&nbsp;13.&nbsp;User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter&nbsp;12.&nbsp;Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;III.&nbsp;Advanced Configuration</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter&nbsp;12.&nbsp;Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id2558363">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2558389">Stand-Alone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2558444">Domain Member Server or Domain Member
Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2559025">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2559160">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id2559191">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2559247">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2559669">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2560055">IDMAP Storage in LDAP using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2560425">IDMAP and NSS Using LDAP From ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p>
<a class="indexterm" name="id2558252"></a>
<a class="indexterm" name="id2558258"></a>
<a class="indexterm" name="id2558265"></a>
<a class="indexterm" name="id2558272"></a>
<a class="indexterm" name="id2558281"></a>
<a class="indexterm" name="id2558288"></a>
<a class="indexterm" name="id2558294"></a>
The Microsoft Windows operating system has a number of features that impose specific challenges
to interoperability with the operating systems on which Samba is implemented. This chapter deals
explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the
key challenges in the integration of Samba servers into an MS Windows networking environment:
the Identity Mapping (IDMAP) of Windows Security Identifiers (SIDs) to UNIX UIDs and GIDs.
</p><p>
To ensure sufficient coverage, each possible Samba deployment type will be discussed.
This is followed by an overview of how the IDMAP facility may be implemented.
</p><p>
<a class="indexterm" name="id2558319"></a>
The IDMAP facility is usually of concern where more than one Samba server (or Samba network client)
is installed in the one domain.
Where there is a single Samba server, do not be too concerned about
the IDMAP infrastructure: the default behavior of Samba is nearly always sufficient.
</p><p>
<a class="indexterm" name="id2558334"></a>
The use of IDMAP is important where the Samba server will be accessed by workstations or servers from
more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping)
of foreign SIDs to local UNIX UIDs and GIDs.
</p><p>
<a class="indexterm" name="id2558348"></a>
The use of the IDMAP facility requires that <span><b class="command">winbindd</b></span> be started when Samba starts.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2558363"></a>Samba Server Deployment Types and IDMAP</h2></div></div></div><p>
<a class="indexterm" name="id2558372"></a>
There are four (4) basic server deployment types, as documented in <a href="ServerType.html" title="Chapter&nbsp;3.&nbsp;Server Types and Security Modes">the chapter
on Server Types and Security Modes</a>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2558389"></a>Stand-Alone Samba Server</h3></div></div></div><p>
<a class="indexterm" name="id2558397"></a>
<a class="indexterm" name="id2558403"></a>
<a class="indexterm" name="id2558410"></a>
A stand-alone Samba server is an implementation that is not a member of a Windows NT4 Domain,
a Windows 200X Active Directory Domain, or a Samba Domain.
</p><p>
<a class="indexterm" name="id2558423"></a>
<a class="indexterm" name="id2558430"></a>
By definition, this means that users and groups will be created and controlled locally and
the identity of a network user must match a local UNIX/Linux user login. In this case
winbind will not be necessary, and the IDMAP facility will be of little or no interest.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2558444"></a>Domain Member Server or Domain Member Client</h3></div></div></div><p>
<a class="indexterm" name="id2558453"></a>
<a class="indexterm" name="id2558459"></a>
<a class="indexterm" name="id2558466"></a>
<a class="indexterm" name="id2558472"></a>
<a class="indexterm" name="id2558479"></a>
Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that
are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with
all versions of Microsoft Windows products. Windows NT4, like Microsoft Active Directory,
makes extensive use of Windows security identifiers (SIDs).
</p><p>
<a class="indexterm" name="id2558495"></a>
<a class="indexterm" name="id2558502"></a>
<a class="indexterm" name="id2558508"></a>
Samba-3 Domain Member servers and clients must interact correctly with MS Windows SIDs. Incoming
Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba
server must supply appropriate SIDs to MS Windows clients and servers.
</p><p>
<a class="indexterm" name="id2558523"></a>
<a class="indexterm" name="id2558529"></a>
A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
identity mapping in a variety of ways. The mechanism it will use depends on whether or not
the <span><b class="command">winbindd</b></span> daemon is used, and how the winbind functionality is configured.
The configuration options are briefly described here:
</p><div class="variablelist"><dl><dt><span class="term">Winbind is not used, users and groups are local: </span></dt><dd><p>
Where <span><b class="command">winbindd</b></span> is not used, Samba (<span><b class="command">smbd</b></span>)
uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming
network traffic. This is done using the LoginID (account name) in the
session setup request and passing it to the getpwnam() system function call.
This call is implemented using the name service switch (NSS) mechanism on
modern UNIX/Linux systems. By saying “<span class="quote"><span class="emphasis"><em>users and groups are local</em></span></span>”
we are implying that they are stored only on the local system, in
<tt class="filename">/etc/passwd</tt> and <tt class="filename">/etc/group</tt> respectively.
</p><p>
For example, if an incoming SessionSetupAndX request is owned by the user
<tt class="constant">BERYLIUM\WambatW</tt>, a system call will be made to look up
the user <tt class="constant">WambatW</tt> in the <tt class="filename">/etc/passwd</tt>
file.
</p><p>
This configuration may be used with stand-alone Samba servers, Domain Member
servers (NT4 or ADS), and may be used for a PDC that uses either an smbpasswd
or a tdbsam based Samba passdb backend.
</p></dd><dt><span class="term">Winbind is not used, users and groups resolved via NSS: </span></dt><dd><p>
In this situation user and group accounts are treated as if they are local
accounts; the only way in which this differs from having local accounts is
that the accounts are stored in a repository that can be shared. In practice
this means that they will reside in either a NIS-type database or else in LDAP.
</p><p>
This configuration may be used with stand-alone Samba servers, Domain Member
servers (NT4 or ADS), and may be used for a PDC that uses either an smbpasswd
or a tdbsam based Samba passdb backend.
</p></dd><dt><span class="term">Winbind/NSS with the default local IDMAP table: </span></dt><dd><p>
There are many sites that require only a simple Samba server, or a single Samba
server that is a member of a Windows NT4 Domain or an ADS Domain. A typical example
is an appliance-like file server on which no local accounts are configured and
winbind is used to obtain account credentials from the domain controllers for the
domain. Domain control can be provided by Samba-3, MS Windows NT4 or MS Windows
Active Directory.
</p><p>
Winbind is a great convenience in this situation. All that is needed is a range of
UID numbers and GID numbers that can be defined in the <tt class="filename">smb.conf</tt> file; the
<tt class="filename">/etc/nsswitch.conf</tt> file is configured to use <span><b class="command">winbind</b></span>,
which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs.
The SIDs are allocated a UID/GID in the order in which winbind receives them.
</p><p>
This configuration is not convenient or practical in sites that have more than one
Samba server and that require the same UID or GID for the same user or group across
all servers. One hazard of this method is that if the winbind IDMAP file becomes
corrupted or lost, the repaired or rebuilt IDMAP file may allocate UIDs and GIDs to
different users and groups than before, with the result that MS Windows files
stored on the Samba server may no longer belong to their rightful owner.
</p></dd><dt><span class="term">Winbind/NSS uses RID based IDMAP: </span></dt><dd><p>
<a class="indexterm" name="id2558731"></a>
<a class="indexterm" name="id2558738"></a>
<a class="indexterm" name="id2558744"></a>
<a class="indexterm" name="id2558751"></a>
The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier
for a number of sites that are committed to the use of MS ADS, who do not want to apply
an ADS schema extension, and who do not wish to install an LDAP directory server just for
the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of
domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the
IDMAP table problem, then IDMAP_RID is an obvious choice.
</p><p>
<a class="indexterm" name="id2558770"></a>
<a class="indexterm" name="id2558777"></a>
<a class="indexterm" name="id2558783"></a>
<a class="indexterm" name="id2558790"></a>
<a class="indexterm" name="id2558797"></a>
<a class="indexterm" name="id2558803"></a>
<a class="indexterm" name="id2558810"></a>
This facility requires the allocation of the <i class="parameter"><tt>idmap uid</tt></i> and the
<i class="parameter"><tt>idmap gid</tt></i> ranges, and within the <i class="parameter"><tt>idmap uid</tt></i> range
it is possible to allocate a sub-set for automatic mapping of the relative
identifier (RID) portion of the SID directly to a UID: the base of the sub-range plus the RID value.
For example, if the <i class="parameter"><tt>idmap uid</tt></i> range is <tt class="constant">1000-100000000</tt>
and <i class="parameter"><tt>idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000</tt></i>, and
a SID is encountered that has the value <tt class="constant">S-1-5-21-34567898-12529001-32973135-1234</tt>,
the resulting UID will be <tt class="constant">1000 + 1234 = 2234</tt>.
</p></dd><dt><span class="term">Winbind with an NSS/LDAP backend based IDMAP facility: </span></dt><dd><p>
<a class="indexterm" name="id2558881"></a>
In this configuration <span><b class="command">winbind</b></span> resolves SIDs to UIDs and GIDs from
the <i class="parameter"><tt>idmap uid</tt></i> and <i class="parameter"><tt>idmap gid</tt></i> ranges specified
in the <tt class="filename">smb.conf</tt> file, but instead of using a local winbind IDMAP table the mapping is stored
in an LDAP directory so that all Domain Member machines (clients and servers) can share
a common IDMAP table.
</p><p>
<a class="indexterm" name="id2558919"></a>
It is important that all LDAP IDMAP clients use only the master LDAP server, because the
<i class="parameter"><tt>idmap backend</tt></i> facility in the <tt class="filename">smb.conf</tt> file does not correctly
handle LDAP redirects.
</p></dd><dt><span class="term">Winbind with NSS to resolve UNIX/Linux user and group IDs: </span></dt><dd><p>
The use of LDAP as the passdb backend is a smart solution for PDCs, BDCs, and
Domain Member servers. It is a neat method for assuring that UIDs, GIDs, and the matching
SIDs will be consistent across all servers.
</p><p>
<a class="indexterm" name="id2558964"></a>
<a class="indexterm" name="id2558970"></a>
The use of the LDAP based passdb backend requires use of the PADL nss_ldap utility, or
an equivalent. In this situation winbind is used to handle foreign SIDs, i.e., SIDs from
stand-alone Windows clients (not members of our domain) as well as SIDs from
another domain. The foreign UID/GID is mapped from the allocated ranges (idmap uid and idmap gid)
in precisely the same manner as when using winbind with a local IDMAP table.
</p><p>
<a class="indexterm" name="id2558988"></a>
<a class="indexterm" name="id2558995"></a>
<a class="indexterm" name="id2559002"></a>
The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active
Directory. In order to use Active Directory it is necessary to modify the ADS schema by
installing either the AD4UNIX schema extension or else use Microsoft Services for UNIX
version 3.5 or later to extend the ADS schema so it maintains UNIX account credentials.
Where the ADS schema is extended, a Microsoft Management Console (MMC) snap-in is also
installed to permit the UNIX credentials to be set and managed from the ADS User and Computer
management tool. Each account must be separately UNIX-enabled before the UID and GID data can
be used by Samba.
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2559025"></a>Primary Domain Controller</h3></div></div></div><p>
<a class="indexterm" name="id2559033"></a>
<a class="indexterm" name="id2559040"></a>
<a class="indexterm" name="id2559047"></a>
<a class="indexterm" name="id2559053"></a>
Microsoft Windows domain security systems generate the user and group security identifier (SID) as part
of the process of creating an account. Windows does not have a concept of the UNIX UID or GID; rather,
it has its own type of security descriptor. When Samba is used as a Domain Controller, it provides a method
of producing a unique SID for each user and group. Samba generates a machine and a domain SID, to which it
adds a relative identifier (RID) that is calculated algorithmically from a base value that can be specified
in the <tt class="filename">smb.conf</tt> file, plus twice (2X) the UID or GID. This method is called “<span class="quote"><span class="emphasis"><em>algorithmic mapping</em></span></span>”.
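The arithmetic behind both the idmap_rid mapping described under the Domain Member options above and the algorithmic mapping of this section, as an added worked example in Python (not code from the Samba HOWTO or from Samba itself). RidMapper, parse_sid and the other names are my own; the +1 that distinguishes group RIDs from user RIDs is Samba's own convention and goes beyond what the chapter text states.

```python
# Added worked example (not from the Samba HOWTO): SID/RID arithmetic for
# idmap_rid on a domain member and for algorithmic mapping on a Samba PDC.
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-RID' into (domain SID, RID).

    Requires at least one sub-authority before the RID and rejects anything
    that is not purely numeric, so a malformed SID never yields a UID.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a well-formed domain SID: {sid!r}")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"non-numeric component in SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse a 'low-high' range as written for 'idmap uid' / 'idmap gid'."""
    low, high = (int(x) for x in spec.split("-", 1))
    if low > high:
        raise ValueError(f"inverted range: {spec!r}")
    return low, high


@dataclass(frozen=True)
class RidMapper:
    """Models 'idmap backend = idmap_rid:DOMAIN=low-high' plus the 'idmap uid' range.

    UID = low + RID for SIDs of the configured domain; any other SID is unmapped,
    which is why the text requires 'allow trusted domains = No' with idmap_rid.
    """
    domain_sid: str              # e.g. S-1-5-21-34567898-12529001-32973135 (from the text)
    rid_range: Tuple[int, int]   # sub-range given after the domain name
    idmap_uid: Tuple[int, int]   # the global 'idmap uid' range

    def __post_init__(self) -> None:
        (lo, hi), (ulo, uhi) = self.rid_range, self.idmap_uid
        if lo < ulo or hi > uhi:
            raise ValueError("idmap_rid sub-range must lie inside the idmap uid range")

    def sid_to_uid(self, sid: str) -> Optional[int]:
        """Return the UID for a SID of this domain, or None if it cannot be mapped."""
        domain, rid = parse_sid(sid)
        if domain != self.domain_sid:
            return None            # foreign domain: idmap_rid has no answer
        uid = self.rid_range[0] + rid
        if uid > self.rid_range[1]:
            return None            # RID too large for the allocated sub-range
        return uid

    def uid_to_sid(self, uid: int) -> Optional[str]:
        """Inverse mapping; it is predictable, so no IDMAP table is needed."""
        lo, hi = self.rid_range
        if not lo <= uid <= hi:
            return None
        return f"{self.domain_sid}-{uid - lo}"


def algorithmic_rid(unix_id: int, rid_base: int = 1000, group: bool = False) -> int:
    """PDC 'algorithmic mapping': RID = base + 2 * ID (page example: UID 4321 -> 9642).

    The +1 for groups is Samba's convention (user RIDs even, group RIDs odd relative
    to the base); the chapter text itself mentions only the 2x factor.
    """
    if unix_id < 0 or rid_base < 0:
        raise ValueError("IDs and base must be non-negative")
    return rid_base + 2 * unix_id + (1 if group else 0)


def algorithmic_sid(domain_sid: str, unix_id: int, rid_base: int = 1000,
                    group: bool = False) -> str:
    """Append the algorithmically generated RID to the domain SID."""
    return f"{domain_sid}-{algorithmic_rid(unix_id, rid_base, group)}"


def unix_id_from_algorithmic_rid(rid: int, rid_base: int = 1000) -> Optional[Tuple[int, bool]]:
    """Invert algorithmic mapping into (ID, is_group), or None when the RID lies
    below the base (well-known RIDs such as 500 are never algorithmic)."""
    if rid < rid_base:
        return None
    offset = rid - rid_base
    return offset // 2, bool(offset % 2)


if __name__ == "__main__":
    # Constructed demo using the values quoted in the chapter.
    m = RidMapper("S-1-5-21-34567898-12529001-32973135",
                  parse_range("1000-50000000"), parse_range("1000-100000000"))
    print(m.sid_to_uid("S-1-5-21-34567898-12529001-32973135-1234"))          # 2234
    print(algorithmic_sid("S-1-5-21-89238497-92787123-12341112", 4321))    # ...-9642
```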
</p><p>
<a class="indexterm" name="id2559084"></a>
For example, if a user has a UID of 4321 and the algorithmic RID base has a value of 1000, the RID will
be <tt class="constant">1000 + (2 x 4321) = 9642</tt>. Thus, if the domain SID is
<tt class="constant">S-1-5-21-89238497-92787123-12341112</tt>, the resulting SID is
<tt class="constant">S-1-5-21-89238497-92787123-12341112-9642</tt>.
</p><p>
<a class="indexterm" name="id2559109"></a>
This type of SID is produced automatically by Samba, either on the fly
(as is the case when using <i class="parameter"><tt>passdb backend = [tdbsam | smbpasswd]</tt></i>) or stored
as a permanent part of an account in an LDAP based ldapsam.
</p><p>
<a class="indexterm" name="id2559129"></a>
MS Active Directory Server (ADS) uses a directory schema that can be extended to accommodate additional
account attributes such as UIDs and GIDs. The installation of Microsoft Services for UNIX 3.5 will expand
the normal ADS schema to include UNIX account attributes. These must of course be managed separately
through a snap-in module to the normal ADS account management MMC interface.
</p><p>
<a class="indexterm" name="id2559146"></a>
Security identifiers used within a domain must be managed to avoid conflict and to preserve integrity.
In an NT4 domain context the PDC manages the distribution of all security credentials to the backup
domain controllers. At this time the only passdb backend for a Samba domain controller that is suitable
for such information is an LDAP backend.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2559160"></a>Backup Domain Controller</h3></div></div></div><p>
<a class="indexterm" name="id2559168"></a>
Backup Domain Controllers (BDCs) have read-only access to security credentials that are stored in LDAP.
Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
changes to the directory.
</p><p>
IDMAP information can, however, be written directly to the LDAP server so long as all domain controllers
have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects
in the IDMAP backend. This means that it is unsafe to use a slave (replica) LDAP server with
the IDMAP facility.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2559191"></a>Examples of IDMAP Backend Usage</h2></div></div></div><p>
<a class="indexterm" name="id2559199"></a>
<a class="indexterm" name="id2559208"></a>
<a class="indexterm" name="id2559218"></a>
<a class="indexterm" name="id2559224"></a>
Anyone who wishes to use <span><b class="command">winbind</b></span> will find the following example configurations helpful.
Remember that in the majority of cases <span><b class="command">winbind</b></span> is of primary interest for use with
Domain Member Servers (DMSs) and Domain Member Clients (DMCs).
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2559247"></a>Default Winbind TDB</h3></div></div></div><p>
Two common configurations are used:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Networks that have an NT4 PDC (with or without BDCs) or a Samba PDC (with or without BDCs).
</p></li><li><p>
Networks that use MS Windows 200X ADS.
</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2559272"></a>NT4 Style Domains (includes Samba Domains)</h4></div></div></div><p>
The following is a simple example of an NT4 DMS <tt class="filename">smb.conf</tt> file that shows only the global section.
</p><pre class="screen">
# Global parameters
[global]
	workgroup = MEGANET2
	security = DOMAIN
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template primary group = "Domain Users"
	template shell = /bin/bash
</pre><p>
<a class="indexterm" name="id2559300"></a>
<a class="indexterm" name="id2559307"></a>
The use of <span><b class="command">winbind</b></span> requires configuration of NSS. Edit the <tt class="filename">/etc/nsswitch.conf</tt>
so it includes the following entries:
</p><pre class="screen">
...
passwd: files winbind
shadow: files winbind
group:  files winbind
...
hosts:  files wins
...
</pre><p>
The creation of the DMS requires the following steps:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <tt class="filename">smb.conf</tt> file with the above configuration.
</p></li><li><p>
Execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> net rpc join -UAdministrator%password
Joined domain MEGANET2.
</pre><p>
<a class="indexterm" name="id2559374"></a>
The success or failure of the join can be confirmed with the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> net rpc testjoin
Join to 'MIDEARTH' is OK
</pre><p>
A failed join would report an error message like the following:
<a class="indexterm" name="id2559396"></a>
</p><pre class="screen">
<tt class="prompt">root# </tt> net rpc testjoin
[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
Join to domain 'MEGANET2' is not valid
</pre><p>
</p></li><li><p>
Start the <span><b class="command">nmbd, winbind,</b></span> and <span><b class="command">smbd</b></span> daemons in the order shown.
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2559439"></a>ADS Domains</h4></div></div></div><p>
<a class="indexterm" name="id2559447"></a>
The procedure for joining an ADS domain is similar to the NT4 domain join, except that the <tt class="filename">smb.conf</tt> file
will have the following contents:
</p><pre class="screen">
# Global parameters
[global]
	workgroup = BUTTERNET
	netbios name = GARGOYLE
	realm = BUTTERNET.BIZ
	security = ADS
	template shell = /bin/bash
	idmap uid = 500-10000000
	idmap gid = 500-10000000
	winbind use default domain = Yes
	winbind nested groups = Yes
	printer admin = "BUTTERNET\Domain Admins"
</pre><p>
<a class="indexterm" name="id2559477"></a>
<a class="indexterm" name="id2559484"></a>
<a class="indexterm" name="id2559490"></a>
<a class="indexterm" name="id2559497"></a>
<a class="indexterm" name="id2559504"></a>
<a class="indexterm" name="id2559511"></a>
<a class="indexterm" name="id2559518"></a>
ADS DMS operation requires use of Kerberos (KRB). For this to work the <tt class="filename">krb5.conf</tt>
must be configured. The exact requirements depend on which version of MIT or Heimdal Kerberos is being
used. It is sound advice to use only the latest version, which at this time are MIT Kerberos version
1.3.5 and Heimdal 0.61.
</p><p>
The creation of the DMS requires the following steps:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <tt class="filename">smb.conf</tt> file with the above configuration.
</p></li><li><p>
Edit the <tt class="filename">/etc/nsswitch.conf</tt> file as shown above.
</p></li><li><p>
Execute:
<a class="indexterm" name="id2559576"></a>
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads join -UAdministrator%password
Joined domain BUTTERNET.
</pre><p>
The success or failure of the join can be confirmed with the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads testjoin
Using short domain name -- BUTTERNET
Joined 'GARGOYLE' to realm 'BUTTERNET.BIZ'
</pre><p>
An invalid or failed join can be detected by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads testjoin
GARGOYLE$@'s password:
[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: No results returned
Join to domain is not valid
</pre><p>
<a class="indexterm" name="id2559629"></a>
The specific error message may differ from the above as it depends on the type of failure that
may have occurred. Increase the <i class="parameter"><tt>log level</tt></i> to 10, repeat the above test,
and then examine the log files produced to identify the nature of the failure.
</p></li><li><p>
Start the <span><b class="command">nmbd, winbind,</b></span> and <span><b class="command">smbd</b></span> daemons in the order shown.
</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2559669"></a>IDMAP_RID with Winbind</h3></div></div></div><p>
<a class="indexterm" name="id2559677"></a>
<a class="indexterm" name="id2559684"></a>
<a class="indexterm" name="id2559691"></a>
<a class="indexterm" name="id2559697"></a>
The <span><b class="command">idmap_rid</b></span> facility is a new tool that, unlike native winbind, creates a
predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
in a central place. The down-side is that it can be used only within a single ADS Domain and
is not compatible with trusted domain implementations.
</p><p>
<a class="indexterm" name="id2559720"></a>
<a class="indexterm" name="id2559727"></a>
<a class="indexterm" name="id2559734"></a>
<a class="indexterm" name="id2559741"></a>
This alternate method of SID to UID/GID mapping is achieved using the idmap_rid
plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
RID to a specified base value. This utility requires that the parameter
“<span class="quote"><span class="emphasis"><em>allow trusted domains = No</em></span></span>” be specified, as it is not compatible
with multiple domain environments. The <i class="parameter"><tt>idmap uid</tt></i> and
<i class="parameter"><tt>idmap gid</tt></i> ranges must be specified.
</p><p>
<a class="indexterm" name="id2559774"></a>
<a class="indexterm" name="id2559781"></a>
The idmap_rid facility can be used both for NT4/Samba style domains as well as with Active Directory.
To use this with an NT4 Domain the <i class="parameter"><tt>realm</tt></i> parameter is not used; additionally, the
domain is joined using the <tt class="constant">net rpc join</tt> process.
</p><p>
An example <tt class="filename">smb.conf</tt> file for an ADS domain environment is shown here:
</p><pre class="screen">
# Global parameters
[global]
	workgroup = KPAK
	netbios name = BIGJOE
	realm = CORP.KPAK.COM
	server string = Office Server
	security = ADS
	allow trusted domains = No
	idmap backend = idmap_rid:KPAK=500-100000000
	idmap uid = 500-100000000
	idmap gid = 500-100000000
	template shell = /bin/bash
	winbind use default domain = Yes
	winbind enum users = No
	winbind enum groups = No
	winbind nested groups = Yes
	printer admin = "Domain Admins"
</pre><p>
<a class="indexterm" name="id2559830"></a>
<a class="indexterm" name="id2559837"></a>
<a class="indexterm" name="id2559844"></a>
<a class="indexterm" name="id2559850"></a>
In a large domain with many users it is imperative to disable enumeration of users and groups.
For example, at a site that has 22,000 users in Active Directory the winbind based user and
group resolution was unavailable for nearly 12 minutes following first start-up of
<span><b class="command">winbind</b></span>. Disabling such enumeration resulted in instantaneous response.
Disabling user and group enumeration means that it will not be possible to list users
or groups using the <span><b class="command">getent passwd</b></span> and <span><b class="command">getent group</b></span>
commands. It will still be possible to look up individual users, as shown in the procedure
below.
</p><p>
<a class="indexterm" name="id2559888"></a>
<a class="indexterm" name="id2559895"></a>
The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
<tt class="filename">/etc/nsswitch.conf</tt> so it has the following parameters:
</p><pre class="screen">
...
passwd: files winbind
shadow: files winbind
group:  files winbind
...
hosts:  files wins
...
</pre><p>
The following procedure can be used to utilize the idmap_rid facility:
</p><div class="procedure"><ol type="1"><li><p>
Create or install an <tt class="filename">smb.conf</tt> file with the above configuration.
</p></li><li><p>
Edit the <tt class="filename">/etc/nsswitch.conf</tt> file as shown above.
</p></li><li><p>
Execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads join -UAdministrator%password
Using short domain name -- KPAK
Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
</pre><p>
<a class="indexterm" name="id2559974"></a>
An invalid or failed join can be detected by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads testjoin
BIGJOE$@'s password:
[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: No results returned
Join to domain is not valid
</pre><p>
The specific error message may differ from the above as it depends on the type of failure that
may have occurred. Increase the <i class="parameter"><tt>log level</tt></i> to 10, repeat the above test,
and then examine the log files produced to identify the nature of the failure.
</p></li><li><p>
Start the <span><b class="command">nmbd, winbind,</b></span> and <span><b class="command">smbd</b></span> daemons in the order shown.
</p></li><li><p>
Validate the operation of this configuration by executing:
<a class="indexterm" name="id2560034"></a>
</p><pre class="screen">
<tt class="prompt">root# </tt> getent passwd administrator
administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</pre><p>
The UID of 1000 is the base of the idmap_rid range (500) plus the well-known RID of the
Administrator account (500), exactly as the idmap_rid arithmetic predicts.
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2560055"></a>IDMAP Storage in LDAP using Winbind</h3></div></div></div><p>
<a class="indexterm" name="id2560064"></a>
<a class="indexterm" name="id2560070"></a>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3 style domains as well as
with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant
LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
</p><p>
The following example is for an ADS style domain:
</p><pre class="screen">
# Global parameters
[global]
	workgroup = SNOWSHOW
	netbios name = GOODELF
	realm = SNOWSHOW.COM
	server string = Samba Server
	security = ADS
	log level = 1 ads:10 auth:10 sam:10 rpc:10
	ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
	ldap idmap suffix = ou=Idmap
	ldap suffix = dc=SNOWSHOW,dc=COM
	idmap backend = ldap:ldap://ldap.snowshow.com
	idmap uid = 150000-550000
	idmap gid = 150000-550000
	template shell = /bin/bash
	winbind use default domain = Yes
</pre><p>
<a class="indexterm" name="id2560109"></a>
In the case of an NT4 or Samba-3 style Domain the <i class="parameter"><tt>realm</tt></i> is not used and the
command used to join the domain is <span><b class="command">net rpc join</b></span>.
The above example also demonstrates
advanced error reporting techniques that are documented in <a href="bugreport.html#dbglvl" title="Debug Levels">the chapter called
Reporting Bugs</a>.
</p><p>
<a class="indexterm" name="id2560143"></a>
<a class="indexterm" name="id2560150"></a>
<a class="indexterm" name="id2560157"></a>
Where MIT Kerberos is installed (version 1.3.4 or later), edit the <tt class="filename">/etc/krb5.conf</tt>
file so it has the following contents:
</p><pre class="screen">
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SNOWSHOW.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
</pre><p>
</p><p>
Where Heimdal Kerberos is installed, edit the <tt class="filename">/etc/krb5.conf</tt>
file so it is either empty (i.e., no contents) or has the following contents:
</p><pre class="screen">
[libdefaults]
	default_realm = SNOWSHOW.COM
	clockskew = 300

[realms]
	SNOWSHOW.COM = {
		kdc = ADSDC.SNOWSHOW.COM
	}

[domain_realm]
	.snowshow.com = SNOWSHOW.COM
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Samba cannot use the Heimdal libraries if there is no <tt class="filename">/etc/krb5.conf</tt> file.
So long as there is an empty file, the Heimdal Kerberos libraries will be usable. There is no
need to specify any settings, as Samba using the Heimdal libraries can figure this out automatically.
</p></div><p>
Edit the NSS control file <tt class="filename">/etc/nsswitch.conf</tt> so it has the following entries:
</p><pre class="screen">
...
passwd: files ldap
shadow: files ldap
group:  files ldap
...
hosts: files wins
...
</pre><p>
</p><p>
<a class="indexterm" name="id2560240"></a>
<a class="indexterm" name="id2560247"></a>
You will need the <a href="http://www.padl.com" target="_top">PADL</a> <span><b class="command">nss_ldap</b></span>
tool set for this solution. Configure the <tt class="filename">/etc/ldap.conf</tt> file so it has
the information needed. The following is an example of a working file:
</p><pre class="screen">
host 192.168.2.1
base dc=snowshow,dc=com
binddn cn=Manager,dc=snowshow,dc=com
bindpw not24get

pam_password exop

nss_base_passwd ou=People,dc=snowshow,dc=com?one
nss_base_shadow ou=People,dc=snowshow,dc=com?one
nss_base_group  ou=Groups,dc=snowshow,dc=com?one
ssl no
</pre><p>
</p><p>
The following procedure may be followed to effect a working configuration:
</p><div class="procedure"><ol type="1"><li><p>
Configure the <tt class="filename">smb.conf</tt> file as shown above.
</p></li><li><p>
Create the <tt class="filename">/etc/krb5.conf</tt> file following the indications above.
</p></li><li><p>
Configure the <tt class="filename">/etc/nsswitch.conf</tt> file as shown above.
</p></li><li><p>
Download, build, and install the PADL nss_ldap tool set. Configure the
<tt class="filename">/etc/ldap.conf</tt> file as shown above.
</p></li><li><p>
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP,
as shown in the following LDIF file:
</p><pre class="screen">
dn: dc=snowshow,dc=com
objectClass: dcObject
objectClass: organization
dc: snowshow
o: The Greatest Snow Show in Singapore.
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=snowshow,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=snowshow,dc=com
objectClass: organizationalUnit
ou: idmap
</pre><p>
</p></li><li><p>
Execute the command to join the Samba Domain Member Server to the ADS domain as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads join -UAdministrator%password
Using short domain name -- SNOWSHOW
Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</pre><p>
</p></li><li><p>
Start the <span><b class="command">nmbd, winbind,</b></span> and <span><b class="command">smbd</b></span> daemons in the order shown.
</p></li></ol></div><p>
<a class="indexterm" name="id2560412"></a>
Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
In many cases a failure is indicated by a silent return to the command prompt with no indication of the
reason for failure.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2560425"></a>IDMAP and NSS Using LDAP From ADS with RFC2307bis Schema Extension</h3></div></div></div><p>
<a class="indexterm" name="id2560434"></a>
<a class="indexterm" name="id2560441"></a>
The use of this method is messy. The information provided in the following is for guidance only
and is very definitely not complete. This method does work; it is used in a number of large sites
and has an acceptable level of performance.
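Both LDAP-backed configurations in this chapter rely on an "idmap uid" range and on a PADL ldap.conf holding a clear-text bindpw, so two checks are worth running before the daemons are started. This is an added shell example, not part of the Samba HOWTO: the smb.conf, passwd and ldap.conf contents are constructed samples written to a temporary directory, the svcbackup account and all paths are hypothetical, and "ssl start_tls" is assumed to be the nss_ldap setting that enables TLS.

```shell
# Added example, not part of the Samba HOWTO: sanity checks for the IDMAP-over-LDAP
# setup described above. The smb.conf, passwd and ldap.conf contents are constructed
# samples written to a temporary directory; the svcbackup account and paths are hypothetical.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smb.conf" <<'EOF'
[global]
	idmap backend = ldap:ldap://ldap.snowshow.com
	idmap uid = 150000-550000
	idmap gid = 150000-550000
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svcbackup:x:150200:150200:Backup service:/var/backup:/sbin/nologin
EOF
cat > "$tmp/ldap.conf" <<'EOF'
host 192.168.2.1
binddn cn=Manager,dc=snowshow,dc=com
bindpw not24get
ssl no
EOF
chmod 644 "$tmp/ldap.conf"

# A local account whose UID falls inside "idmap uid" would collide with the UID
# winbind allocates for a domain SID. Prints each collision; returns 0 if clean,
# 1 on collision, 2 if the smb.conf ($1) has no range. $2 is the passwd file.
idmap_range_check() {
    range=$(sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    low=${range%-*}; high=${range#*-}
    [ -n "$low" ] && [ -n "$high" ] || { echo "no idmap uid range in $1" >&2; return 2; }
    awk -F: -v lo="$low" -v hi="$high" \
        '$3 >= lo && $3 <= hi { print "local uid " $3 " (" $1 ") lies inside idmap range"; bad = 1 }
         END { exit bad ? 1 : 0 }' "$2"
}

# The PADL ldap.conf above stores the directory manager's bindpw in clear text:
# the file must not be world-readable, and with "ssl no" (or "off") that password
# also crosses the network unencrypted on every lookup. Returns 0 if both hold.
ldapconf_check() {
    rc=0
    grep -q '^[[:space:]]*bindpw' "$1" || return 0   # no secret present, nothing to protect
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "$1 contains bindpw but is world-readable"; rc=1
    fi
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+(no|off)[[:space:]]*$' "$1"; then
        echo "$1 sends bindpw without TLS (ssl no)"; rc=1
    fi
    return $rc
}
```

Run against the real /etc/samba/smb.conf, /etc/passwd and /etc/ldap.conf, the first function flags any local account that would be shadowed by a winbind-allocated UID, and the second flags the two weaknesses in the example ldap.conf shown above.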
</p><p>
The following is an example <tt class="filename">smb.conf</tt> file:
</p><pre class="screen">
# Global parameters
[global]
	workgroup = BOBBY
	realm = BOBBY.COM
	security = ADS
	idmap uid = 150000-550000
	idmap gid = 150000-550000
	template shell = /bin/bash
	winbind cache time = 5
	winbind use default domain = Yes
	winbind trusted domains only = Yes
	winbind nested groups = Yes
</pre><p>
</p><p>
<a class="indexterm" name="id2560476"></a>
The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
following:
</p><pre class="screen">
./configure --enable-rfc2307bis --enable-schema-mapping
make install
</pre><p>
</p><p>
<a class="indexterm" name="id2560497"></a>
The following <tt class="filename">/etc/nsswitch.conf</tt> file contents are required:
</p><pre class="screen">
...
passwd: files ldap
shadow: files ldap
group:  files ldap
...
hosts: files wins
...
</pre><p>
</p><p>
<a class="indexterm" name="id2560521"></a>
<a class="indexterm" name="id2560528"></a>
The <tt class="filename">/etc/ldap.conf</tt> file must also be configured. Refer to the PADL documentation
and source code for nss_ldap for specific instructions.
</p><p>
The next step involves preparation of the ADS schema. This is briefly discussed in the remaining
part of this chapter.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2560549"></a>IDMAP, Active Directory and MS Services for UNIX 3.5</h4></div></div></div><p>
<a class="indexterm" name="id2560558"></a>
Microsoft Windows Services for UNIX (SFU) version 3.5 is available for free
<a href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
from the Microsoft Web site.
You will need to download this tool and install it following
Microsoft's instructions.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2560577"></a>IDMAP, Active Directory and AD4UNIX</h4></div></div></div><p>
Instructions for obtaining and installing the AD4UNIX tool set can be found on the
<a href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
Geekcomix</a> web site.
</p></div></div></div></div></body></html>