mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
169 lines
5.5 KiB
Plaintext
169 lines
5.5 KiB
Plaintext
idmap script option for flexible UID/GID handling
|
|
-------------------------------------------------
|
|
|
|
If you are using "idmap backend = tdb2" with winbind in Samba3, then
|
|
you have the option of specifying an external script to perform
|
|
uid/gid allocation. This can be useful in situations where you are
|
|
using AD for authentication, but the AD server is not configured to
|
|
supply uid/gid mappings via the services for unix extensions and you
|
|
have a need to support a pre-existing system for uid/gid allocation.
|
|
|
|
One common situation where this arises is where you have a mixture of
|
|
NFS and CIFS clients, and the NFS clients are configured to use NIS
|
|
for their id mapping. It is quite common to have an administrative
|
|
mechanism in place to ensure that all of the NIS users have a
|
|
corresponding AD user account, but there may be no direct mechanism to
|
|
ensure that any unix uid/gid attributes in AD match those in NIS.
|
|
|
|
In this situation it would normally not be possible to share files
|
|
with correct ownership between the CIFS and NFS clients, as winbind
|
|
would normally allocate its own set of UIDs from a reserved pool, and
|
|
those uids won't match the existing ones in NIS.
|
|
|
|
The idmap script option
|
|
-----------------------
|
|
|
|
To resolve this problem the idmap tdb2 module has the ability to call
|
|
out to an external script whenever it meeds an unknown SID or UID/GID
|
|
for the first time. It is then the job of that script to provide a
|
|
mapping consistent with whatever external system is in place (such as
|
|
NIS), and return the mapped result to winbind.
|
|
|
|
Winbind will then persistently store the result of the mapping, so
|
|
that the script is not invoked more than once per user/group.
|
|
|
|
To setup the idmap script you need to set the following options:
|
|
|
|
idmap backend = tdb2
|
|
idmap script = /usr/local/bin/idmap.sh
|
|
|
|
where the location and name of the script is arbitrary. It just needs
|
|
to be executable by winbind.
|
|
|
|
You then need to stop Samba, delete the key idmap cache files, and
|
|
restart Samba. The idmap files that need to be deleted are:
|
|
|
|
- gencache.tdb
|
|
- winbindd_cache.tdb
|
|
- idmap2.tdb
|
|
|
|
|
|
Script operation
|
|
----------------
|
|
|
|
The script will be called by winbind in one of three ways.
|
|
|
|
1) idmap.sh SIDTOID <SID>
|
|
2) idmap.sh IDTOSID UID <UID>
|
|
2) idmap.sh IDTOSID GID <GID>
|
|
|
|
In the first form the script is being asked to map a windows SID (in
|
|
the string form "S-*") to a UID or GID. In the second form the script
|
|
is being asked to map a UID to a SID, and in the third form it is
|
|
being asked to map a GID to a SID.
|
|
|
|
SIDTOID
|
|
-------
|
|
|
|
In the first form the script is expected to output a UID or GID given
|
|
a SID. The output format is expected to be like this:
|
|
|
|
UID:1234
|
|
or
|
|
GID:1122
|
|
|
|
If the SID cannot be found, then the script should output an error
|
|
like this:
|
|
|
|
ERR:Some error message
|
|
|
|
Note that it is common for the external mechanism to not know about
|
|
windows SIDs, in which case the script may use the wbinfo command to
|
|
ask winbind to change the SID into a username or group name. The
|
|
"wbinfo -s" option is the one to use.
|
|
|
|
|
|
IDTOSID UID
|
|
-----------
|
|
|
|
In this form the script is expected to turn a UID into a SID,
|
|
returning a result like this:
|
|
|
|
SID:S-1-5-21-1110277820-2343689819-414998773-1124
|
|
|
|
or an error like this:
|
|
|
|
ERR:Some error message
|
|
|
|
If the external mechanism that the script wants to use cannot produce
|
|
a SID, but can produce a username, then the script can convert the
|
|
username to a SID using the "wbinfo -n" option.
|
|
|
|
IDTOSID GID
|
|
-----------
|
|
|
|
In this form the script is expected to turn a GID into a SID,
|
|
returning a result like this:
|
|
|
|
SID:S-1-5-21-1110277820-2343689819-414998773-1120
|
|
|
|
or an error like this:
|
|
|
|
ERR:Some error message
|
|
|
|
If the external mechanism that the script wants to use cannot produce
|
|
a SID, but can produce a group name, then the script can convert the
|
|
groupname to a SID using the "wbinfo -n" option.
|
|
|
|
|
|
Testing the script
|
|
------------------
|
|
|
|
It is suggested that you test the script on the command line first,
|
|
before using it in winbind. To do that first get a list of users you
|
|
would like to test using the command "wbinfo -u". Let's assume one of
|
|
those users is "DC01\tridge". You would then test the script as
|
|
follows:
|
|
|
|
[root ~]# wbinfo -n 'DC01\tridge'
|
|
S-1-5-21-1110277820-2343689819-414998773-1124 User (1)
|
|
|
|
[root ~]# /usr/local/bin/idmap.sh SIDTOID S-1-5-21-1110277820-2343689819-414998773-1124
|
|
UID:1003
|
|
|
|
[root ~]# /usr/local/bin/idmap.sh IDTOSID UID 1003
|
|
SID:S-1-5-21-1110277820-2343689819-414998773-1124
|
|
|
|
Once those steps pass, you can enable the script in winbind
|
|
(remembering to clear the cache tdbs), and test using the id command:
|
|
|
|
[root ~]# id 'DC01\tridge'
|
|
uid=1003(DC01\tridge) gid=10000009(DC01\domain users)
|
|
|
|
|
|
nsswitch.conf
|
|
-------------
|
|
|
|
When using the idmap script option you setup nsswitch.conf as usual
|
|
for winbind, with one addition. If your external idmap mechanism
|
|
support nsswitch then you may optionally choose to add it to
|
|
nsswitch.conf, but you must add it after the winbind entry. So for
|
|
example, if using NIS, you could have a nsswitch.conf entry like this:
|
|
|
|
passwd: files winbind nis
|
|
group: files winbind nis
|
|
|
|
Adding this to nsswitch.conf is not essential, but may be useful for
|
|
some local administration tools.
|
|
|
|
Sample script
|
|
-------------
|
|
|
|
This directory contains a simple example script 'idmap_nis.sh' that
|
|
provides idmap script support for NIS. To use it you first need to
|
|
enable the NIS client on your Samba server, usually by configuring
|
|
/etc/yp.conf. See the manual page for yp.conf for details.
|
|
|
|
You should test the ypcat and ypmatch commands and make sure they work
|
|
before enabling the idmap_nis.sh script.
|