
Samba HowTo Guide

Chapter 13. Identity Mapping (IDMAP)

John H. Terpstra

Samba Team

The Microsoft Windows operating system has a number of features that impose specific challenges to interoperability with the operating systems on which Samba is implemented. This chapter deals explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the key challenges in the integration of Samba servers into an MS Windows networking environment. This chapter deals with identity mapping (IDMAP) of Windows security identifiers (SIDs) to UNIX UIDs and GIDs.

To ensure sufficient coverage, each possible Samba deployment type is discussed. This is followed by an overview of how the IDMAP facility may be implemented.

The IDMAP facility is of concern where more than one Samba server (or Samba network client) is installed in a domain. Where there is a single Samba server, do not be too concerned regarding the IDMAP infrastructure; the default behavior of Samba is nearly always sufficient. Where multiple Samba servers are used it is often necessary to move data off one server and onto another, and that is where the fun begins!

Where user and group account information is stored in an LDAP directory, every server can have the same consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. Samba can be configured to use only local accounts, in which case the scope of the IDMAP problem is somewhat reduced. This works reasonably well if the servers belong to a single domain and interdomain trusts are not needed. On the other hand, if the Samba servers are NT4 domain members or ADS domain members, or if there is a need to keep the security name-spaces separate (i.e., the user DOMINICUS\FJones must not be given access to the account resources of the user FRANCISCUS\FJones [4]), free from inadvertent cross-over, close attention should be given to the way that the IDMAP facility is configured.

The use of IDMAP is important where the Samba server will be accessed by workstations or servers from more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping) of foreign SIDs to local UNIX UIDs and GIDs.

The use of the IDMAP facility requires that winbindd be started together with Samba.
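As an added illustration of the points above (this fragment is not from the Samba HOWTO itself), the following smb.conf excerpt configures a Samba-3 NT4-style domain member so that winbindd maps foreign SIDs into reserved UID/GID ranges and stores the mappings in LDAP, which is what keeps the IDs consistent across several servers. The domain name, LDAP host, suffixes and ranges are assumptions chosen for the example.

```ini
# smb.conf fragment (added example, not the Samba project's own configuration).
# Hostnames, domain names, DNs and ID ranges below are assumed values.
[global]
    workgroup = DOMINICUS
    security = domain
    password server = *

    # Ranges reserved for IDs that winbindd allocates to foreign SIDs.
    # They must not overlap the UIDs/GIDs of local or nss_ldap accounts,
    # otherwise two distinct identities end up owning the same files.
    idmap uid = 15000-20000
    idmap gid = 15000-20000

    # Shared mapping store. With the default local tdb backend each server
    # would hand out its own numbers, and file ownership would no longer
    # line up when data is moved from one server to another.
    idmap backend = ldap:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=example,dc=com

    # Keep DOMINICUS\FJones and FRANCISCUS\FJones as separate identities:
    # do not strip the domain prefix when more than one domain is in play.
    winbind use default domain = no
    winbind separator = \
    winbind enum users = yes
    winbind enum groups = yes
```

The LDAP bind password for `ldap admin dn` is not placed in smb.conf; it is stored in secrets.tdb with `smbpasswd -w`. An ADS member would use `security = ads` together with a `realm` setting instead of `security = domain`.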


Published under the terms of the GNU General Public License.