The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data in a central place. The downside is that it can be used only within a single ADS domain and is not compatible with trusted domain implementations.

This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the RID to the specified base value. This utility requires that the parameter “allow trusted domains = No” be specified, as it is not compatible with multiple domain environments. The idmap uid and idmap gid ranges must be specified.
The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory. To use this with an NT4 domain, do not include the realm parameter; additionally, the domain is joined using the net rpc join process. An example smb.conf file for an ADS domain environment is shown in Example 13.3, ADS Domain Member smb.conf using idmap_rid.
Example 13.3. ADS Domain Member smb.conf using idmap_rid

    # Global parameters
    [global]
        workgroup = KPAK
        netbios name = BIGJOE
        realm = CORP.KPAK.COM
        server string = Office Server
        security = ADS
        allow trusted domains = No
        idmap backend = idmap_rid:KPAK=500-100000000
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind enum users = No
        winbind enum groups = No
        winbind nested groups = Yes
        printer admin = "Domain Admins"
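The RID-plus-base rule described above, worked through against the idmap range in this smb.conf. This is an added example, not Samba's own idmap_rid code; the KPAK domain SID is a constructed placeholder (the real value is not on this page), and rejecting SIDs from any other domain mirrors “allow trusted domains = No”. With the range 500-100000000, Administrator (RID 500) maps to UID 1000 and Domain Users (RID 513) to GID 1013.

```python
import re

# Constructed placeholder for the KPAK domain SID; the real one is not on the page.
KPAK_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_idmap_rid_backend(value):
    """Parse the value of 'idmap backend = idmap_rid:DOMAIN=low-high'."""
    m = re.fullmatch(r"idmap_rid:([^=]+)=(\d+)-(\d+)", value.strip())
    if not m:
        raise ValueError("not an idmap_rid backend spec: %r" % value)
    domain, low, high = m.group(1), int(m.group(2)), int(m.group(3))
    if low > high:
        raise ValueError("idmap range low end exceeds high end")
    return domain, low, high


def split_sid(sid):
    """Split a textual SID into (domain SID, RID); the RID is the last component."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError("malformed SID: %r" % sid)
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def rid_to_unix_id(sid, backend, domain_sid=KPAK_DOMAIN_SID):
    """Apply the idmap_rid rule: UNIX id = RID + low end of the configured range.

    Returns None for a SID from another domain (idmap_rid serves one domain
    only) or when the result would fall outside the configured range.
    """
    _domain, low, high = parse_idmap_rid_backend(backend)
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        return None
    unix_id = rid + low
    if unix_id > high:
        return None
    return unix_id
```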
In a large domain with many users it is imperative to disable enumeration of users and groups. For example, at a site that has 22,000 users in Active Directory the winbind-based user and group resolution is unavailable for nearly 12 minutes following first startup of winbind. Disabling enumeration resulted in instantaneous response.
The disabling of user and group enumeration means that it will not be possible to list users or groups using the getent passwd and getent group commands. It will be possible to perform the lookup for individual users, as shown in the following procedure.
The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
/etc/nsswitch.conf so it has the following parameters:
...
passwd: files winbind
shadow: files winbind
group: files winbind
...
hosts: files wins
...
The following procedure can use the idmap_rid facility:

- Create or install an smb.conf file with the above configuration.

- Edit the /etc/nsswitch.conf file as shown above.

- Execute:

    root# net ads join -UAdministrator%password
    Using short domain name -- KPAK
    Joined 'BIGJOE' to realm 'CORP.KPAK.COM'

  An invalid or failed join can be detected by executing:

    root# net ads testjoin
    BIGJOE$@'s password:
    [2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
    ads_connect: No results returned
    Join to domain is not valid

  The specific error message may differ from the above because it depends on the type of failure that may have occurred. Increase the log level to 10, repeat the test, and then examine the log files produced to identify the nature of the failure.

- Start the nmbd, winbind, and smbd daemons in the order shown.

- Validate the operation of this configuration by executing:

    root# getent passwd administrator
    administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash