Greetings all. I have a requirement to use winbind to allocate UID/GIDs for users but only if they aren't in the non-winbind nsswitch sources.
I.e., given
smb.conf ; samba 3.0.7
realm = DOMAIN
workgroup = DOMAIN
log level = 3 idmap:10 winbind:10
idmap gid = 50000-59999
idmap uid = 50000-59999
ADS users:
DOMAIN\adsuser1 ; only in ADS, not NIS
DOMAIN\adsuser2 ; only in ADS, not NIS
DOMAIN\user1
DOMAIN\user2
NIS passwd:
user1:*:10001:20000:&:/home/user1:/bin/sh
user2:*:10002:20000:&:/home/user2:/bin/sh
I want name<->uid lookups to return "10001" for user1 and a
winbind allocated UID for adsuser* (e.g., 50000).
I have had no success so far configuring samba 3.0.7 to do this.
What I've tried so far (stopping smbd/nmbd/winbindd and removing
winbindd_idmap.tdb between tests):
a)
nsswitch.conf
passwd: files nis winbind
group: files nis winbind
smb.conf
winbind trusted domains only = no
nsswitch test results:
% id user1
uid=10001(user1) gid=20000(group0) groups=20000(group0)
% id adsuser1
id: adsuser1: No such user
% id 'DOMAIN\adsuser1'
uid=50000(DOMAIN\adsuser1) gid=50005(DOMAIN\Domain Users)
groups=50005(DOMAIN\Domain Users)
Accessing as DOMAIN\adsuser1 connects as uid=50000,gid=50005.
This is expected; we want winbind to fake a UID/GID.
Accessing as DOMAIN\user1 connects as uid=50001,gid=50005.
This is NOT expected.
As far as I can tell, it's because samba first tries
getpwnam("DOMAIN\user1") which isn't found by NIS but
winbind(8) fakes up an entry.
b)
nsswitch.conf
passwd: files nis
group: files nis
smb.conf
winbind trusted domains only = no
nsswitch test results:
% id user1
uid=10001(user1) gid=20000(group0) groups=20000(group0)
% id adsuser1
id: adsuser1: No such user
% id 'DOMAIN\adsuser1'
id: DOMAIN\adsuser1: No such user
Accessing as DOMAIN\user1 connects as uid=10001,gid=20000.
This is expected.
Accessing as DOMAIN\adsuser1 fails, because there's no
corresponding name->UID mapping in NIS.
This is expected based on the nsswitch.conf configuration,
but not what I want.
c)
nsswitch.conf
passwd: files nis winbind
group: files nis winbind
smb.conf
winbind trusted domains only = yes
nsswitch test results:
% id user1
uid=10001(user1) gid=20000(group0) groups=20000(group0)
% id adsuser1
id: adsuser1: No such user
% id 'DOMAIN\adsuser1'
id: DOMAIN\adsuser1: No such user
Accessing as DOMAIN\user1 connects as uid=10001,gid=20000.
This is expected.
Accessing as DOMAIN\adsuser1 fails, because there's no
corresponding name->UID mapping in NIS, and winbind
refuses to fake one up:
winbindd_getpwnam: My domain -- rejecting getpwnam()
for DOMAIN\ADSUSER1
What can I do to get winbind to fake one up?
At this point, I'm lost for a solution based on existing functionality.
I am considering hacking in another option which changes the
behaviour of "winbind trusted domains only" so that winbind will
provide a fallback mapping for users in the trusted domain that
aren't found by getpwnam(3) (i.e., the other UNIX getpw*() nsswitch
sources, such as "files nis").
Is there any way to achieve what I want, or do I need to hack the
functionality into samba?
Thanks,
Luke.
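To make the nsswitch ordering concrete, here is an added example (mine, not code from the post or from Samba) that models the lookup chain of case (a) beside the fallback behaviour the post proposes: in case (a) a NIS user who connects as DOMAIN\user1 is silently given a second, winbind-allocated UID, so ownership of the same person's files ends up split across two identities. The NIS entries, domain users and idmap range are taken from the post; the Winbind class and the function names are hypothetical, not Samba APIs.

```python
# Added example (not from the post or from Samba): models the "passwd: files nis winbind"
# chain and the fallback the post proposes. Data is from the post; names are hypothetical.
DOMAIN = "DOMAIN"
IDMAP_UID = (50000, 59999)                    # idmap uid = 50000-59999
NIS_PASSWD = {"user1": 10001, "user2": 10002}  # from the NIS passwd lines
ADS_USERS = {"adsuser1", "adsuser2", "user1", "user2"}
def nis_getpwnam(name):
    """The non-winbind sources ("files nis"); the post shows no local entries."""
    return NIS_PASSWD.get(name)

class Winbind:
    """Allocates UIDs from the idmap range and remembers them (winbindd_idmap.tdb)."""
    def __init__(self, trusted_domains_only=False):
        self.trusted_domains_only = trusted_domains_only
        self.idmap = {}

    def getpwnam(self, name):
        domain, _, user = name.partition("\\")
        if domain != DOMAIN or user not in ADS_USERS:
            return None                       # only DOMAIN\user names are answered
        if self.trusted_domains_only:
            return None                       # "My domain -- rejecting getpwnam()"
        if name not in self.idmap:            # first sight: allocate the next free UID
            uid = IDMAP_UID[0] + len(self.idmap)
            if uid > IDMAP_UID[1]:
                raise RuntimeError("idmap uid range exhausted")
            self.idmap[name] = uid
        return self.idmap[name]

def nss_getpwnam(name, sources):
    """nsswitch semantics: the first source that answers wins."""
    for src in sources:
        uid = src(name)
        if uid is not None:
            return uid
    return None

def resolve_case_a(names):
    """Case (a): NIS never matches 'DOMAIN\\user1', so winbind fakes a UID for it."""
    wb = Winbind(trusted_domains_only=False)
    return {n: nss_getpwnam(n, [nis_getpwnam, wb.getpwnam]) for n in names}
def resolve_with_fallback(names):
    """Proposed option: try the bare name in the non-winbind sources first."""
    wb = Winbind(trusted_domains_only=False)
    out = {}
    for n in names:
        bare = n.split("\\", 1)[1] if n.startswith(DOMAIN + "\\") else n
        uid = nss_getpwnam(bare, [nis_getpwnam])
        out[n] = uid if uid is not None else wb.getpwnam(n)
    return out
```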
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba