idmap script option for flexible UID/GID handling ------------------------------------------------- If you are using "idmap backend = tdb2" with winbind in Samba3, then you have the option of specifying an external script to perform uid/gid allocation. This can be useful in situations where you are using AD for authentication, but the AD server is not configured to supply uid/gid mappings via the services for unix extensions and you have a need to support a pre-existing system for uid/gid allocation. One common situation where this arises is where you have a mixture of NFS and CIFS clients, and the NFS clients are configured to use NIS for their id mapping. It is quite common to have an administrative mechanism in place to ensure that all of the NIS users have a corresponding AD user account, but there may be no direct mechanism to ensure that any unix uid/gid attributes in AD match those in NIS. In this situation it would normally not be possible to share files with correct ownership between the CIFS and NFS clients, as winbind would normally allocate its own set of UIDs from a reserved pool, and those uids won't match the existing ones in NIS. The idmap script option ----------------------- To resolve this problem the idmap tdb2 module has the ability to call out to an external script whenever it meeds an unknown SID or UID/GID for the first time. It is then the job of that script to provide a mapping consistent with whatever external system is in place (such as NIS), and return the mapped result to winbind. Winbind will then persistently store the result of the mapping, so that the script is not invoked more than once per user/group. To setup the idmap script you need to set the following options: idmap backend = tdb2 idmap script = /usr/local/bin/idmap.sh where the location and name of the script is arbitrary. It just needs to be executable by winbind. You then need to stop Samba, delete the key idmap cache files, and restart Samba. The idmap files that need to be deleted are: - gencache.tdb - winbindd_cache.tdb - idmap2.tdb Script operation ---------------- The script will be called by winbind in one of three ways. 1) idmap.sh SIDTOID <SID> 2) idmap.sh IDTOSID UID <UID> 2) idmap.sh IDTOSID GID <GID> In the first form the script is being asked to map a windows SID (in the string form "S-*") to a UID or GID. In the second form the script is being asked to map a UID to a SID, and in the third form it is being asked to map a GID to a SID. SIDTOID ------- In the first form the script is expected to output a UID or GID given a SID. The output format is expected to be like this: UID:1234 or GID:1122 If the SID cannot be found, then the script should output an error like this: ERR:Some error message Note that it is common for the external mechanism to not know about windows SIDs, in which case the script may use the wbinfo command to ask winbind to change the SID into a username or group name. The "wbinfo -s" option is the one to use. IDTOSID UID ----------- In this form the script is expected to turn a UID into a SID, returning a result like this: SID:S-1-5-21-1110277820-2343689819-414998773-1124 or an error like this: ERR:Some error message If the external mechanism that the script wants to use cannot produce a SID, but can produce a username, then the script can convert the username to a SID using the "wbinfo -n" option. IDTOSID GID ----------- In this form the script is expected to turn a GID into a SID, returning a result like this: SID:S-1-5-21-1110277820-2343689819-414998773-1120 or an error like this: ERR:Some error message If the external mechanism that the script wants to use cannot produce a SID, but can produce a group name, then the script can convert the groupname to a SID using the "wbinfo -n" option. Testing the script ------------------ It is suggested that you test the script on the command line first, before using it in winbind. To do that first get a list of users you would like to test using the command "wbinfo -u". Let's assume one of those users is "DC01\tridge". You would then test the script as follows: [root ~]# wbinfo -n 'DC01\tridge' S-1-5-21-1110277820-2343689819-414998773-1124 User (1) [root ~]# /usr/local/bin/idmap.sh SIDTOID S-1-5-21-1110277820-2343689819-414998773-1124 UID:1003 [root ~]# /usr/local/bin/idmap.sh IDTOSID UID 1003 SID:S-1-5-21-1110277820-2343689819-414998773-1124 Once those steps pass, you can enable the script in winbind (remembering to clear the cache tdbs), and test using the id command: [root ~]# id 'DC01\tridge' uid=1003(DC01\tridge) gid=10000009(DC01\domain users) nsswitch.conf ------------- When using the idmap script option you setup nsswitch.conf as usual for winbind, with one addition. If your external idmap mechanism support nsswitch then you may optionally choose to add it to nsswitch.conf, but you must add it after the winbind entry. So for example, if using NIS, you could have a nsswitch.conf entry like this: passwd: files winbind nis group: files winbind nis Adding this to nsswitch.conf is not essential, but may be useful for some local administration tools. Sample script ------------- This directory contains a simple example script 'idmap_nis.sh' that provides idmap script support for NIS. To use it you first need to enable the NIS client on your Samba server, usually by configuring /etc/yp.conf. See the manual page for yp.conf for details. You should test the ypcat and ypmatch commands and make sure they work before enabling the idmap_nis.sh script.