blob: a892343c6efac44831b4013113ceeb35b8d8071c
## Date : 2003-07-09
## Author: Gerald (Jerry) Carter <jerry@samba.org>
## Title: README.idmap-and-winbind-changes

Introduction
------------

Beginning with Samba 3.0.0beta3, winbindd has been given new account
management functionality equivalent to the 'add user script' family of
smb.conf parameters. The idmap design has also been changed to centralize
control of foreign SID lookups and their matching to UNIX uids and gids.

Brief Description of Changes
----------------------------

1) The sid_to_uid() family of functions (smbd/uid.c) has been reverted
   to the 2.2.x design. This means that when resolving a SID to a UID
   or performing a similar mapping:

     a) First consult winbindd
     b) Perform a local lookup only if winbindd fails to
        return a successful answer

   There are some variations to this, but these two rules generally
   apply.

2) All idmap lookups have been moved into winbindd. This means that
   a server must run winbindd (and support NSS) in order to achieve
   any mappings of SIDs to dynamically allocated UNIX ids. This was
   a conscious design choice.

3) New functions have been added to winbindd to emulate the 'add user script'
   family of smbd functions without requiring that external scripts
   be defined. This functionality is controlled by the 'winbind enable local
   accounts' smb.conf parameter (enabled by default).

   However, this account management functionality is only supported in
   a local tdb (winbindd_idmap.tdb). If these new UNIX accounts must be
   shared among multiple Samba servers (such as a PDC and BDCs), it
   will be necessary to define your own 'add user script', et al.
   programs that place the accounts/groups in some form of directory
   such as NIS or LDAP. This requirement was deemed beyond the scope
   of winbind's account management functions. Solutions for distributing
   UNIX system information have been deployed and tested for many years.
   We saw no need to reinvent the wheel.

4) A member of a Samba controlled domain running winbindd is now able to
   map domain users directly onto existing UNIX accounts while still
   automatically creating accounts for trusted users and groups. This
   behavior is controlled by the 'winbind trusted domains only' smb.conf
   parameter (disabled by default to provide 2.2.x winbind behavior).

5) Group mapping support is wrapped in the local_XX_to_XX() functions
   in smbd/uid.c. The reason that group mappings are not included
   in winbindd is that the purpose of Samba's group map is to
   match any Windows SID with an existing UNIX group. These UNIX
   groups can be created by winbindd (see the previous section), but the
   SID<->gid mapping is retrieved by smbd, not winbindd.

Examples
--------

* security = server running winbindd to allocate accounts on demand

* Samba PDC running winbindd to handle the automatic creation of UNIX
  identities for machine trust accounts

* Automatically creating UNIX users and groups when migrating a Windows NT
  4.0 PDC to a Samba PDC. Winbindd must be running when executing
  'net rpc vampire' for this to work.
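The lookup order from items 1, 3 and 4 above, as an added model that is not Samba's own code: smbd asks winbindd first and falls back to a local lookup, winbindd allocates ids only when 'winbind enable local accounts' is on, and with 'winbind trusted domains only' own-domain users resolve to existing UNIX accounts while trusted-domain users are still allocated. The class and function names, the SIDs, account names and uid values are all constructed for illustration.

```python
# Constructed model of the SID -> uid resolution order this README describes.
# Not Samba code; every name and value below is an assumption for illustration.
from dataclasses import dataclass, field

OWN_DOMAIN = "S-1-5-21-100-200-300"      # the Samba controlled domain (constructed)
TRUSTED_DOMAIN = "S-1-5-21-400-500-600"  # a trusted domain (constructed)
# Existing UNIX accounts as /etc/passwd, NIS or LDAP would supply them (constructed).
LOCAL_PASSWD = {"alice": 1001, "bob": 1002}
# Account name behind each domain SID, as the DC would report it (constructed).
SID_NAMES = {OWN_DOMAIN + "-1105": "alice", TRUSTED_DOMAIN + "-1206": "carol"}


@dataclass
class Winbindd:
    """Holds the state that winbindd keeps in winbindd_idmap.tdb."""
    enable_local_accounts: bool = True   # 'winbind enable local accounts'
    trusted_domains_only: bool = False   # 'winbind trusted domains only'
    idmap: dict = field(default_factory=dict)  # SID -> allocated uid
    next_uid: int = 10000                # first uid of the allocation range

    def sid_to_uid(self, sid):
        """Return a uid for sid, or None when winbindd cannot answer."""
        domain = sid.rsplit("-", 1)[0]
        if self.trusted_domains_only and domain == OWN_DOMAIN:
            # Own-domain users map onto existing UNIX accounts, never allocated.
            return LOCAL_PASSWD.get(SID_NAMES.get(sid))
        if sid in self.idmap:
            return self.idmap[sid]        # already mapped: answer is stable
        if not self.enable_local_accounts:
            return None                  # no automatic allocation configured
        uid, self.next_uid = self.next_uid, self.next_uid + 1
        self.idmap[sid] = uid            # persist the new mapping
        return uid


def smbd_sid_to_uid(winbindd, sid):
    """smbd side: consult winbindd first, local lookup only if that fails."""
    if winbindd is not None:
        uid = winbindd.sid_to_uid(sid)
        if uid is not None:
            return uid
    # Reached only when winbindd is not running or returned no answer.
    return LOCAL_PASSWD.get(SID_NAMES.get(sid))
```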