Samba HowTo Guide

IDMAP_RID with Winbind

The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data in a central place. The downside is that it can be used only within a single ADS domain and is not compatible with trusted domain implementations.

This alternate method of SID to UID/GID mapping is provided by the idmap_rid plug-in. The plug-in takes the RID (the last component of the user's or group's SID) and derives the UID or GID by adding the RID to the base value of the configured idmap range. Because it has no way to map SIDs from other domains, it requires the parameter “allow trusted domains = No” and cannot be used in multiple-domain environments. The idmap uid and idmap gid ranges must be specified.

The idmap_rid facility can be used both for NT4/Samba-style domains and for Active Directory. To use it with an NT4 domain, do not include the realm parameter; additionally, the domain is joined with net rpc join rather than the net ads join shown below.
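The arithmetic the two paragraphs above describe, as an added shell illustration (it is not Samba's idmap_rid source and is not part of the HOWTO): the RID is taken from the SID and added to the base of the idmap range, and any result outside the range is refused. The range 500-100000000 is the one used in the smb.conf example that follows; the SID values are constructed for the illustration. GIDs are derived in exactly the same way from the idmap gid range.

```shell
#!/bin/sh
# Added illustration of the idmap_rid mapping described in the text:
# UID = idmap range base + RID, valid only while the result stays inside
# the configured range.  Not Samba's own code.

IDMAP_LOW=500          # base of the idmap uid range from the example smb.conf
IDMAP_HIGH=100000000   # top of that range

# rid_of_sid SID -> prints the RID of a domain SID (S-1-5-21-<a>-<b>-<c>-<RID>).
# SIDs of any other form (BUILTIN, well-known SIDs, ...) carry no domain RID
# and are rejected here.
rid_of_sid() {
    sid=$1
    rest=${sid#S-1-5-21-}
    [ "$rest" != "$sid" ] || { echo "not a domain SID: $sid" >&2; return 1; }
    case "$rest" in
        *[!0-9-]*|*--*|-*|*-) echo "malformed SID: $sid" >&2; return 1 ;;
    esac
    set -- $(printf '%s\n' "$rest" | tr '-' ' ')
    [ "$#" -eq 4 ] || { echo "expected three sub-authorities and a RID: $sid" >&2; return 1; }
    printf '%s\n' "$4"
}

# rid_to_uid RID -> prints the UID; fails when it would fall above the range,
# which is what happens to a RID larger than (high - low).
rid_to_uid() {
    uid=$(( IDMAP_LOW + $1 ))
    if [ "$uid" -gt "$IDMAP_HIGH" ]; then
        echo "RID $1 maps outside idmap range $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    fi
    printf '%s\n' "$uid"
}

# uid_to_rid UID -> the reverse mapping; a UID outside the range was never
# allocated by idmap_rid (local /etc/passwd users, for example).
uid_to_rid() {
    if [ "$1" -lt "$IDMAP_LOW" ] || [ "$1" -gt "$IDMAP_HIGH" ]; then
        echo "UID $1 is not an idmap_rid-managed ID" >&2
        return 1
    fi
    printf '%s\n' $(( $1 - IDMAP_LOW ))
}

# sid_to_uid SID -> prints the UID the scheme assigns to that SID
sid_to_uid() {
    rid=$(rid_of_sid "$1") || return 1
    rid_to_uid "$rid"
}

# Constructed sample: RID 512 in a made-up domain SID.
sid_to_uid S-1-5-21-1004336348-1177238915-682003330-512   # prints 1012
```

Because the mapping is pure arithmetic, the same SID yields the same UID on every member server that uses the same range, which is the "predictable mapping" the text refers to and the reason no shared IDMAP store is needed.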

An example smb.conf file for an ADS domain environment is shown in ADS Domain Member smb.conf using idmap_rid.

Example 13.3. ADS Domain Member smb.conf using idmap_rid

# Global parameters
[global]
    workgroup = KPAK
    netbios name = BIGJOE
    # Kerberos realm of the ADS domain (matches the join output below);
    # leave it out when joining an NT4-style domain
    realm = CORP.KPAK.COM
    server string = Office Server
    security = ADS
    # idmap_rid cannot map SIDs from trusted domains
    allow trusted domains = No
    # UID/GID = RID + range base; the range for domain KPAK is given here
    idmap backend = idmap_rid:KPAK=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    template shell = /bin/bash
    winbind use default domain = Yes
    # enumeration disabled: see the note on large domains below
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    printer admin = "Domain Admins"

In a large domain with many users it is imperative to disable enumeration of users and groups. For example, at a site that has 22,000 users in Active Directory, winbind-based user and group resolution was unavailable for nearly 12 minutes following the first startup of winbind. Disabling enumeration resulted in instantaneous response. With user and group enumeration disabled it is no longer possible to list users or groups with the getent passwd and getent group commands; lookups of individual users and groups still work, as shown in the following procedure.

The use of this tool requires configuration of NSS as per the native use of winbind. Edit the /etc/nsswitch.conf so it has the following parameters:

passwd: files winbind
shadow: files winbind
group:  files winbind
hosts:  files wins

The following procedure brings the idmap_rid facility into use:

  1. Create or install an smb.conf file with the above configuration.

  2. Edit the /etc/nsswitch.conf file as shown above.

  3. Execute:

    root#  net ads join -UAdministrator%password
    Using short domain name -- KPAK
    Joined 'BIGJOE' to realm 'CORP.KPAK.COM'

    An invalid or failed join can be detected by executing:

    root#  net ads testjoin
    BIGJOE$@'s password:
    [2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
      ads_connect: No results returned
    Join to domain is not valid

    The specific error message may differ from the above because it depends on the type of failure that may have occurred. Increase the log level to 10, repeat the test, and then examine the log files produced to identify the nature of the failure.

  4. Start the nmbd, winbind, and smbd daemons in the order shown.

  5. Validate the operation of this configuration by executing:

    root#  getent passwd administrator
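A pre-flight check for steps 1 and 2 of the procedure above, added here as an illustration (it is not part of the Samba HOWTO or of the Samba project). It reads an smb.conf and an nsswitch.conf and reports whether the settings the text requires are in place: an idmap_rid backend with a range, idmap uid and idmap gid specified, allow trusted domains set to No, user and group enumeration disabled, and winbind listed for the passwd and group databases. The sample files it writes are constructed for the demonstration: the page's own example configuration, a variant with two settings flipped, and the nsswitch.conf from the text.

```shell
#!/bin/sh
# Added pre-flight check for the idmap_rid prerequisites listed in the text.
# Not Samba code; it only reads configuration files and prints findings.

# conf_value FILE KEY: print the value of KEY from an smb.conf-style file
# (case-insensitive key, whitespace around "=" ignored, comments skipped).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# is_no VALUE: true for the spellings smb.conf accepts as boolean "no"
is_no() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        no|false|0) return 0 ;;
        *) return 1 ;;
    esac
}

# check_idmap_rid_conf SMB_CONF NSSWITCH_CONF: print each problem found and
# return the number of problems (0 means every prerequisite is met).
check_idmap_rid_conf() {
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    backend=$(conf_value "$1" "idmap backend")
    case "$backend" in
        idmap_rid:*=*-*) ;;
        *) fail "idmap backend is not idmap_rid with a domain range: '$backend'" ;;
    esac
    [ -n "$(conf_value "$1" "idmap uid")" ] || fail "idmap uid range is not specified"
    [ -n "$(conf_value "$1" "idmap gid")" ] || fail "idmap gid range is not specified"
    is_no "$(conf_value "$1" "allow trusted domains")" ||
        fail "allow trusted domains must be No: idmap_rid does not support trusted domains"
    for key in "winbind enum users" "winbind enum groups"; do
        is_no "$(conf_value "$1" "$key")" ||
            fail "$key should be No: enumeration stalls winbind on large domains"
    done
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$2" ||
            fail "nsswitch.conf: '$db' database does not list winbind"
    done
    return "$problems"
}

# Constructed sample files (not configuration taken from any real host).
WORKDIR=$(mktemp -d)
GOOD_CONF=$WORKDIR/smb.conf.good
BAD_CONF=$WORKDIR/smb.conf.bad
NSS_CONF=$WORKDIR/nsswitch.conf
cat > "$GOOD_CONF" <<'EOF'
[global]
	workgroup = KPAK
	security = ADS
	allow trusted domains = No
	idmap backend = idmap_rid:KPAK=500-100000000
	idmap uid = 500-100000000
	idmap gid = 500-100000000
	winbind enum users = No
	winbind enum groups = No
EOF
# Variant with trusted domains allowed and user enumeration switched on.
sed -e 's/allow trusted domains = No/allow trusted domains = Yes/' \
    -e 's/winbind enum users = No/winbind enum users = Yes/' "$GOOD_CONF" > "$BAD_CONF"
printf 'passwd: files winbind\nshadow: files winbind\ngroup:  files winbind\nhosts:  files wins\n' > "$NSS_CONF"

check_idmap_rid_conf "$GOOD_CONF" "$NSS_CONF" && echo "good config: prerequisites met"
check_idmap_rid_conf "$BAD_CONF" "$NSS_CONF" || echo "bad config: $? problem(s)"
```

Run it against the real files with check_idmap_rid_conf /etc/samba/smb.conf /etc/nsswitch.conf before executing net ads join; a non-zero return means one of the conditions the text calls out is missing, and the messages say which.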

  Published under the terms of the GNU General Public License. Design by Interspire.