1 idmap script option for flexible UID/GID handling
2 -------------------------------------------------
4 If you are using "idmap backend = tdb2" with winbind in Samba3, then
5 you have the option of specifying an external script to perform
6 uid/gid allocation. This can be useful in situations where you are
7 using AD for authentication, but the AD server is not configured to
8 supply uid/gid mappings via the services for unix extensions and you
9 have a need to support a pre-existing system for uid/gid allocation.
11 One common situation where this arises is where you have a mixture of
12 NFS and CIFS clients, and the NFS clients are configured to use NIS
13 for their id mapping. It is quite common to have an administrative
14 mechanism in place to ensure that all of the NIS users have a
15 corresponding AD user account, but there may be no direct mechanism to
16 ensure that any unix uid/gid attributes in AD match those in NIS.
18 In this situation it would normally not be possible to share files
19 with correct ownership between the CIFS and NFS clients, as winbind
20 would normally allocate its own set of UIDs from a reserved pool, and
21 those uids won't match the existing ones in NIS.
23 The idmap script option
24 -----------------------
26 To resolve this problem the idmap tdb2 module has the ability to call
27 out to an external script whenever it meeds an unknown SID or UID/GID
28 for the first time. It is then the job of that script to provide a
29 mapping consistent with whatever external system is in place (such as
30 NIS), and return the mapped result to winbind.
32 Winbind will then persistently store the result of the mapping, so
33 that the script is not invoked more than once per user/group.
35 To setup the idmap script you need to set the following options:
38 idmap script = /usr/local/bin/idmap.sh
40 where the location and name of the script is arbitrary. It just needs
41 to be executable by winbind.
43 You then need to stop Samba, delete the key idmap cache files, and
44 restart Samba. The idmap files that need to be deleted are:
54 The script will be called by winbind in one of three ways.
56 1) idmap.sh SIDTOID <SID>
57 2) idmap.sh IDTOSID UID <UID>
58 2) idmap.sh IDTOSID GID <GID>
60 In the first form the script is being asked to map a windows SID (in
61 the string form "S-*") to a UID or GID. In the second form the script
62 is being asked to map a UID to a SID, and in the third form it is
63 being asked to map a GID to a SID.
68 In the first form the script is expected to output a UID or GID given
69 a SID. The output format is expected to be like this:
75 If the SID cannot be found, then the script should output an error
78 ERR:Some error message
80 Note that it is common for the external mechanism to not know about
81 windows SIDs, in which case the script may use the wbinfo command to
82 ask winbind to change the SID into a username or group name. The
83 "wbinfo -s" option is the one to use.
89 In this form the script is expected to turn a UID into a SID,
90 returning a result like this:
92 SID:S-1-5-21-1110277820-2343689819-414998773-1124
94 or an error like this:
96 ERR:Some error message
98 If the external mechanism that the script wants to use cannot produce
99 a SID, but can produce a username, then the script can convert the
100 username to a SID using the "wbinfo -n" option.
105 In this form the script is expected to turn a GID into a SID,
106 returning a result like this:
108 SID:S-1-5-21-1110277820-2343689819-414998773-1120
110 or an error like this:
112 ERR:Some error message
114 If the external mechanism that the script wants to use cannot produce
115 a SID, but can produce a group name, then the script can convert the
116 groupname to a SID using the "wbinfo -n" option.
122 It is suggested that you test the script on the command line first,
123 before using it in winbind. To do that first get a list of users you
124 would like to test using the command "wbinfo -u". Let's assume one of
125 those users is "DC01\tridge". You would then test the script as
128 [root ~]# wbinfo -n 'DC01\tridge'
129 S-1-5-21-1110277820-2343689819-414998773-1124 User (1)
131 [root ~]# /usr/local/bin/idmap.sh SIDTOID S-1-5-21-1110277820-2343689819-414998773-1124
134 [root ~]# /usr/local/bin/idmap.sh IDTOSID UID 1003
135 SID:S-1-5-21-1110277820-2343689819-414998773-1124
137 Once those steps pass, you can enable the script in winbind
138 (remembering to clear the cache tdbs), and test using the id command:
140 [root ~]# id 'DC01\tridge'
141 uid=1003(DC01\tridge) gid=10000009(DC01\domain users)
147 When using the idmap script option you setup nsswitch.conf as usual
148 for winbind, with one addition. If your external idmap mechanism
149 support nsswitch then you may optionally choose to add it to
150 nsswitch.conf, but you must add it after the winbind entry. So for
151 example, if using NIS, you could have a nsswitch.conf entry like this:
153 passwd: files winbind nis
154 group: files winbind nis
156 Adding this to nsswitch.conf is not essential, but may be useful for
157 some local administration tools.
162 This directory contains a simple example script 'idmap_nis.sh' that
163 provides idmap script support for NIS. To use it you first need to
164 enable the NIS client on your Samba server, usually by configuring
165 /etc/yp.conf. See the manual page for yp.conf for details.
167 You should test the ypcat and ypmatch commands and make sure they work
168 before enabling the idmap_nis.sh script.