[Samba] Samba4, multi-domain Forest and Unix ID mapping - Samba


Thread: [Samba] Samba4, multi-domain Forest and Unix ID mapping

  1. [Samba] Samba4, multi-domain Forest and Unix ID mapping

    Good day,

    I wasn't sure whether this should go to the user list or the
    samba-technical list. I chose here based on the descriptions of the list.

    Forgive me if my understanding of the naming is inaccurate. It is my
    understanding that Samba3 (and I believe 4, as well) has a very powerful
    SID<->UID mapping mechanism which will auto create the UID in a range.
    This is what I mean by Unix ID mapping.

    I have read that this as of yet won't work in a forest, even if the
    organization is only one organization. I am hoping this isn't true.

    I am beginning to look at Samba4 for future implementations within
    organizations I do work for. However, it appears I will need
    multiple-domain-in-one-forest functionality. Is this implemented or at least planned?

    If it is implemented/planned is it possible to do the automatic Unix ID
    mapping per above? If it is all one domain, is it possible to do this if
    all the domain controllers/active directory machines are Samba 4?
    Basically, can each domain have its own UID mapping setup and they will
    work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
    exact mechanism my questions may bring to mind may be bad.

    Here is the situation, explained in the context of an extended family
    network:

    Each family has its own domain (Windows and DNS), policies, etc. Each
    has its own file servers, mail domains (DNS), etc. Each may share file
    and printers with other families. This needs to work in Windows and Linux.

    However, here is the killer, root access to Linux machines is not shared
    across domains. Nor should Windows system/net/domain admin abilities.
    However, guests from other families (within the extended family) need to
    be able to view the shared files as well as log in (without
    administrative privileges) on computers in the other domains (think
    visiting family).

    To do this, auto SID<->UID maps are a must. Domains within the forest
    will start at 6 at least and grow from there. (This example isn't far
    from the kinds of things businesses and families ask me to do.)

    Is all of this possible, planned, or just out there?

    Thank you,
    Trever Adams

    P.S. Please, reply directly as well as to the list as I am not on the
    list and only keep up from time to time.




    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

    When you say "forest" are you referring to a user authentication
    database implementing multiple linked lists that do not share a common
    root?

    Cause I don't know of any reason you'd have trouble running samba in
    the woods. It's heavily wooded around my house and the timber never
    causes any problems. The local Ents are all OK with samba.

    Samba 3 & 4 do indeed incorporate "idmapping" which works pretty much
    as you describe. The command syntax has grown a lot recently and has
    not yet been fully documented, but I'd say it's quite powerful. If
    you can get your interdomain trusts set up right I think you can do
    what you want, but it's probably going to be dependent on how well you
    can control access to your directory backend.

    You haven't specified what directory backend you are running...
    Microsoft AD? Novell eDirectory? OpenLDAP? Sun? IBM? Fedora DS?
    There are lots...

    --Charlie


  3. Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

    Charlie wrote:
    > When you say "forest" are you referring to a user authentication
    > database implementing multiple linked lists that do not share a common
    > root?
    >

    First, thank you for responding. I must also say I have been out of
    Windows land for some time. I last really messed with Windows Networking
    around NT 4.0. By Forest, I mean:
    "At the top of the structure is the Forest - the collection of every
    object, its attributes, and rules (attribute syntax) in the AD. The
    forest holds one or more transitive, trust-linked Trees. A tree holds
    one or more Domains and domain trees, again linked in a transitive trust
    hierarchy. Domains are identified by their DNS name structure, the
    namespace."
    (http://en.wikipedia.org/wiki/Active_...2C_and_domains)

    So, I am looking for something like:
    family1.example.com (uids=1000-1999, for example)
    family2.example.com (uids=2000-2999)
    family3.example.com (uids=3000-3999)
    family4.example.com (uids=4000-4999)
    family5.example.com (uids=5000-5999)
    family6.example.com (uids=6000-6999)

    Where each is a separate domain that trusts the other, and is within one
    forest/tree. Also, they must use something like idmap_ldap (or the
    equivalent) in Samba4 and that mapping must be valid and usable so that
    people in each domain can log in on boxes in the other domains as Linux
    and Windows users and share files and printers without uid collisions or
    other such problems. The only exception is root (uid=0) as each family
    may or may not want root to be shared. Again, I am using the family
    example as it fits even the business cases. I am hoping that Linux users
    can login doing something like windows (user@domain or domain\user).
    > Samba 3 & 4 do indeed incorporate "idmapping" which works pretty much
    > as you describe. The command syntax has grown a lot recently and has
    > not yet been fully documented, but I'd say it's quite powerful. If
    > you can get your interdomain trusts set up right I think you can do
    > what you want, but it's probably going to be dependent on how well you
    > can control access to your directory backend.
    >

    Well, I once read that, at least at one point, idmap didn't work in this
    setup. I was wondering if it has changed (as I can no longer find the
    reference). Also, yes, these will all be Samba based domains (Active
    Directory style). All clients will likely be Vista Business or Ultimate.
    > You haven't specified what directory backend you are running...
    > Microsoft AD? Novell eDirectory? OpenLDAP? Sun? IBM? Fedora DS?
    > There are lots...
    >
    > --Charlie
    >

    Well, Samba 4, so if it has an internal backend (I think that has been
    abandoned, but I'm not certain) then that, or OpenLDAP or Fedora DS, will
    be the backend. I am leaning toward Fedora DS, but I am not certain and
    will accept suggestions.

    I hope this corrects and clarifies my question enough that I can get an
    accurate response.

    This is a forward looking query and I am only interested in Samba 4 as
    it must be Active Directory and Windows server free.

    Thank you,
    Trever Adams


  4. Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

    On Fri, 2008-06-13 at 12:59 -0600, Trever L. Adams wrote:
    > Well, Samba 4 so, if it has an internal (I think that has been
    > abandoned, but not certain) then that, OpenLDAP or Fedora DS will be
    > the
    > backend. I am leaning toward Fedora DS, but I am not certain and will
    > accept suggestions.


    I'll look at the rest of the discussion later, but I want to assure you
    that the 'internal' backend on Samba4 is still the primary focus. The
    LDAP backend experiment continues, and seems to work, but needs the help
    and testing of interested users.

    Questions about Samba4 can best be directed to the samba-technical list,
    where I will notice them better.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.



  5. Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

    On Wed, 2008-06-11 at 01:33 -0600, Trever L. Adams wrote:
    > Good day,
    >
    > I wasn't sure whether this should go to the user list or the
    > samba-technical list. I chose here based on the descriptions of the list.
    >
    > Forgive me if my understanding of the naming is inaccurate. It is my
    > understanding that Samba3 (and I believe 4, as well) has a very powerful
    > SID<->UID mapping mechanism which will auto create the UID in a range.
    > This is what I mean by Unix ID mapping.
    >
    > I have read that this as of yet won't work in a forest, even if the
    > organization is only one organization. I am hoping this isn't true.


    We can map any arbitrary SID to a unix ID, in principle.

    > I am beginning to look at Samba4 for future implementations within
    > organizations I do work for. However, it appears I will need
    > multiple-domain-in-one-forest functionality. Is this implemented or at least planned?


    Samba4 is currently just a single domain, mostly because we have not
    looked at what it would take to extend it.

    > If it is implemented/planned is it possible to do the automatic Unix ID
    > mapping per above? If it is all one domain, is it possible to do this if
    > all the domain controllers/active directory machines are Samba 4?
    > Basically, can each domain have its own UID mapping setup and they will
    > work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
    > exact mechanism my questions may bring to mind may be bad.


    You could easily use a module like idmap_rid to automatically handle the
    mappings, assuming certain limits in the ranges of SIDs expected to be
    valid.

    > Here is the situation, explained in the context of an extended family
    > network:
    >
    > Each family has its own domain (Windows and DNS), policies, etc. Each
    > has its own file servers, mail domains (DNS), etc. Each may share file
    > and printers with other families. This needs to work in Windows and Linux.
    >
    > However, here is the killer, root access to Linux machines is not shared
    > across domains. Nor should Windows system/net/domain admin abilities.
    > However, guests from other families (within the extended family) need to
    > be able to view the shared files as well as log in (without
    > administrative privileges) on computers in the other domains (think
    > visiting family).
    >
    > To do this, auto SID<->UID maps are a must. Domains within the forest
    > will start at 6 at least and grow from there. (This example isn't far
    > from the kinds of things businesses and families ask me to do.)
    >
    > Is all of this possible, planned, or just out there?


    We would need more help to understand your requirements, and figure out
    the best way to implement them, and what assistance you will be able to
    provide to get there. It is best to discuss this on the samba-technical
    list.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.

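The idmap_rid suggestion in Andrew's reply, applied to the per-domain uid ranges Trever laid out in his second post, can be modelled in a few dozen lines. What follows is an added example written for this page, not Samba's code and not anything posted in the thread. It parses idmap config lines in the syntax Samba documents for the rid backend (backend, range and base_rid per domain), checks that the ranges neither overlap each other nor reach into the reserved uid range, and resolves SIDs with the documented idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID. The domain names FAMILY1/FAMILY2, the domain SIDs, the assumption that uids 0-999 stay local, and the next-free allocator standing in for the default '*' backend are all constructed for the example.

```python
"""Model of Samba's idmap_rid mapping across several trusted domains.

Added example, not Samba code: parse 'idmap config' lines, check the
per-domain uid ranges (no overlap, uid 0 and the system range excluded),
map SIDs to uids with the idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID,
and allocate ids for other domains from the default ('*') range.
"""
import re
from dataclasses import dataclass

# Constructed sample config: one rid-mapped, thousand-wide range per family.
# base_rid = 1000 shifts the window so RIDs 1000-1999 (ordinary accounts) land
# in the range; without it the window would only cover RIDs 0-999.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   idmap config FAMILY1 : backend = rid
   idmap config FAMILY1 : range = 1000-1999
   idmap config FAMILY1 : base_rid = 1000
   idmap config FAMILY2 : backend = rid
   idmap config FAMILY2 : range = 2000-2999
   idmap config FAMILY2 : base_rid = 1000
"""
# Constructed domain SIDs (the S-1-5-21-... prefix all accounts of a domain share).
DOMAIN_SIDS = {"S-1-5-21-1111-2222-3333": "FAMILY1",
               "S-1-5-21-4444-5555-6666": "FAMILY2"}
SYSTEM_UID_MAX = 999  # assumption: uids 0-999 stay local (root, system accounts)
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)


@dataclass
class DomainMap:
    name: str
    backend: str
    low: int
    high: int
    base_rid: int = 0


def parse_idmap_config(text):
    """Collect 'idmap config DOM : key = value' lines into one DomainMap per domain."""
    opts = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            opts.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    maps = {}
    for dom, kv in opts.items():
        low, high = (int(x) for x in kv["range"].split("-"))
        maps[dom] = DomainMap(dom, kv.get("backend", "tdb"), low, high,
                              int(kv.get("base_rid", 0)))
    return maps


def check_ranges(maps):
    """List configuration problems that would let uids collide or reach root."""
    problems = []
    ordered = sorted(maps.values(), key=lambda d: d.low)
    for d in ordered:
        if d.low > d.high:
            problems.append(f"{d.name}: empty range {d.low}-{d.high}")
        if d.low <= SYSTEM_UID_MAX:
            problems.append(f"{d.name}: range starts inside the reserved 0-{SYSTEM_UID_MAX}")
    for a, b in zip(ordered, ordered[1:]):
        if b.low <= a.high:
            problems.append(f"{a.name} ({a.low}-{a.high}) overlaps {b.name} ({b.low}-{b.high})")
    return problems


class IdMapper:
    """idmap_rid for configured domains, next-free allocation from '*' for the rest."""

    def __init__(self, maps, domain_sids):
        self.maps, self.domain_sids = maps, domain_sids
        self.default = maps["*"]
        self.allocated = {}  # sid -> uid, the role idmap_tdb's database plays

    def sid_to_uid(self, sid):
        prefix, _, rid = sid.rpartition("-")
        d = self.maps.get(self.domain_sids.get(prefix, ""))
        if d is None or d.backend != "rid":
            return self._allocate(sid)
        uid = int(rid) - d.base_rid + d.low
        return uid if d.low <= uid <= d.high else None  # RID outside the window

    def _allocate(self, sid):
        if sid not in self.allocated:
            nxt = self.default.low + len(self.allocated)
            if nxt > self.default.high:
                return None  # default range exhausted
            self.allocated[sid] = nxt
        return self.allocated[sid]

    def uid_to_sid(self, uid):
        """Reverse a mapping: rid arithmetic for rid ranges, table lookup otherwise."""
        for prefix, name in self.domain_sids.items():
            d = self.maps.get(name)
            if d and d.backend == "rid" and d.low <= uid <= d.high:
                return f"{prefix}-{uid - d.low + d.base_rid}"
        return next((s for s, u in self.allocated.items() if u == uid), None)
```

Two things the thread hinges on show up when you run it. The same RID in two families (1104 in FAMILY1 and in FAMILY2) maps to two different uids, 1104 and 2104, because the ranges are disjoint, so a visiting user never lands on a local account's uid; check_ranges is the test to run before trusting that. And a thousand-wide range only covers a thousand RIDs: with base_rid = 1000 the window is RIDs 1000-1999, so RID 500 (the domain's built-in Administrator) and RID 2500 come back unmapped rather than colliding, which is the "certain limits in the ranges of SIDs expected to be valid" that Andrew's reply warns about.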

