path: root/docs/README.idmap-and-winbind-changes
blob: a892343c6efac44831b4013113ceeb35b8d8071c (plain)
## Date:   2003-07-09
## Author: Gerald (Jerry) Carter <jerry@samba.org>
## Title:  README.idmap-and-winbind-changes

Introduction
------------

Beginning with Samba3.0.0beta3, winbindd has been given new account
management functionality equivalent to the 'add user script' family of
smb.conf parameters.  The idmap design has also been changed to centralize
control of foreign SID lookups and their matching to UNIX uids and gids.


Brief Description of Changes
----------------------------

1) The sid_to_uid() family of functions (smbd/uid.c) have been reverted 
   to the 2.2.x design.  This means that when resolving a SID to a UID
   or similar mapping:

	a) First consult winbindd.
	b) Perform a local lookup only if winbindd fails to
	   return a successful answer.
	   
   There are some variations to this, but these two rules generally
   apply.

2) All idmap lookups have been moved into winbindd.  This means that
   a server must run winbindd (and support NSS) in order to achieve
   any mappings of SID to dynamically allocated UNIX ids.  This was 
   a conscious design choice.

3) New functions have been added to winbindd to emulate the 'add user script'
   family of smbd functions without requiring that external scripts
   be defined.  This functionality is controlled by the 'winbind enable local 
   accounts' smb.conf parameter (enabled by default).
   
   However, this account management functionality is only supported in
   a local tdb (winbindd_idmap.tdb).  If these new UNIX accounts must be 
   shared among multiple Samba servers (such as a PDC and BDCs), it
   will be necessary to define your own 'add user script' et al.
   programs that place the accounts/groups in some form of directory
   such as NIS or LDAP.  This requirement was deemed beyond the scope
   of winbind's account management functions.  Solutions for distributing 
   UNIX system information have been deployed and tested for many years.
   We saw no need to reinvent the wheel.
   
4) A member of a Samba controlled domain running winbindd is now able to
   map domain users directly onto existing UNIX accounts while still
   automatically creating accounts for trusted users and groups.  This
   behavior is controlled by the 'winbind trusted domains only' smb.conf
   parameter (disabled by default to provide 2.2.x winbind behavior).

5) Group mapping support is wrapped in the local_XX_to_XX() functions   
   in smbd/uid.c.  The reason that group mappings are not included
   in winbindd is because the purpose of Samba's group map is to 
   match any Windows SID with an existing UNIX group.  These UNIX
   groups can be created by winbindd (see next section), but the 
   SID<->gid mapping is retrieved by smbd, not winbindd.
   

Examples
--------

* security = server running winbindd to allocate accounts on demand

* Samba PDC running winbindd to handle the automatic creation of UNIX 
  identities for machine trust accounts
  
* Automatically creating UNIX users and groups when migrating a Windows NT
  4.0 PDC to a Samba PDC.  Winbindd must be running when executing
  'net rpc vampire' for this to work.
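As an added example (not part of the original README), the smb.conf fragment below shows how the parameters described in points 2 to 4 fit together on a domain member that maps its own domain's users onto existing UNIX accounts while letting winbindd allocate ids for trusted domains; the workgroup name and id ranges are constructed assumptions, and 'idmap uid'/'idmap gid' are the 3.0-series range parameters rather than anything this README itself names.

```ini
[global]
   ; constructed sample domain name
   workgroup = EXAMPLE
   security = domain

   ; Point 2: all idmap lookups live in winbindd, so winbindd must run and
   ; NSS must resolve through it (passwd/group: files winbind in
   ; /etc/nsswitch.conf) for any dynamically allocated SID -> id mapping.
   ; The ranges below are assumed values, not from the README.
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   ; Point 3: winbindd creates UNIX accounts itself in winbindd_idmap.tdb
   ; instead of calling an external 'add user script'.  This is the
   ; default; it is written out here so the choice is visible.  Leave the
   ; 'add user script' family defined instead when accounts must be shared
   ; across a PDC and BDCs via NIS or LDAP.
   winbind enable local accounts = yes

   ; Point 4: users of our own domain are mapped directly onto existing
   ; UNIX accounts; only users and groups from trusted domains get
   ; automatically created accounts.  Default is 'no' (2.2.x behaviour).
   winbind trusted domains only = yes
```

With 'winbind trusted domains only = yes', a domain user whose name has no matching entry in the local passwd database will not be allocated an id, so the existing UNIX accounts must be in place before the server joins the domain.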