SAM, GUMS, IDMAP: From discussion to reality
by Andrew Bartlett & Simo Sorce
User Management in samba 2.0
Smbpasswd is used mainly for password storage
No other password database backend
Smbpasswd stores the unix user name and uid
(diagram: SMBD reads passwords only from Smbpasswd and resolves the POSIX user with getpwnam())
User Management in samba 2.2
Multiple password databases
Databases can store other Windows related user data
The backends store the unix user name and the uid
Domain users provided through winbindd
(diagram: SMBD; passdb backends Smbpasswd, Ldapsam, Tdbsam and Nisplussam holding passwords and other user info; POSIX users via getpwnam() and nsswitch from /etc/passwd, LDAP, NIS+ or Winbindd; Winbindd talks to the PDC for authentication, user info and UID/GID<>SID mapping for the domain)
User Management in samba 3.0alpha
(diagram: SMBD; the passdb modules interface with backends Smbpasswd, Ldapsam, Tdbsam, Nisplussam, Xml, MySQL and "Winbindd_pdb?" holding passwords and user info; POSIX users via getpwnam() and nsswitch from /etc/passwd, LDAP, NIS+ or Winbindd; IDMAP; Winbindd talks to the PDC for authentication, SIDs and other user info)
What is a 'SAM'
Users:
Username
Full Name, Description
SID
Password
Home, Profile, ... locations
Logon restrictions: Hours, Machines, Expiry, 'Times'
Dialup Properties
Machines, Trusted Domains...
Our passdb
Loadable modules
Weak group support
No privileges support
Arbitrary RID support
Passdb backends:
Smbpasswd: stores only passwords
Tdbsam: stores all the user information as NT4 does; easy to set up; easy to backup through tdbdump
Our passdb
Ldapsam:
Stores all the user information as NT4 does
Easy Unix/Samba user information coupling
Easy replication over multiple servers
Easy multi-DC/multi-server infrastructures
Not so easy to set up for non-experienced admins
Easy integration with other services (Mail, ...)
So where is the problem?
Windows uses Security IDs (SIDs), not UIDs or GIDs.
A SID can identify more things than merely users or groups:
World (S-1-1-0)
Local System (S-1-5-18)
A domain (S-1-5-21-...; the slide's example SID, S15211721414241570541885638950510, lost its separators in extraction)
All authenticated users (S-1-5-11)
...
Windows has a unified case-insensitive name space.
NT Local Groups can contain groups and users.
POSIX groups can contain only users.
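As an added illustration of why a SID cannot simply be treated as a UID or GID (example code written for this transcript, not from the Samba project): it parses the textual SID form, recognises the well-known SIDs named above, and splits a domain account SID into its domain part and RID. The well-known name table and any sample SIDs are constructed for the example.

```python
# Added example (not Samba code): parse Windows SIDs and tell well-known SIDs
# apart from domain-relative ones. A SID names more than users and groups, so
# it carries no UID/GID meaning by itself.
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known SIDs named on the slide (table constructed for this example).
WELL_KNOWN = {
    "S-1-1-0": "World",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
}

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauths: Tuple[int, ...]

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauths)])

def parse_sid(text: str) -> Sid:
    """Parse the textual S-R-I-S... form and reject anything malformed."""
    parts = text.upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = tuple(int(p) for p in parts[3:])
    # Revision is always 1; the authority is 48 bits; at most 15 32-bit sub-authorities.
    if revision != 1 or authority >= 1 << 48 or len(subauths) > 15:
        raise ValueError(f"SID out of range: {text!r}")
    if any(s >= 1 << 32 for s in subauths):
        raise ValueError(f"sub-authority too large: {text!r}")
    return Sid(revision, authority, subauths)

def classify(text: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (kind, domain_sid, rid). Only S-1-5-21-... SIDs split into a
    domain part plus RID; everything else is well-known or some other object."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN:
        return ("well-known: " + WELL_KNOWN[str(sid)], None, None)
    if sid.authority == 5 and sid.subauths[:1] == (21,):
        if len(sid.subauths) == 4:   # S-1-5-21-a-b-c: the domain itself
            return ("domain", str(sid), None)
        if len(sid.subauths) == 5:   # S-1-5-21-a-b-c-RID: an account in that domain
            domain = Sid(sid.revision, sid.authority, sid.subauths[:4])
            return ("domain account", str(domain), sid.subauths[4])
    return ("other", None, None)
```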
Names and ID spaces
POSIX: User Names, UIDs, GIDs
Win32: User/Group Names, Workstation Names, SIDs
The Ideal SAM
Only SIDs, no UID/GIDs
Unified case-insensitive name space
Never check unix users
Trust the idmap system
Possibly users are provided back to the underlying system through winbindd
IDMAP
(diagram: SIDs from Domain A, Domain B, Workstation and Unknown sources pass through IDMAP to UIDs and GIDs)
IDMAP
SID<>[U,G]ID MAPping
Only map SIDs to UID/GIDs, nothing else
It is a “persistent cache”
SID<>[U,G]ID mapped when (if) needed
IDMAP with multiple servers
(diagram: several Local IDMAPs send IDMAP mapping requests to a Central IDMAP Server)
IDMAP with multiple servers
UIDs, GIDs allocated randomly
All kept consistent by a central server
The central server handles all the mappings
Peripheral servers keep a “permanent cache”
[U,G]ID Exhaustion
SID space is a lot bigger than UID/GID space
Changing a mapping can be a security issue
Changes will be an admin responsibility
A notification mechanism based on sequence numbers will be implemented
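A small model of the IDMAP behaviour described in the last few slides, added here as an example and not Samba's own idmap code: it allocates a UID or GID only when a SID is first seen, keeps the result in a persistent store, refuses to silently re-type an existing mapping, raises when the configured range is exhausted, and bumps a sequence number on administrative changes. The JSON file format, lowest-free allocation (the slides mention random allocation) and the sequence-number bookkeeping are this example's assumptions.

```python
# Added example, not Samba's idmap code: a persistent SID -> UID/GID cache.
import json
from pathlib import Path
from typing import Dict, Tuple

class IdmapExhausted(Exception):
    """No free ID is left in the configured range."""

class Idmap:
    def __init__(self, path: Path, low: int, high: int) -> None:
        self.path, self.low, self.high = path, low, high
        state = json.loads(path.read_text()) if path.exists() else {}
        # sid -> (kind, id); JSON stores each pair as a list, so rebuild the tuple.
        self.by_sid: Dict[str, Tuple[str, int]] = {
            s: (k, i) for s, (k, i) in state.get("by_sid", {}).items()}
        self.seq: int = state.get("seq", 0)  # bumped on admin changes (assumed design)

    def _save(self) -> None:
        self.path.write_text(json.dumps({"by_sid": self.by_sid, "seq": self.seq}))

    def _used(self, kind: str) -> set:
        return {i for k, i in self.by_sid.values() if k == kind}

    def sid_to_id(self, sid: str, kind: str) -> int:
        """Return the cached ID for sid, allocating from the range only on first use."""
        if kind not in ("uid", "gid") or not sid.upper().startswith("S-1-"):
            raise ValueError(f"bad request: {sid!r} as {kind!r}")
        if sid in self.by_sid:
            cached_kind, ident = self.by_sid[sid]
            if cached_kind != kind:  # a SID is one thing; never hand it out as the other
                raise ValueError(f"{sid} is already mapped as a {cached_kind}")
            return ident
        used = self._used(kind)
        # The SID space dwarfs the UID/GID range, so running out is a real outcome.
        for candidate in range(self.low, self.high + 1):
            if candidate not in used:
                self.by_sid[sid] = (kind, candidate)
                self._save()
                return candidate
        raise IdmapExhausted(f"no free {kind} left in {self.low}-{self.high}")

    def admin_remap(self, sid: str, kind: str, ident: int) -> int:
        """Explicit administrative change only: rewrite one mapping and bump the
        sequence number so peers can tell that their cached copy is stale."""
        if ident in self._used(kind) and self.by_sid.get(sid) != (kind, ident):
            raise ValueError(f"{kind} {ident} already belongs to another SID")
        self.by_sid[sid] = (kind, ident)
        self.seq += 1
        self._save()
        return self.seq
```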
SAM vs GUMS: A brief history of the internal fork
(diagram: Passdb, SAM, GUMS)
Dead paths:
Multiple domain support
Multiple backends active at same time
What we wanted:
The perfect SAM (accounts, privs, etc.)
The perfect IDMAP
Winbind on PDC
How to Proceed
Real needs: a system that is good enough
What will be in 3.0?
IDMAP
A possibly improved passdb
Winbind on PDC (?)
Samba 3.0 Out!