Tips and tricks: How can I configure winbind to synchronize user and group IDs across multiple Red Hat Enterprise Linux hosts on Active Directory accounts?
by the editorial team
Release Found: Red Hat Enterprise Linux 4 and 5
This article describes using the winbind idmap_rid mechanism to deliver a consistent mapping of Windows SIDs to UNIX user and group IDs across multiple Red Hat Enterprise Linux hosts. It applies to Red Hat Enterprise Linux 4 and 5.
Using LDAP for the idmap backend achieves a similar goal, as explained in this kbase article: http://kbase.redhat.com/faq/FAQ_71_11146.shtm. However, the benefit of using the rid idmap backend is that it doesn't require any additional network servers or services to be configured. It does have one limitation: it can only be used within single-domain environments and is not compatible with trusted domain implementations.
Assumption:
The machine is joined to the AD domain and winbind is successfully being used for domain account authentication and the retrieval of domain account information. If this is not yet configured please consult other kbase articles for setting this up.
Configuration:
Edit /etc/samba/smb.conf and add the following entries to the [global] section:
allow trusted domains = no
idmap backend = idmap_rid:MYDOMAIN=10000-20000
The range given to idmap_rid should be the same as the range configured for idmap uid and idmap gid. Restart smb and winbind for the new idmap settings to take effect.
The consistent ID mapping is achieved by adding the RID portion of the Windows SID to the idmap base value (the low end of the range). For example, using the range specified above, a user with a RID of 1117 will be mapped to UID 11117. This user will receive the same UID on every Red Hat Enterprise Linux host using this same Samba configuration. A user's SID can be viewed by running wbinfo -n <domainuser>
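To make the arithmetic concrete, the following shell script is an added example (it is not part of the Red Hat article): it extracts the RID from a SID string and applies the 10000-20000 range from the smb.conf entries above, refusing RIDs that would fall outside the range, which is the case winbind itself cannot map. The SID used is a constructed sample, and the sid_rid, rid_to_id and sid_to_id function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: reproduce the idmap_rid
# arithmetic so an administrator can predict the UID/GID a domain account
# will receive before flushing the winbind cache.  The range values are the
# 10000-20000 from the smb.conf entry; the SID below is a constructed sample.

IDMAP_LOW=10000
IDMAP_HIGH=20000

# sid_rid SID -> prints the RID (the last dash-separated component) of a
# domain SID of the form S-1-5-21-<d1>-<d2>-<d3>-<rid>; fails on anything else
# (for example well-known SIDs such as S-1-5-32-544, which are not domain RIDs).
sid_rid() {
    sid=$1
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain SID: $sid" >&2; return 1 ;;
    esac
    rid=${sid##*-}
    case "$rid" in
        ''|*[!0-9]*) echo "bad RID in $sid" >&2; return 1 ;;
    esac
    echo "$rid"
}

# rid_to_id RID -> prints IDMAP_LOW + RID, the ID idmap_rid assigns, or fails
# when the result would exceed IDMAP_HIGH (winbind cannot map such a RID).
rid_to_id() {
    rid=$1
    id=$((IDMAP_LOW + rid))
    if [ "$id" -gt "$IDMAP_HIGH" ]; then
        echo "RID $rid maps to $id, above the range high value $IDMAP_HIGH" >&2
        return 1
    fi
    echo "$id"
}

# sid_to_id SID -> the UID or GID for SID, combining the two steps above.
sid_to_id() {
    rid=$(sid_rid "$1") || return 1
    rid_to_id "$rid"
}

# Constructed sample SID; on a real host obtain it with: wbinfo -n 'MYDOMAIN\user'
SAMPLE_SID="S-1-5-21-1111111111-2222222222-3333333333-1117"
sid_to_id "$SAMPLE_SID"   # prints 11117
```

Because a group's SID is built the same way, the same function predicts GIDs; a range of 10000-20000 therefore only covers RIDs up to 10000, and a domain whose RIDs have grown past that needs a wider range before idmap_rid is enabled.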
Caveat:
If domain users have already been queried or authenticated through winbind before idmap_rid was set up, they will have existing UID and GID values mapped to their Windows SIDs on a first-come-first-served basis. These mappings have to be removed so that the consistent RID-based mappings can be used instead. Delete the winbind cache files containing the existing identity maps; these files are /var/cache/samba/winbind_*.tdb. After deleting these files, restart winbind to generate new idmap files.
The problem with this, of course, is that existing files and directories belonging to domain users will still carry the previous UID and GID values. The root user will have to run chown against these files to reflect the new ID values.
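The chown step is easy to get wrong if the old IDs are not recorded before the cache is deleted, so here is an added shell example (not part of the Red Hat article) of one way to do it: snapshot getent passwd and getent group before and after the switch, derive the old-to-new ID pairs for every account whose number changed, and re-own files accordingly. The snapshot file names, the id_changes and remap_ids function names and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: re-own files after the switch
# to idmap_rid changes domain users' UIDs and GIDs.
#
# Intended workflow (all as root):
#   1. before deleting /var/cache/samba/winbind_*.tdb, snapshot the old
#      first-come-first-served mappings (file names are assumptions):
#         getent passwd > /root/passwd.before; getent group > /root/group.before
#   2. add the idmap_rid settings to smb.conf, delete the cache files,
#      restart smb and winbind
#   3. snapshot the new RID-based mappings:
#         getent passwd > /root/passwd.after;  getent group > /root/group.after
#   4. remap_ids / /root/passwd.before /root/passwd.after uid
#      remap_ids / /root/group.before  /root/group.after  gid
# Set DRY_RUN=1 to print the find/chown commands instead of running them.

# id_changes BEFORE AFTER -> prints "oldid newid" for every account name
# present in both snapshots whose numeric id (third colon-separated field)
# changed.  passwd and group files share this layout, so it serves both.
id_changes() {
    awk -F: 'NR == FNR { old[$1] = $3; next }
             ($1 in old) && old[$1] != $3 { print old[$1], $3 }' "$1" "$2"
}

# remap_ids ROOT BEFORE AFTER uid|gid -> chown (or chgrp) every file under
# ROOT on the same filesystem from each old id to its new id.  -h changes the
# ownership of symlinks themselves rather than their targets; -xdev keeps find
# from wandering into /proc, NFS mounts and the like.
remap_ids() {
    root=$1; before=$2; after=$3; kind=$4
    case "$kind" in
        uid) test_flag=-uid; change=chown ;;
        gid) test_flag=-gid; change=chgrp ;;
        *) echo "usage: remap_ids ROOT BEFORE AFTER uid|gid" >&2; return 1 ;;
    esac
    run=${DRY_RUN:+echo}
    id_changes "$before" "$after" | while read -r oldid newid; do
        $run find "$root" -xdev "$test_flag" "$oldid" -exec "$change" -h "$newid" {} +
    done
}
```

Run the uid pass before the gid pass or after it, the order does not matter, but always dry-run first and review the list of changed IDs: an account whose old ID collides with another account's new ID would be re-owned twice, which is the main reason to take the snapshots while the old mappings are still in place rather than guessing afterwards.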
November 13th, 2007 at 2:22 am
Thanks for the tip..
When you say that 'The root user will have to run chown against these files to reflect the new id values', you can first use setfacl to 'save' permissions, configure the idmap backend, restart samba and winbind, and then use setfacl --restore to set correct permissions back... faster than chown...
November 13th, 2007 at 1:25 pm
Slight correction. For RHEL 4 you need at least U4 in place to use idmap_rid.