Feature #36963

Allow NIS to be ID provider for Active Directory

Added by Andrew Walker 10 months ago. Updated 9 months ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: OS
Target version:
Estimated time:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:

Description

In addition to the autorid, rid, ad, etc. idmap backends, it's possible in Samba to use external directory services to provide IDs for domain users. We have at least two customers that want this, and in general it's a good feature to have.

We can mostly support this out of the box with the new UI in the nightlies as far as I can tell. I have it working in a test environment. The only code change I had to make was as follows:

root@catherder:/usr/local/lib/python3.6/site-packages/middlewared/etc_files # diff -u nsswitch.conf.orig nsswitch.conf
--- nsswitch.conf.orig    2018-07-06 19:02:32.698539683 -0400
+++ nsswitch.conf    2018-07-06 19:02:52.887779423 -0400
@@ -20,10 +20,6 @@
         passwd = ['files']
         sudoers = ['files']

-        if ad_enabled or dc_enabled:
-            group.append('winbind')
-            passwd.append('winbind')
-
         if ldap_enabled:
             ldap_anonymous_bind = safe_call('notifier.common', 'system', 'ldap_anonymous_bind')
             ldap_sudo_configured = safe_call('notifier.common', 'system', 'ldap_sudo_configured')
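
Review bot: Removing the `if ad_enabled or dc_enabled:` block here, directly after the `passwd = ['files']` / `sudoers = ['files']` initialisation, leaves nothing in the template that says source order is significant. The generated `group:` and `passwd:` lines list sources in append order, so the position of each `if` block is the only thing fixing lookup precedence. Add a short comment above `if ldap_enabled:` stating that winbind is deliberately appended after ldap and nis, so a later cleanup does not move it back to this spot.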
@@ -41,6 +37,10 @@
             group.append('nis')
             hosts.append('nis')
             passwd.append('nis')
+
+        if ad_enabled or dc_enabled:
+            group.append('winbind')
+            passwd.append('winbind')
 %>

 group: ${' '.join(group)}
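
Review bot: The re-added `if ad_enabled or dc_enabled:` block after `passwd.append('nis')` has no guard on NIS or LDAP being the ID provider, so it changes precedence for every AD or DC setup that also has ldap or nis enabled: `group` and `passwd` now end in `... nis winbind`, and a user or group name that exists in both sources is answered by ldap or nis before winbind is consulted. If that is intended for all such configurations, say so in a comment on this block and note it for release documentation; if it is only wanted when an external directory supplies the IDs, condition the ordering on that case. Fixing the order by block position also makes the per-source ordering mentioned as future work harder to retrofit, so building the lists from a single ordered sequence of enabled sources would be the cleaner shape.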

This allowed me to set up NIS and LDAP as ID providers with a slightly customized smb4.conf file and the idmap_nss backend.


Related issues

Copied to FreeNAS - Feature #40684: Allow NIS to be ID provider for Active Directory (Done)

History

#1 Updated by Dru Lavigne 9 months ago

  • Category set to OS
  • Assignee changed from Release Council to John Hixson

#2 Updated by Andrew Walker 9 months ago

Big picture, we have idmap_rfc2307 for the case of using an external LDAP server (i.e. one external to AD) to provide IDs. So the above change is really only needed for the case of enabling NIS and AD simultaneously with NIS providing id mappings. I guess it also helps on the off chance that NIS is providing a range of IDs and LDAP another (I hope this doesn't occur in real life).

#3 Updated by Andrew Walker 9 months ago

  • Subject changed from Allow LDAP and NIS to be ID providers for Active Directory to Allow NIS to be ID provider for Active Directory.

#4 Updated by Andrew Walker 9 months ago

#5 Updated by Dru Lavigne 9 months ago

  • Target version changed from Backlog to 11.2-BETA2

#6 Updated by John Hixson 9 months ago

  • Assignee changed from John Hixson to Andrew Walker

Approved the PR. As stated in the PR: In the future when we re-work this, we will want the ability to specify order for this, but that's a way out so this will do for now. Andrew, please merge then mark this ready for testing.

#7 Updated by Dru Lavigne 9 months ago

  • Status changed from Unscreened to In Progress

#8 Updated by John Hixson 9 months ago

Merged.

#9 Updated by John Hixson 9 months ago

  • Status changed from In Progress to Ready for Testing

#10 Updated by Dru Lavigne 9 months ago

  • Subject changed from Allow NIS to be ID provider for Active Directory. to Allow NIS to be ID provider for Active Directory
  • Needs Merging changed from Yes to No

#11 Updated by Dru Lavigne 9 months ago

  • Needs Doc changed from Yes to No

#13 Updated by Bonnie Follweiler 9 months ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

Passed Testing in FreeNAS-11.2-MASTER-201807260859
(Build Date: Jul 26, 2018 12:8)

#14 Updated by Dru Lavigne 9 months ago

  • Status changed from Passed Testing to Done

#15 Updated by John Hixson 9 months ago

  • Copied to Feature #40684: Allow NIS to be ID provider for Active Directory added
