HP CIFS Server 3.0g Administrator's Guide version A.02.03.01: HP-UX 11i v1, v2 and v3 > Chapter 7 Winbind Support

When and How to Deploy Winbind


Commonly Asked Questions

This section answers some common questions that arise when deciding whether to use winbind:

How do I control the access that all these winbind generated identities have?

The most common ways to control access to resources are as follows:

  • Control access to the HP CIFS shares by using the valid users = [user/group name list] parameter in the smb.conf file.

  • Use standard UNIX group and ownership permissions on directories and files to further limit access.

  • Use ACLs on files and directories as needed.

What can I do so that native UNIX users can automatically access files created by their Windows account?

Windows users, including winbind users, can be mapped to a specific UID using the username.map utility. When this is done for a winbind user name, winbind still allocates a UID for that name and the wbinfo tool still reports it. This allows the native UNIX user and the Windows or winbind user to share the same UID and therefore belong to the same UNIX groups. When the user gains access to the system through the HP CIFS Server, the user is no longer granted access to resources based on the permissions of any Windows group that the Windows user belongs to. Files or directories the user creates are owned by the UNIX user name and the primary group of that UNIX user name. This type of user name mapping can be implemented automatically through the username map script, which minimizes the administration of a user name map file.

How can I provide selective permission to a group with some native UNIX users and some windows users?

This is a problem because HP-UX does not allow Windows or winbind users as members of a UNIX group. There is no way to add native UNIX users to Windows or winbind groups.

You can create a group with both native UNIX members and Windows or winbind members, but it requires that you perform the following administration tasks:

  • Map one or more winbind users or groups to a UNIX user.

  • Assign the mapped UNIX user to a native UNIX group.

  • Assign the selective native UNIX users to the same group.

The following are some drawbacks that you need to take into consideration if you use the above solution:

  • Windows groups that are not assigned GIDs by winbind cannot be mapped to a UNIX user. You must use winbind if you want to map specific Windows groups to a UNIX user name.

  • Once mapped, the session of the mapped user does not belong to the Windows groups of the original Windows user. The user no longer gains access to resources through the windows groups on the mapped server.

  • If a UNIX user is mapped from several Windows or winbind users or groups, the files of all the mapped users are created with the same owner and primary group names. From a file system perspective you cannot tell which user actually created a file or directory.

Why can’t I use the net groupmap utility to map a Windows group to a UNIX group and then add UNIX members to this group?

The net groupmap feature allows administrators to assign Windows group RIDs to UNIX groups, so that Windows clients can recognize those groups and use them when setting permissions on the local server's resources. A complete SID is generated by appending the entered RID to the SID of the server, which makes them local groups on CIFS member servers. You can edit /etc/group to add Windows or winbind names as members, but the file system does not recognize those names when granting access.

Considering Alternatives

The purpose of winbind is to automate the creation of UIDs and GIDs and to maintain their correspondence to Windows SIDs, minimizing identity management effort. This is not required in all environments. Your environment may have few users, or it may already have HP-UX user requirements for UNIX activities that make separate Windows and UNIX management acceptable (consider using a user name map file; see the SWAT help for the smb.conf parameter username map). Several other alternatives may also meet your requirements. Consider the following alternatives before deploying winbind:

  • Username map script

    One alternative to winbind for assigning UIDs is to create and configure a “username map script” that selectively assigns users. The script can create and/or assign a native UNIX user name based on the Windows name requesting access. The groups that a specific user belongs to depend on how the script is implemented, but they will be native UNIX groups because the mapping is to a native UNIX user. If the script provides an output name, its result overrides any match in the user name map file.

  • Create users on-the-fly

    One alternative to winbind is to allow an HP-UX user to be added “on-the-fly” during a Windows user’s first HP CIFS login. Set the add user script parameter in the smb.conf file. For example:

    add user script = /usr/sbin/useradd -g users -c "Auto_Account" -s /bin/false %u

    In the above example, %u is a macro that expands to the Windows user name. The HP-UX user name is created to match the Windows name. It is stored and managed in the same way as other UNIX users, separately from Windows users.

    NOTE: On HP-UX 11v1 and v2, this solution is limited by the useradd command’s eight-character maximum name length. All Windows user names have to be limited to eight characters; the command fails if the %u macro user name does not meet the constraints of the useradd command. On HP-UX 11v3, you can explicitly enable the system for expanded user and group names by using the lugadmin command; the lugadmin -e option enables long user names. Refer to the lugadmin man page for details. Once the system is enabled for long user and group names, it cannot be disabled. When the expanded user and group name feature is enabled, all the user and group management commands (useradd, usermod, userdel, groupadd, groupmod and groupdel) allow you to create and update users with long user and group names. Some products have limitations; consult the HP-UX 11v3 documentation before enabling the long name feature.

  • Services for UNIX (SFU)

    For environments with Windows 2000 or 2003 Domain Controllers, Microsoft offers Services for UNIX (SFU) which provides a variety of tools to support Windows and UNIX inter-operability including sharing identity credentials. SFU downloads and technical papers are available from Microsoft’s TechNet at the following web site:

    http://technet.microsoft.com

    SFU features are incorporated into Windows Active Directory Server 2003 Release 2 (R2), so no download is necessary for this version.

    There are two approaches to integrating HP-UX account management and authentication with Windows SFU:

    • NIS

      One of the SFU tools, Server for NIS, enables Windows to serve as a NIS server. Windows Active Directory Server (ADS) stores user account and group information including SID, UID, and GID in the Windows ADS schema.

    • LDAP

      When using LDAP-UX Client Services, HP-UX uses Windows ADS directly. SID, UID, and GID information is stored as attributes of a user account in the Windows ADS schema.

    With SFU, HP CIFS Server can access both Windows and UNIX identity information from the Windows Domain Controller.
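As an added example (not code from the HP guide), the following script serves both the username map script and the add user script hooks described above, and enforces the eight-character useradd limit from the NOTE instead of truncating names. The script path, the argument layout and the convention that the map hook prints the UNIX name on stdout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the HP guide. One script serving both
# smb.conf hooks discussed above (path and argument layout are assumed):
#   username map script = /usr/local/sbin/smbnames.sh map
#   add user script     = /usr/local/sbin/smbnames.sh add %u
# Assumed convention: the map hook gets the Windows name as $2 and prints
# the UNIX name on stdout (prints nothing when it declines to map); the
# add hook gets the %u name as $2. MAXLEN mirrors the eight-character
# useradd limit on 11i v1/v2 from the NOTE; raise it on an 11i v3 system
# after enabling long names with lugadmin -e.
MAXLEN=${MAXLEN:-8}

# Returns 0 if NAME is acceptable to useradd under a conservative policy:
# non-empty, at most MAXLEN characters, starts with a lowercase letter,
# and uses only lowercase letters, digits and underscore.
validate_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le "$MAXLEN" ] || return 1
    case $name in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Derives a UNIX name from a Windows name: strip a DOMAIN\ prefix, lowercase,
# and turn characters useradd rejects into '_'. The result is printed only if
# it passes validate_name unchanged: truncating a long name would let two
# distinct Windows accounts collapse into one UNIX identity.
map_name() {
    n=${1##*\\}
    n=$(printf '%s' "$n" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_' '_')
    if validate_name "$n"; then
        printf '%s\n' "$n"
        return 0
    fi
    return 1
}

case $1 in
    map) map_name "$2" ;;
    add) validate_name "$2" || { logger -p auth.warning "smbnames: rejected '$2'"; exit 1; }
         exec /usr/sbin/useradd -g users -c "Auto_Account" -s /bin/false "$2" ;;
    *)   ;;   # run without a hook name: define the functions only
esac
```

A rejected map request prints nothing, so smbd falls back to the user name map file or denies the name, rather than silently merging two Windows users into one UNIX account.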

HP CIFS Deployment Model Consideration

When winbind is desired, consider how your environment best fits into the following HP CIFS deployment models. See Chapter 9 for detailed information on HP CIFS deployment models.

  • Samba Domain Model

    A Samba Domain consists of HP CIFS Servers and no Windows Domain Controllers. The Samba Domain deployment may benefit from the use of winbind when the domain trusts other domains. Rather than managing local UNIX users for corresponding Windows/Samba users for all trusted domains, winbind can be used to generate the UIDs and GIDs required for the trusted domains. When multiple domains are involved, HP suggests that you configure winbind with LDAP to use the sambaUnixIDPool identity allocation algorithm.

    UNIX user requirements are likely to drive management of users in Samba Domain deployments. HP recommends that you use the syncsmbpasswd script to generate Samba user entries based on the existing UNIX user entries. See the syncsmbpasswd man page for more information. Note that the name "syncsmbpasswd" originates from the name of the password file. This tool only creates Samba user entries; it is not possible to translate UNIX passwords into Samba passwords. Winbind bases its mappings on existing Windows/Samba identities rather than on existing UNIX users, so it may be of little use in many Samba Domains.

    Domain member servers may use winbind to minimize management of all domain users. However, HP CIFS Primary Domain Controllers may only make use of winbind to minimize management of trusted domain users.

  • Windows Domain Model

    In the Windows Domain deployment, the Windows NT or ADS Domain Controller does not use Windows Services for UNIX (SFU) to maintain UNIX UID and GID data. HP CIFS Servers participate as member servers and may benefit from winbind to create the local UNIX UIDs and GIDs that correspond to Windows identities, or when other domains are trusted. Even when a Windows Domain Controller provides primary domain authentication, HP CIFS member servers benefit from an LDAP directory server: winbind can then store its ID maps in the LDAP directory and keep the ID maps unique across multiple HP CIFS member servers. You can deploy winbind with the idmap rid method when your environment does not require domain trusts.

  • Unified Domain Model

    In the Unified Domain environment, the Windows 2000 or 2003 Domain Controller maintains the unique user UID and GID data with Windows Services for UNIX (SFU), so it is not necessary to deploy winbind.

© 2007 Hewlett-Packard Development Company, L.P.