[Samba] User and Group mapping

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jan 13 15:14:10 MST 2010


On the PDC, both the unix and samba account info is on that machine.
The samba user info includes which is the local unix user. On the
member server, the samba account info is pulled from the PDC. Which
means that even if both unix machines have identical unix accounts (e.g.
the same /etc/passwd and /etc/group file, or use NIS, NIS+ or LDAP)
winbind ignores this. Your member machine probably has an idmap
range - so that samba can assign unix uids and gids for the "foreign"
samba accounts. (Even though you would think this isn't necessary.)


I found this wasn't so much a problem if most of the permission
management was handled on the unix level - but the moment you started
setting perms in windows the "rob 1000" and "rob 10020" became a
problem. This bugged me for years.

My first workaround was to use LDAP for the IDMAP backend and then
manually edit the uid and gid fields in the idmap entries to match the
unix ones. In the end, I changed everything to an ldap backend and
changed the member server to a BDC.




On 01/13/10 16:39, Robert Steinmetz wrote:
> I have two servers running Samba, one as a Domain Controller one as a 
> Member Server. Both are running Ubuntu 8.10 and running smbd, nmbd and 
> winbindd using the tdb back end.
>
> I am having a problem understanding ID mapping. The mapping is not the 
> same on both machines.
>
> On the Domain Controller
>
>> root at thelma:/etc/init.d# wbinfo -i 'ATLANTA\rob'
>> rob:*:1000:2003:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/false
>> root at thelma:/etc/init.d# wbinfo -i 'ATLANTA\trish'
>> trish:*:1033:2003::/home/ATLANTA/trish:/bin/false
> On the Member Server
>> root at louise:/etc/samba# wbinfo -i 'ATLANTA\rob'
>> ATLANTA\rob:*:10020:10001:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/bash
>
>> root at louise:/etc/samba# wbinfo -i 'ATLANTA\trish'
>> ATLANTA\trish:*:10037:10001::/home/ATLANTA/trish:/bin/bash
> Note the different UID and GID
>
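
Added example, not part of the original thread or of Samba: a small Python check that compares `wbinfo -i` output captured on the domain controller and on the member server and reports every account whose UID or GID differs, which is the condition that makes file ownership and ACLs resolve to different identities on the two hosts. The sample input is the output quoted above (wrapped line rejoined); the function names and the 10000-20000 idmap range are assumptions for illustration, so substitute the range from the member server's own smb.conf.

```python
"""Compare `wbinfo -i` output captured on two Samba hosts and report UID/GID drift."""
from typing import NamedTuple


class Entry(NamedTuple):
    uid: int
    gid: int


def parse_wbinfo(text: str) -> dict:
    """Parse passwd-style lines (name:pw:uid:gid:gecos:home:shell), keyed by bare user name."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip prompts, blank lines and anything not passwd-shaped
        # The member server prints DOMAIN\user, the DC prints the bare name.
        name = fields[0].rsplit("\\", 1)[-1].lower()
        entries[name] = Entry(int(fields[2]), int(fields[3]))
    return entries


def find_drift(dc: dict, member: dict, idmap_range=(10000, 20000)) -> list:
    """Return one record per user whose uid or gid differs between the two hosts."""
    lo, hi = idmap_range  # assumed range; read the real one from the member's smb.conf
    drift = []
    for name in sorted(dc.keys() & member.keys()):
        a, b = dc[name], member[name]
        if a != b:
            drift.append({
                "user": name, "dc": a, "member": b,
                # True when the member-side uid falls inside the idmap allocation range
                "member_uid_from_idmap": lo <= b.uid <= hi,
            })
    return drift


# Sample input: the wbinfo output quoted in the thread (wrapped line rejoined).
DC_OUTPUT = r"""
rob:*:1000:2003:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/false
trish:*:1033:2003::/home/ATLANTA/trish:/bin/false
"""
MEMBER_OUTPUT = r"""
ATLANTA\rob:*:10020:10001:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/bash
ATLANTA\trish:*:10037:10001::/home/ATLANTA/trish:/bin/bash
"""

if __name__ == "__main__":
    for rec in find_drift(parse_wbinfo(DC_OUTPUT), parse_wbinfo(MEMBER_OUTPUT)):
        print(rec)
```

An empty result means both hosts map every common account to the same numeric IDs.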


