idmap_ad group id mapping.

Michael Adam obnox at samba.org
Thu Jul 12 08:48:42 MDT 2012


Nimrod Sapir wrote:
> Michael Adam <obnox at samba.org> wrote on 12/07/2012 01:20:57:
> > 
> > Yes, this is actually how it should work:
> > Samba takes the windows user token and turns it into
> > a unix token. Here the expected thing is to turn the windows
> > groups into unix groups (by id mapping) one-to-one.
> > 
> > I would say that the windows admins should give the
> > user a primary (windows) group that also carries a gidnumber
> > unix attribute. I can't see why a windows admin would give
> > the user a primary windows group (maybe w/o gid number) and
> > primary gid number in the unix attributes that refers to a
> > different windows group or to no windows group at all.
> > 
> > But it seems to be a rather frequent request.
> > If it is really important, then we could make it configurable
> > to let samba choose the primary gid from the windows user
> > sfu attributes as the unix primary gid.
> 
> I would say that the existing behavior is reasonable (as well as expecting
> the user to enforce the gid value of the primary group) if the "primary
> group name/GID" field were not there, right below the UID field. I, as a
> user, was sure that this field would determine the GID. I believe this is
> also what Microsoft expects from systems which are using this scheme
> (otherwise, why is it there?),

Well, I think the primary use of this is Unix/NFS interaction.
Also, from Windows 2003R2 on, the schema extensions are part of
the so-called "Services for NFS"...

http://technet.microsoft.com/en-us/library/cc782783%28v=ws.10%29
http://technet.microsoft.com/en-us/library/cc753302%28v=ws.10%29.aspx

This is meant for systems that unlike samba/winbindd don't do
an id mapping of the windows SIDs themselves.

> and from the perspective of a customer that has a large Active
> Directory and wants to allocate different GIDs to different
> users, the existing behavior is error-prone while the second
> approach ensures consistency.

The point is that the samba server is more on the windows side
than on the unix side, from the windows clients' point of view.
So we should by default map the windows world to the unix world
as 1:1 as possible. We can optionally add in the primary gid
from the unix attributes in the idmap_ad scenario. But what
relevance would the primary windows group have, if it is also
mapped to a GID?

Difficult.

There is by the way already a mechanism for choosing the
gid from idmap_ad: you need to configure the nss_info
correspondingly. Set

"winbind nss info = sfu"

in addition to your idmap config (or = rfc2307, you have to check).
Please read the "smb.conf" manpage for more background.

Cheers - Michael
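The following smb.conf fragment is an added illustration of the mechanism described above; it is not part of this thread and not taken from the Samba documentation. It pairs an idmap_ad backend for the AD domain with the "winbind nss info" setting that tells winbindd to take the unix primary gid from the user's RFC2307 unix attributes instead of mapping the user's windows primary group. The domain name, ID ranges and the choice of "rfc2307" over "sfu" are assumptions: "rfc2307" matches the Windows 2003R2+ schema referenced above, while "sfu" is for the older Services for Unix schema, so check which one your forest actually uses.

```ini
[global]
   workgroup = EXAMPLEDOM
   realm = EXAMPLEDOM.LOCAL
   security = ads

   ; Default backend for SIDs that belong to no configured domain
   ; (BUILTIN, local machine SIDs); the range must not overlap the AD range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; Read uidNumber/gidNumber directly from AD for EXAMPLEDOM
   ; (the "idmap_ad scenario" discussed above). Range is an assumption.
   idmap config EXAMPLEDOM : backend = ad
   idmap config EXAMPLEDOM : schema_mode = rfc2307
   idmap config EXAMPLEDOM : range = 10000-999999

   ; This is the setting the post refers to: with it, winbindd takes the
   ; user's primary gid (and shell/home) from the unix attributes in AD.
   ; Use "sfu" instead if the forest uses the Services for Unix 3.x schema.
   winbind nss info = rfc2307

   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
```

After reloading winbindd, verify which gid was chosen with "getent passwd EXAMPLEDOM\\someuser" and "id someuser": the gid shown should now be the gidNumber from the user's unix attributes rather than the mapping of the windows primary group, and every gid that appears must fall inside the configured range or the lookup fails.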

