Samba4 idmap using uidNumber/gidNumber

steve steve at
Tue Jun 19 15:25:59 MDT 2012

On 19/06/12 20:53, Greg Dickie wrote:
> Hi Steve,
>    You are using LDAP to pull these attributes correct?
Hi Greg.

> How did you get
> authenticated binds working in nss?

We use sasl binds under nss-pam-ldapd, and k5start to get and maintain
the ticket cache for us. Here is our /etc/nslcd.conf:

# run nslcd as an unprivileged account
uid nslcd-user
gid nslcd-user
# directory to query (host elided) and the search base
uri ldap://
base dc=hh3,dc=site
# map the rfc2307 names nslcd asks for onto the AD attributes that carry them
map passwd uid            samAccountName
map passwd homeDirectory  unixHomeDirectory
map group  uniqueMember   member
# authenticated bind with Kerberos; the cache is kept fresh by k5start
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

The latest version includes looking in the dn for the member attributes 
so you can lose the group mapping, making it even faster.
> Also note that windows server ADs will require the  msSFU30NIS objects
> in the directory before they will "recognize" the other attributes (ie:
> let you access them). You need to install the Identity Management for
> UNIX stuff to get that working. Silly windows ;-)

No. Not needed, for S4 at least. The schema as it is allows for all the 
rfc2307 attributes and objectClasses that are needed for Linux 
integration. A script to write new users/groups to the directory and 
away you go.

I was wrong when I said we don't touch idmap. We do, but only for 
uidNumber and gidNumber. I believe that this is due to change soon or at 
least be made an option, after which we will be able to read these from 
the directory too. In any case, it's easy enough to do just by using 
wbinfo commands.

Looking better day by day for the Linux client side :-)
> Greg
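The post mentions "a script to write new users/groups to the directory" with the rfc2307 attributes that the nslcd.conf above reads. The following is an added example, not code from the post and not Samba's own tooling: it builds the LDIF modify records that attach uidNumber, gidNumber, unixHomeDirectory and loginShell to existing Samba4 AD user and group entries, allocates ids from a range without reusing one the directory already carries, rejects names that would inject extra LDIF records, and checks the result against the passwd map from the nslcd.conf. The base DN and map lines come from the post; the id range (10000-19999), the `CN=<name>,CN=Users` DN layout, the sample entries and the `ldbmodify` path in the usage note are assumptions.

```python
"""Added example (not the post's or Samba's code): LDIF for rfc2307 attributes
on Samba4 AD entries, with id allocation and a check against the nslcd map.
Assumed: id range, CN=<name>,CN=Users layout, sample directory contents."""

import re

BASE_DN = "DC=hh3,DC=site"              # the nslcd search base from the post
ID_RANGE = range(10000, 20000)          # assumed range for both uids and gids

# the passwd/group map lines exactly as posted in nslcd.conf
NSLCD_CONF = """\
map passwd uid            samAccountName
map passwd homeDirectory  unixHomeDirectory
map group  uniqueMember   member
"""

# rfc2307 attributes nslcd looks up for a passwd entry, before any mapping
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed sample of what a search for existing ids would return;
# real code would feed the output of ldbsearch/ldapsearch in here.
EXISTING = [
    ("CN=alice,CN=Users,DC=hh3,DC=site",     {"uidNumber": 10000, "gidNumber": 10000}),
    ("CN=bob,CN=Users,DC=hh3,DC=site",       {"uidNumber": 10002, "gidNumber": 10000}),
    ("CN=unixusers,CN=Users,DC=hh3,DC=site", {"gidNumber": 10000}),
]

# plain sAMAccountName / group name: no spaces, no LDIF or DN metacharacters
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$")


def passwd_map(conf=NSLCD_CONF):
    """Return {rfc2307 attr: AD attr} for the passwd map; unmapped names stay as-is."""
    mapping = {a: a for a in PASSWD_ATTRS}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "map" and parts[1] == "passwd":
            mapping[parts[2]] = parts[3]
    return mapping


def used_ids(attr, entries=EXISTING):
    return {v[attr] for _, v in entries if attr in v}


def next_free(attr, entries=EXISTING, id_range=ID_RANGE):
    """Lowest id in the range that no existing entry already carries."""
    taken = used_ids(attr, entries)
    for candidate in id_range:
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"{attr} range exhausted")


def ldif_modify(dn, attrs):
    """LDIF 'changetype: modify' record adding each attribute.  Values with a
    newline, surrounding whitespace or an LDIF-special leading character are
    refused so a crafted name cannot smuggle in a second record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in attrs.items():
        value = str(value)
        if "\n" in value or value != value.strip() or value[:1] in (":", "<"):
            raise ValueError(f"unsafe value for {name}: {value!r}")
        lines += [f"add: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


def posix_user_ldif(sam, gid_number, entries=EXISTING, shell="/bin/bash"):
    """LDIF giving the existing user CN=<sam>,CN=Users (assumed layout) the
    attributes nslcd reads; returns (ldif, attrs) so callers can check them."""
    if not SAFE_NAME.match(sam):
        raise ValueError(f"refusing sAMAccountName {sam!r}")
    attrs = {
        "uidNumber": next_free("uidNumber", entries),
        "gidNumber": gid_number,
        "unixHomeDirectory": f"/home/{sam}",
        "loginShell": shell,
    }
    return ldif_modify(f"CN={sam},CN=Users,{BASE_DN}", attrs), attrs


def posix_group_ldif(name, entries=EXISTING):
    """LDIF giving the existing group CN=<name>,CN=Users a fresh gidNumber."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"refusing group name {name!r}")
    gid = next_free("gidNumber", entries)
    return ldif_modify(f"CN={name},CN=Users,{BASE_DN}", {"gidNumber": gid}), gid


def missing_for_nslcd(ad_attrs, conf=NSLCD_CONF):
    """AD attributes the nslcd passwd map needs that the entry still lacks."""
    wanted = set(passwd_map(conf).values())
    return sorted(wanted - set(ad_attrs))


if __name__ == "__main__":
    ldif, attrs = posix_user_ldif("carol", 10000)
    print(ldif)
    print("missing:", missing_for_nslcd({"samAccountName", *attrs}))
```

The generated records are applied on the DC with Samba's ldb tools, e.g. `ldbmodify -H /usr/local/samba/private/sam.ldb users.ldif` (assumed install path). The allocation step is the part worth getting right: a second `uidNumber: 10000` silently gives two accounts the same Unix identity, which is why `next_free` works from what the directory already holds rather than from a counter kept elsewhere. On the nslcd side, `krb5_ccname` must point at a cache that exists before nslcd starts; the k5start invocation the post alludes to is not shown there, and an assumed one of the usual shape is `k5start -b -U -f /etc/nslcd.keytab -K 60 -k /tmp/nslcd.tkt -o nslcd-user`, which renews from the keytab and keeps the cache owned by the nslcd account.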

More information about the samba-technical mailing list