SID list population in 3.5.n series

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Mar 12 02:36:48 MDT 2012

On Sat, Mar 10, 2012 at 06:23:01PM -0700, Tom Noonan II wrote:
> > What specific problem are you trying to overcome?
> My goal is to use NSS groups to control access to shares
> by domain joined users.  The ultimate goal is to use NSS
> to glue in auth from an external server, so I'm looking
> for a solution that requires no local user management.
> (i.e. adding groups via the net calls would be acceptable
> as that could be done when modifying the share ACLs, but
> adding users would not.)  I don't want to go into detail
> about the external server I'm trying to use, so please
> take my word that NSS is the least painful route.

If you can ignore the domain groups coming in via ADS, it
might be possible for you to use

username map script = /bin/echo

This assumes that your usernames from AD match the unix
usernames including the domain prefix. You might want to
play a bit with a more intelligent mapping script.

If you map a user, the effect is that the domain group
memberships are discarded and only the ones from NSS are
being looked at.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
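
A sketch of the "more intelligent mapping script" suggested above, as an added example that is not part of the original message or of Samba. It treats the name smbd passes as `$1` as untrusted client input and prints a mapped name only when NSS knows the account. Assumptions: the script path, the `EXAMPLE` sample domain, the upper-case-domain/lower-case-account naming in NSS, and that printing nothing leaves the user unmapped.

```shell
#!/bin/sh
# Added example: hypothetical /usr/local/sbin/smb-usermap (path is an assumption),
# configured as:  username map script = /usr/local/sbin/smb-usermap
# smbd calls the script with the client-supplied user name as $1 and reads the
# mapped name from the script's standard output.

# Returns 0 when NSS knows the account. Kept separate so it can be stubbed.
nss_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print the Unix name for a "DOMAIN\user" login, or nothing if it must not map.
# Assumption: printing nothing leaves the user unmapped.
map_username() {
    name=$1
    case $name in
        *\\*) domain=${name%%\\*}; user=${name#*\\} ;;
        *)    return 0 ;;   # no domain prefix: do not map
    esac
    # The name comes from the client: accept a conservative character set only,
    # which also rejects a second backslash, whitespace and shell metacharacters.
    case $domain in ''|*[!A-Za-z0-9.-]*) return 0 ;; esac
    case $user in ''|*[!A-Za-z0-9._-]*) return 0 ;; esac
    # Assumption: NSS names use an upper-case domain and a lower-case account.
    domain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    candidate="${domain}\\${user}"
    # Map only accounts NSS can resolve; a mapped user keeps NSS groups only.
    if nss_user_exists "$candidate"; then
        printf '%s\n' "$candidate"
    fi
    return 0
}

# Run as a script only when smbd (or a tester) supplies a name.
[ "$#" -eq 0 ] || map_username "$1"
```
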
