Samba4: ID mapping is hard

Andrew Bartlett abartlet at
Fri Mar 23 18:20:31 MDT 2012

On Fri, 2012-03-23 at 23:54 +0100, steve wrote:

> What is working well for us in tests is giving Domain Users a uid, gid, 
> setting their primaryGroupID to that of a posix-ified security group and 
> storing these attributes in their entry in sam.ldb. The only problem I 
> have with this is that adding the posixGroup objectClass to a security 
> group removes the ability to be able to list its members in ADUC and it 
> is really unfortunate that I can't test this against a windows server. 
> Because I don't have one. 

Trial copies of Windows are available for download:

> This is merely an inconvenience as the 
> posix-ified security group behaves exactly as if it were a normal domain 
> group. If we want point and click we can use phpldapadmin.
> So, uid gid mapping and the interoperability of domain and posix groups 
> like this is really simple. What we fear may happen is that when an 
> official s4 mapping method comes along, it will make changes to either 
> the schema or sam.ldb which will disallow our storing our attributes in 
> the directory.

Any valid schema modification that is supported in windows will continue
to be supported.  The schema as shipped is the official AD schema, and
it and the implementation of the mayContains rules associated are both
highly unlikely to change. 

> Are we wasting time proceeding with this or does it make at least a 
> little sense? Our aim is simply to have a single sign on linux/windows. 
> As s4 does not provide an official mechanism for this at the moment we 
> invented this.

For Linux clients, the supported solution is using Samba3's winbindd.
Patches to modify Samba4's id mapping to internally honour the same id
mapping behaviour of the Samba3 winbindd you deploy on clients would be
welcome and appreciated.

Binding nss_ldap directly against any AD implementation has always been
a bad idea.  We built winbindd for this reason, and recommend its use
against Samba4.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
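An added consistency check for the scheme steve describes, written for this page and not part of the thread or of Samba itself: it audits a constructed LDIF-style export of sam.ldb entries for what any mapping, directory-stored or winbindd-driven, needs to hold (a unique uidNumber per user, a primaryGroupID that points at a posix-ified group, and a user gidNumber matching that group's). The attribute names are the standard AD and RFC 2307 ones; the sample DNs, SIDs and id numbers are made up.

```python
from collections import defaultdict
# Constructed sample in the style of an LDIF export from sam.ldb (not real data).
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectClass: posixGroup
objectSid: S-1-5-21-111-222-333-513
gidNumber: 10000

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000
primaryGroupID: 513

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000
primaryGroupID: 1101
"""

def parse_ldif(text):
    """Parse a minimal LDIF dump (no folding, no base64) into attr->values dicts."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:        # trailing "" flushes the last record
        if line.strip():
            attr, _, value = line.partition(": ")
            cur[attr].append(value)
        elif cur:
            entries.append(dict(cur)); cur = defaultdict(list)
    return entries

def audit(text):
    """Return problem strings for the uid/gid scheme; an empty list means consistent."""
    entries = parse_ldif(text)
    first = lambda e, a: e.get(a, [None])[0]
    # primaryGroupID holds the group's RID, i.e. the last component of its objectSid
    gid_by_rid = {first(g, "objectSid").rsplit("-", 1)[1]: first(g, "gidNumber")
                  for g in entries if "group" in g.get("objectClass", [])}
    owners, problems = defaultdict(list), []
    for u in (e for e in entries if "user" in e.get("objectClass", [])):
        dn, rid = first(u, "dn"), first(u, "primaryGroupID")
        owners[first(u, "uidNumber")].append(dn)
        if gid_by_rid.get(rid) is None:
            problems.append(f"{dn}: primaryGroupID {rid} is not a posix-ified group")
        elif gid_by_rid[rid] != first(u, "gidNumber"):
            problems.append(f"{dn}: gidNumber differs from its primary group's gidNumber")
    problems += [f"uidNumber {uid} shared by {', '.join(d)}" for uid, d in owners.items() if len(d) > 1]
    return problems
```

Run against a real `ldbsearch` or `ldapsearch` export the same way; the two findings on the sample (bob's primary group has no gidNumber, and alice and bob share uid 10001) are exactly the states that break single sign-on silently.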
