[Samba] PDC + LDAP group mappings
John H Terpstra
jht at Samba.Org
Thu Dec 30 18:36:43 GMT 2004
On Thursday 30 December 2004 10:34, David Sonenberg wrote:
> Alright now that samba can talk to LDAP I have a blank slate. I know I
> need to setup group mappings, but I'm a little confused about this.
> Since it's an ldap backend do the groups need to have unix counterparts?
> Should I use the net groupmap command to add the mappings or should I
> use an LDIF file?
This subject comes up on this list ad nauseam! I am responding in full in the
hope that we can get this sorted out so that others who do their homework
before asking here will find the answers they need. I have tried to document
this in the Samba-HOWTO-Collection and in the Samba-Guide ("Samba-3 by
Suggest you check out chapter 6 of the book, "Samba-4 by Example". You can
download it from:
If you get lost give me a shout. If the documentation is not clear enough and
has too much fog-factor, please promise us all that when this becomes clear
to you you will help to improve the documentation. Feedback, improvement in
clarity and corrections are always welcome.
For the record:
If you use LDAP with Samba it is essential that ALL your UNIX (POSIX) accounts
(both for users and for groups) are in the LDAP backend. Samba requires the
SambaSAM account data also in LDAP. It is NOT possible with Samba to have
only the SambaSAM account information in LDAP and not the UNIX accounts in
Additionally, it is essential that all accounts will translate unambiguously
between Windows credentials and UNIX credentials. This means that any UID
must translate to exactly one (and one only) MS Windows SID. Every SID must
translate (map) to precisely one UID or GID. Every GID must map to precisely
one SID and vice versa.
The "net groupmap" utility provides the connection between a Windows NT Group
and the UNIX (POSIX) group. What this does is it tells Samba that when a
Windows user accesses the Samba server that user will be treated by the UNIX
operating system as if he is accessing UNIX directly as the mapped account.
A Windows user is called 'billyboy' and is a member of Windows groups "Domain
Users", "Engineers", and "Goodguys", and his primary group is "Goodguys".
In your LDAP based POSIX backend the UNIX account is called 'billyboy' with
UID = 1106. Group mappings are set so that:
Windows NT Group == UNIX group
"Domain Users" -> users (group id = 500)
"Domain Guests" -> nobody (group id = 65534)
"Domain Admins" -> root (group id = 0)
"Engineers" -> engineers (group id = 1211)
"Goodguys" -> goodguys (group id = 1235)
Then for all UNIX file system access the user 'billyboy' will have the
following UNIX credentials:
Primary group ID: 1235
Additional group memberships IDs: 500, 1211
That is the information that should be returned if you execute in a UNIX
You can manually populate your LDAP database using an LDIF file to set all
this up, but if you use the Idealx scripts this is all neatly done for you.
I hope that helps to explain the connections.
John H Terpstra
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
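As an added example (not code from the post, from Samba, or from the Idealx scripts), the following builds the LDIF entries behind the group mapping table in the message above and checks the one-to-one SID/GID rule it insists on. DOMAIN_SID and BASE_DN are constructed placeholders, and the group RID rule 2*gid + 1001 is Samba 3's default algorithmic mapping for groups without a well-known RID.

```python
# Added example: LDIF for the post's group mappings plus a one-to-one check.
# DOMAIN_SID/BASE_DN are placeholders; RID = 2*gid + 1001 is Samba 3's default.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # placeholder, not real
BASE_DN = "ou=Groups,dc=example,dc=com"                  # placeholder
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# (Windows NT group, UNIX group, gid) exactly as listed in the post
MAPPINGS = [
    ("Domain Users", "users", 500),
    ("Domain Guests", "nobody", 65534),
    ("Domain Admins", "root", 0),
    ("Engineers", "engineers", 1211),
    ("Goodguys", "goodguys", 1235),
]

def group_sid(nt_name, gid):
    """Well-known RID for the builtin domain groups, algorithmic RID otherwise."""
    return f"{DOMAIN_SID}-{WELL_KNOWN_RIDS.get(nt_name, 2 * gid + 1001)}"

def group_mapping_ldif(nt_name, unix_group, gid):
    """One LDIF entry: posixGroup (UNIX side) plus sambaGroupMapping (NT side)."""
    return "\n".join([
        f"dn: cn={unix_group},{BASE_DN}",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        f"cn: {unix_group}",
        f"gidNumber: {gid}",
        f"sambaSID: {group_sid(nt_name, gid)}",
        "sambaGroupType: 2",  # 2 = domain (global) group
        f"displayName: {nt_name}",
        "",
    ])

def check_one_to_one(mappings):
    """Return the problems found; an empty list means each GID and each SID is used once."""
    problems, seen_gid, seen_sid = [], {}, {}
    for nt_name, _unix_group, gid in mappings:
        sid = group_sid(nt_name, gid)
        if gid in seen_gid:
            problems.append(f"gid {gid} is mapped to both {seen_gid[gid]} and {nt_name}")
        if sid in seen_sid:
            problems.append(f"{sid} is mapped to both {seen_sid[sid]} and {nt_name}")
        seen_gid.setdefault(gid, nt_name)
        seen_sid.setdefault(sid, nt_name)
    return problems

def unix_credentials(primary_nt_group, nt_groups, mappings=MAPPINGS):
    """Translate NT group memberships into (primary gid, sorted supplementary gids)."""
    gid_of = {nt: gid for nt, _, gid in mappings}
    extra = sorted(gid_of[g] for g in nt_groups if g != primary_nt_group)
    return gid_of[primary_nt_group], extra
```

For the user 'billyboy' from the post, unix_credentials("Goodguys", ["Domain Users", "Engineers", "Goodguys"]) yields primary GID 1235 with supplementary GIDs 500 and 1211, which is what `id billyboy` should report once the mappings are in LDAP.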