[Samba] PDC + LDAP group mappings

John H Terpstra jht at Samba.Org
Thu Dec 30 18:36:43 GMT 2004

On Thursday 30 December 2004 10:34, David Sonenberg wrote:
> Alright now that samba can talk to LDAP I have a blank slate.  I know I
> need to setup group mappings, but I'm a little confused about this.
> Since it's an ldap backend do the groups need to have unix counterparts?
> Should I use the net groupmap command to add the mappings or should I
> use an LDIF file?


This subject comes up on this list ad nauseam! I am responding in full in the 
hope that we can get this sorted out so that others who do their homework 
before asking here will find the answers they need. I have tried to document 
this in the Samba-HOWTO-Collection and in the Samba-Guide ("Samba-3 by 
Example" books).

Suggest you check out chapter 6 of the book, "Samba-4 by Example". You can 
download it from:


If you get lost give me a shout. If the documentation is not clear enough and 
has too much fog-factor, please promise us all that when this becomes clear 
to you you will help to improve the documentation. Feedback, improvement in 
clarity and corrections are always welcome.

For the record:

If you use LDAP with Samba it is essential that ALL your UNIX (POSIX) accounts 
(both for users and for groups) are in the LDAP backend. Samba requires the 
SambaSAM account data also in LDAP. It is NOT possible with Samba to have 
only the SambaSAM account information in LDAP and not the UNIX accounts in 

Additionally, it is essential that all accounts will translate unambiguously 
between Windows credentials and UNIX credentials. This means that any UID 
must translate to exactly one (and one only) MS Windows SID. Every SID must 
translate (map) to precisely one UID or GID. Every GID must map to precisely 
one SID and vice versa.

The "net groupmap" utility provides the connection between a Windows NT Group 
and the UNIX (POSIX) group. What this does is it tells Samba that when a 
Windows user accesses the Samba server that user will be treated by the UNIX 
operating system as if he is accessing UNIX directly as the mapped account. 

For Example: 
A Windows user is called 'billyboy' and is a member of Windows groups "Domain 
Users", "Engineers", and "Goodguys", and his primary group is "Goodguys".

In your LDAP based POSIX backend the UNIX account is called 'billyboy' with 
UID = 1106. Group mappings are set so that:

	Windows NT Group    ==   UNIX group
	"Domain Users"      ->   users      (group id = 500)
	"Domain Guests"     ->   nobody     (group id = 65534)
	"Domain Admins"     ->   root       (group id = 0)
	"Engineers"         ->   engineers  (group id = 1211)
	"Goodguys"          ->   goodguys   (group id = 1235)

Then for all UNIX file system access the user 'billyboy' will have the 
following UNIX credentials:
	UID: 1106
	Primary group ID: 1235
	Additional group memberships IDs: 500, 1211

That is the information that should be returned if you execute in a UNIX 
	id billyboy

You can manually populate your LDAP database using an LDIF file to set all 
this up, but if you use the Idealx scripts this is all neatly done for you.

I hope that helps to explain the connections.

John T.
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
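Added example (not part of John's post and not Samba's own code): a small Python check over constructed `net groupmap list`, `getent group` and `getent passwd` output, using the figures from the post, that verifies the one SID <-> one GID rule and computes what `id billyboy` should report. The domain SID and the RIDs for "Engineers" and "Goodguys" are made-up values; 512/513/514 are the well-known Domain Admins/Users/Guests RIDs. A second, deliberately broken mapping shows what the check flags.

```python
"""Validate Samba group mappings and derive a user's UNIX credentials.

All input below is constructed sample data in the format printed by
`net groupmap list` ("NT group (SID) -> unixgroup") and by getent.
"""
import re
from collections import Counter

# Hypothetical domain SID (assumption, not from a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed `net groupmap list` output matching the post's table.
# RIDs 3423/3471 for Engineers/Goodguys are made up.
GROUPMAP_LIST = f"""\
Domain Users ({DOMAIN_SID}-513) -> users
Domain Guests ({DOMAIN_SID}-514) -> nobody
Domain Admins ({DOMAIN_SID}-512) -> root
Engineers ({DOMAIN_SID}-3423) -> engineers
Goodguys ({DOMAIN_SID}-3471) -> goodguys
"""

# Constructed broken mapping: two NT groups share one UNIX group, and one
# NT group points at a POSIX group that does not exist in the backend.
BAD_GROUPMAP_LIST = f"""\
Engineers ({DOMAIN_SID}-3423) -> engineers
Goodguys ({DOMAIN_SID}-3471) -> engineers
Ghosts ({DOMAIN_SID}-3500) -> ghosts
"""

# Constructed `getent group` / `getent passwd` output for the POSIX side.
GETENT_GROUP = """\
root:x:0:
users:x:500:billyboy
nobody:x:65534:
engineers:x:1211:billyboy
goodguys:x:1235:
"""
GETENT_PASSWD = "billyboy:x:1106:1235:Billy Boy:/home/billyboy:/bin/bash\n"

MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Parse `net groupmap list` lines into (ntgroup, sid, unixgroup) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError(f"unparseable groupmap line: {line!r}")
        rows.append((m["nt"], m["sid"], m["unix"]))
    return rows


def parse_getent_group(text):
    """Return {name: (gid, set_of_member_names)} from getent group output."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_getent_passwd(text):
    """Return {name: (uid, primary_gid)} from getent passwd output."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def groupmap_problems(rows, groups):
    """List violations of 'every SID maps to exactly one GID and vice versa'."""
    problems = []
    for sid, n in Counter(sid for _, sid, _ in rows).items():
        if n > 1:
            problems.append(f"SID {sid} is mapped {n} times")
    for unix, n in Counter(unix for _, _, unix in rows).items():
        if n > 1:
            problems.append(f"UNIX group {unix} is the target of {n} mappings")
    for nt, _sid, unix in rows:
        if unix not in groups:
            problems.append(f"{nt} -> {unix}: no such POSIX group in the backend")
    return problems


def unix_credentials(user, users, groups):
    """What `id <user>` should report: (uid, primary gid, sorted extra gids)."""
    uid, pgid = users[user]
    extra = sorted(gid for _n, (gid, members) in groups.items()
                   if user in members and gid != pgid)
    return uid, pgid, extra


def nt_groups_for_user(user, rows, users, groups):
    """Reverse direction: the Windows groups the mapping gives this user."""
    uid, pgid, extra = unix_credentials(user, users, groups)
    gid_to_nt = {groups[unix][0]: nt for nt, _s, unix in rows if unix in groups}
    return sorted(gid_to_nt[g] for g in {pgid, *extra} if g in gid_to_nt)


if __name__ == "__main__":
    groups = parse_getent_group(GETENT_GROUP)
    users = parse_getent_passwd(GETENT_PASSWD)
    print("good mapping problems:", groupmap_problems(parse_groupmap(GROUPMAP_LIST), groups))
    print("bad mapping problems:", groupmap_problems(parse_groupmap(BAD_GROUPMAP_LIST), groups))
    print("billyboy:", unix_credentials("billyboy", users, groups))
    print("billyboy NT groups:", nt_groups_for_user("billyboy", parse_groupmap(GROUPMAP_LIST), users, groups))
```

On a live server the same checks can be fed with `net groupmap list`, `getent group` and `getent passwd` piped into the parsers; a non-empty problem list means some SID or GID does not translate unambiguously, which is exactly the condition the post says must never occur.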
