[Samba] username map for ADS groups

Greg Adams gadams at gmail.com
Fri Oct 8 22:23:21 GMT 2004

I'm having some kind of trouble mapping all users in an ADS group to a Unix id.

I'm running Samba 3.0.7 on Solaris 9 as a member of a Windows 2000 ADS Domain.

Here's my smb.conf:

[global]
        workgroup = ADSDOM
        realm = ADSDOM.MY.COM
        server string = Samba 3.0.7 Test Server
        log level = 2
        max log size = 100
        security = ADS
        local master = no
        os level = 0
        domain master = no
        preferred master = no
        wins server = ###.###.###.###
        dns proxy = no
        encrypt passwords = yes
        idmap uid = 60000-70000
        idmap gid = 80000-90000
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        winbind use default domain = no
        username map = /opt/samba/lib/username.map

[space]
        comment = Space Partition Share
        path = /space
        public = no
        writable = yes
        printable = no
        browsable = no
        create mask = 0777

and here's /opt/samba/lib/username.map:

!smbadmin = @"ADSDOM\Domain Admins"
!smbuser = @"ADSDOM\Domain Users"
smbguest = '*'

I know of a user that is in the "ADSDOM\Domain Users" group, called
imguser... if I do
getent passwd | grep imguser
I get
ADSDOM+imguser:x:60001:80000:imguser Imaging

so, that user is in group 80000, so I do
getent group 80000
and get
EDSADDDM+Domain Users:x:80000:

Now... If I map the space share from a Windows XP client, I get the
following lines in log.smbd:
[2004/10/08 15:16:54, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/08 15:16:54, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [imguser] -> [smbguest] -> [smbguest] succeeded
[2004/10/08 15:16:54, 1] smbd/service.c:make_connection_snum(648)
  mule ( connect to service space initially as user smbguest (uid=689013, gid=2503) (pid 1108)

I get the same thing, where the user gets mapped to smbguest, no
matter what user I use. Winbind isn't correctly determining the group
for the ADS domain users.

Also, another problem that might be related... getent group doesn't
show all the groups I expect it to show. The ADS domain has trusts to
another ADS domain, and also to an NT4 domain. I know for certain that
not all of the NT4 domains show up in wbinfo -g, and even fewer show
up in getent group. And the output of wbinfo -g and getent group is
inconsistent. Sometimes no domain groups at all show up in
getent group.

Anybody have any ideas? I desperately need this functionality to work.

Greg Adams
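The log above shows every login ending up as smbguest, which is exactly what the last line of the posted username.map does once the two "@group" lines fail to match. The following script is an added example, not Samba's own code and not part of the original post: it is a small model of Samba's first-match username map semantics (leading "!" stops processing after a hit, "@name" matches by Unix group membership, "*" matches any login) and runs the poster's map against two constructed membership views. The membership function `groups_of` is an assumption standing in for the getgrnam/getpwnam lookups that the real server performs; the empty-membership case mirrors the posted `getent group 80000` output, whose member list is empty.

```python
import shlex

# Constructed copy of the username.map from the post (test data, not read from disk).
USERNAME_MAP = r'''
!smbadmin = @"ADSDOM\Domain Admins"
!smbuser = @"ADSDOM\Domain Users"
smbguest = '*'
'''


def parse_username_map(text):
    """Parse username.map text into (stop, unix_name, patterns) tuples in file order.

    Comment lines start with '#' or ';'. A leading '!' on the Unix name marks a
    rule that terminates mapping once it matches. Right-hand side names may be
    quoted so that group names containing spaces survive tokenisation.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:]
        unix_name, _, rhs = line.partition("=")
        lexer = shlex.shlex(rhs, posix=True)
        lexer.whitespace_split = True
        lexer.escape = ""          # keep backslashes literal: ADSDOM\Domain Users
        patterns = list(lexer)     # @"ADSDOM\Domain Admins" -> @ADSDOM\Domain Admins
        rules.append((stop, unix_name.strip(), patterns))
    return rules


def resolve(login, rules, groups_of):
    """Model of first-match username mapping (assumed semantics, not Samba's code).

    `groups_of(name)` returns the set of Unix group names `name` belongs to.
    Without '!' a matched rule renames the login and later rules keep running
    against the new name; with '!' mapping stops at the first hit.
    """
    current = login
    for stop, unix_name, patterns in rules:
        matched = False
        for pat in patterns:
            if pat == "*":
                matched = True
            elif pat.startswith("@"):
                matched = pat[1:] in groups_of(current)
            else:
                matched = pat.lower() == current.lower()
            if matched:
                break
        if matched:
            current = unix_name
            if stop:
                break
    return current


def catch_all_target(rules):
    """Return the Unix account that receives every login no earlier rule claimed,
    or None if the map has no '*' rule. Useful as a sanity check: a catch-all
    that points at a low-privilege account hides every failed group lookup."""
    for _stop, unix_name, patterns in rules:
        if "*" in patterns:
            return unix_name
    return None


# Membership views constructed for the example.
def no_membership(_name):
    # Mirrors the posted "getent group 80000" line, which lists no members.
    return set()


def full_membership(name):
    # What the mapping needs in order to reach the smbuser rule.
    return {"ADSDOM\\Domain Users"} if name.lower() == "imguser" else set()


if __name__ == "__main__":
    rules = parse_username_map(USERNAME_MAP)
    print("catch-all account:", catch_all_target(rules))
    print("imguser, empty group membership ->", resolve("imguser", rules, no_membership))
    print("imguser, member of Domain Users ->", resolve("imguser", rules, full_membership))
```

With an empty membership view the first two rules never fire and the "*" rule maps the user to smbguest, which is the behaviour in the log; with the group membership present the "!smbuser" rule fires first and mapping stops there. Checking `catch_all_target` in a map review is worthwhile because a catch-all makes a broken group lookup look like a successful login.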