[Samba] Samba-Guide chapter 10

John H Terpstra jht at samba.org
Tue Mar 29 17:18:25 GMT 2005

On Tuesday 29 March 2005 09:56, Dr. Matthias Schlett (987) wrote:
> Hi John T. et al.,
> here is my comment about the Samba-Guide chapter 10.

The Samba-Guide (Samba-3 by Example) is not intended as a comprehensive 
technical overview of how Samba works. It is meant as a quick guide that will 
help our users to create a working network environment. The premise behind 
the Samba-Guide is "learn be seeing Samba work" - not "see how every nut and 
bolt of Samba works". The nuts and bolts should be covered in the 

> In my opinion this chapter is a good place to explain the nature of Samba:
> joining the unix and the windows world by mapping.

This is handled in the Samba-HOWTO-Collection. Is that the wrong place?

> In most of the cases discussed on this list a unix server is used only as a
> container for the windows world. The Samba team tries to smooth the
> differences between unix and windows and to put windows functionality into
> unix. For me everything is merged into one big cloud. As an administrator I
> want to look behind the scene and to understand the different cases which
> Samba as an all-purpose software can serve for.

Right. Refer to the Samba-HOWTO-Collection and if that is deficient it must be 

> We don't use Samba as a general tool for everything. For the user and group
> management we have an external Oracle database. From this database we feed
> a mixed mode AD for the windows world and a LDAP for the unix world using
> there nss_ldap.
> A windowsusername = DOMAIN\unixusername and some windowsgroupname =
> DOMAIN\unixgroupname, some windowsgroupnames differ from unixgroupnames.

AS shown in the Samba-Guide and as explained in detail in the 
Samba-HOWTO-Collection a Windows username should be the same as a UNIX 
username. The 'username map' facility is a kludge for handling out-lying 
cases where the names must for a particular reason differ, not as a panacea 
for general use. The 'username map' facility violates one of the principle 
rules of using Samba - that there must be only unique resolution of 
login_ID<=>UID<=>SID as any ambiguity may end up biting the hand off.

The same rules apply to group mappings. The tool for setting up group mappings 
is: 'net groupmap [add | modify | delete] ntgroup=[...] unixgroup=[...]'

> Both group membership trees are identical ( LDAP supports nested unix
> groups). The password entries for unix and windows are managed by the
> external database.
> On our NFS and CIFS fileserver both worlds get in touch with the help of
> winbind: the idmap backend on a LDAP server is also feeded by our database,
> winbind has only to read the mappings. We don't use winbind for name
> resolution or automatic creation of uid/gid.

What do you see as the role of winbind?

> In chapter 10 there are some common phrases about the winbind role, but in
> my opinion we need a more detailed explanation how it manages the mapping
> in different cases. More general, I would like to have a chapter from the
> mapping viewpoint. For my particular case I had to read many different
> places in the documentation (and I'm reading it the third month) to find a
> working configuration (which I'll send to the list if you would like ), but
> there are still some open questions:

Have you referred to the Samba-HOWTO-Collection? Both the HOWTO and the Guide 
have recently been significantly updated. They are available on-line at:


> - Must the idmap be a one-to-one mapping or can several sid point to one
> uid/gid ? or is the username map the only tool in this case (and what about

IDMAP can handle only single and unambiguous mapping of SID to UID and vica 

> a groupname map ) ? - Why does the user mapping mechanism differ from the
> group mapping mechanism ? - How is a windows group membership mapped
> automatically to a unix membership (We do it by the external database) ?

Groups are only explicitly mapped since 3.0.0. That is why you need to create 
the mapping using the 'net groupmap' facility.

> - How are the 14 different windows security attributes mapped into the
> Posix ACLs and how are the Posix ACLs displayed in windows ?

Perhaps Jeremy can best answer this.

> I hope this email is not too confusingly, but I tried be short.

- John T.
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

More information about the samba mailing list