[Samba] map an ad user to a specific uid question

David Shapiro David.Shapiro at bcbsnc.com
Tue Aug 22 20:54:40 GMT 2006

I am still trying to resolve an issue where I need the ad user's home
directory to have a specific uid so that when I nfs its home somewhere
the user can access his files.  I found wbuser.pl out there at
Mapping Active Directory Users to Existing UNIX UIDsUse this procedure
on systems where AD user accounts should correspond to UNIX user
accounts on other systems. Among other things, this allows NFS shares
from a UNIX server to work on an Active Directory UNIX client. The
normal behavior of winbind is to arbitrarily assign UIDs to users from
the range specified in smb.conf. GIDs will continue to be assigned to
groups automatically by winbind after following this procedure. 

Open issue: Is there any way to restrict login access to an AD client?

Enable AD authentication as described above. Ensure that the range
specified by idmap uid in smb.conf covers the range of UNIX UIDs to
which accounts will be assigned. winbind lookups for UIDs outside that
range will fail. NB: It's best not to use this procedure on systems that
have a mix of AD accounts and UNIX accounts. If both types of accounts
have UIDs within the same range, then winbind could automatically assign
a UID for an existing UNIX account to an inappropriate AD account.
Install wbuser, a custom script used to list, add, and remove the
UID/SID mappings stored in
/opt/local/samba/var/locks/winbindd_idmap.tdb. If desired, print a list
of the current mappings with wbuser -l. For each user, execute sudo
wbuser -a username UID, where username is the AD username, and UID is
the UNIX UID assigned to it. Create a home directory for the user if
necessary. The problem is that I added a user which seemed to work, but
the -l option does not display my added entry.  It looks like it is
trying to use tdbtool to do this.  Does anybody have directions on how I
can do this without this perl script (I think things may have changed
version wise to make the things the perl script regular expressions look
for fail).  The username map option does not help.  I really need to
control what uid is getting used for my ad logins, so this is important
to get working.  Note again, I am using idmap backend and security =
ADS.    If you know that the wbuser stuff above will not work because of
the idmap backend, I need to know that . 
David Shapiro
Distributed Systems
Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

More information about the samba mailing list