[Samba] LDAP GID<->SID without winbind?

Logan Shaw lshaw at emitinc.com
Tue Jun 20 23:03:31 GMT 2006


Hello everyone,

In my new Samba environment, I have a few servers that use LDAP
for Unix accounts (via PADL's NSS stuff).  This is working fine
for Unix accounts, and everything is in LDAP.  These servers
are also going to run Samba, with the ldapsam backend.

I've noticed that ldapsam allows me to maintain a UID<->SID
mapping by simply putting the SID in the sambaSID attribute
for a (domain) user.  That is, I can manually assign the SID
when I create the account.

Is there any simple equivalent thing for GID<->SID mappings
for groups?  I'd really like to just choose a SID when I choose
a GID at the same time I'm adding the group.  And I'd like it
to be a SID that matches the domain SID; that would help keep
things uniform across servers.

I've looked at the documentation quite a lot, and the only
thing I've seen allusions to so far that allows GID<->SID
mapping to be stored in LDAP is using idmap with winbind.
It seems very strange to me that there's an easy way to do this
(without winbind) for users but there isn't for groups.

For what it's worth, I'm trying to avoid winbind (at least,
using NSS going through winbind) because the new PDC is also
to be a Samba file server, smtp/pop3/imap mail server, etc.
Basically, I just want all Unix UIDs and GIDs and all SIDs to
be specified manually in LDAP.

I notice in the figures in Chapter 11 of the official HOWTO that
it shows "winbind" querying ldapsam to do GID<->SID mapping.
Is it possible that "winbind" (one "d") refers to "winbindd"
(two "d"s -- the daemon) and this implies that I can have
LDAP-based GID<->SID mapping by running the winbindd daemon
but not setting up winbind anywhere in /etc/nsswitch.conf?

Thanks for any insight -- I've spent hours today looking through
the documentation and I've learned a lot, but I haven't learned
the one thing I need to know...  :-)

   - Logan
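As an added example (not from the post and not Samba's own code), a small audit of the convention Logan describes: every sambaSID stored on a user or group entry should carry the domain SID as its prefix and a RID that no other entry in the directory uses, since a foreign-domain SID or a RID shared between a user and a group would map two identities onto one. The domain SID and the LDIF excerpt are constructed, and the group entries assume sambaSID is stored on group objects alongside gidNumber.

```python
import re
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample
# Constructed LDIF excerpt: two users and two groups carrying sambaSID
# next to their POSIX ids, the way ldapsam stores the UID<->SID mapping.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 1002
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3004

dn: cn=staff,ou=Groups,dc=example,dc=com
gidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5003

dn: cn=admins,ou=Groups,dc=example,dc=com
gidNumber: 2002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
"""
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_ldif(text):
    """Split a minimal single-valued LDIF text into {attr: value} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        entries.append(entry)
    return entries

def audit_sids(text, domain_sid):
    """Return (dn, problem) pairs: malformed SID, SID outside domain_sid, or a
    RID reused by another entry (users and groups share one RID space)."""
    problems, seen = [], {}
    for e in parse_ldif(text):
        dn, m = e.get("dn", "?"), SID_RE.match(e.get("sambaSID", ""))
        if not m:
            problems.append((dn, "missing or malformed sambaSID"))
        elif m.group(1) != domain_sid:
            problems.append((dn, "sambaSID not under domain " + domain_sid))
        elif m.group(2) in seen:
            problems.append((dn, "RID " + m.group(2) + " already used by " + seen[m.group(2)]))
        else:
            seen[m.group(2)] = dn
    return problems
```

Running `audit_sids(SAMPLE_LDIF, DOMAIN_SID)` flags bob (SID from another domain) and the admins group (RID 3002 already assigned to alice).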
