[Samba] Link AD to pre-existing UNIX accounts

Jonathan C. Detert Jonathan.Detert at msoe.edu
Tue Apr 24 13:54:06 GMT 2007

On Mon, 2007-04-23 at 14:17 +0000, CG wrote:
> I'm trying to use winbindd to enumerate and link AD users to their
> existing UNIX accounts. Right now, winbindd creates new "users" for
> UNIX based on windows username and groups.

You seem to have 2 separate criteria:

> What I can't figure out is how to explicitly map the AD users to their
> existing UNIX accounts. I'd like the users to be able to access their

That's one criterion: mapping AD users to the existing Unix accounts.
From this, I assume you mean that after the mapping, you want the
'getent passwd' info to be the same: i.e. the same uid, gid, homedir,
shell, gecos.  Call this criterion 1.

> accounts with their UNIX authentication information /and/ their AD 
> authentication information. I had hung my hat on the "username map"

That's another criterion: ability to authenticate as a given user via
either the existing unix password (e.g. the /etc/shadow password), or
the MsAD password.  Call this criterion 2.

> directive, but I find now that it doesn't apply to winbindd.
> Has anyone worked out a strategy for this scenario?

I think so:

Criterion 1:

Extend the MsAD schema to include posix attributes.  I think Ms calls
this 'Ms Services For Unix'.  Doing so will add uid, gid, homedir, and
login-shell attributes.  They have their own ms-hopped-up names, but
that's what they're for.

Populate the MsAD schema with the values you already have in your unix
system.  You could do this manually, but you could also write scripts to
do it.  The script(s) would use LDAP to update MsAD.

I did this 2 years ago.  It's some work, but you only do it once, and
then you're set ever after.

Criterion 2:

Use pam to allow authentication via either the existing unix password,
or via winbind.  I am not a pam expert, but here's the general kind of
approach I've used for situations like this:

# Try the AD password first; success here ends the auth stack.
auth sufficient pam_winbind.so
# Otherwise fall back to the local /etc/shadow password, reusing the typed password.
auth required   pam_unix.so try_first_pass

In summary, I believe that what you want is achievable.

Good luck,
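
For the "write scripts to do it" step of criterion 1, here is an added example
(not code from the original post or from Samba): it reads passwd(5) lines and
emits an LDIF file for ldapmodify that copies each UNIX account's uid, gid,
home, shell and gecos onto the matching AD user object. Everything specific is
an assumption: the sample passwd lines are constructed, the DN template and the
RFC 2307 attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell,
gecos, the Windows 2003 R2 / IdMU schema; SFU 3.x uses msSFU30-prefixed names
instead) are placeholders to adjust for your forest, and it assumes the AD CN
equals the UNIX login name. It generates LDIF rather than writing to AD, so it
runs offline.

```python
"""Emit ldapmodify LDIF that sets AD posix attributes from existing UNIX accounts.

Added example, not from the mailing-list post. Assumed (not in the thread):
the attribute names, the DN template, and that CN == UNIX login name.
"""
import base64

# Constructed sample /etc/passwd lines (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:1001:Jane Doe,,,:/home/jdoe:/bin/bash
bsmith:x:1002:1001:Bob Smith:/home/bsmith:/bin/tcsh
svc-backup:x:1500:1500:Backup service:/var/backup:/usr/sbin/nologin
"""

# Assumed attribute names (RFC 2307 / Windows 2003 R2 schema). SFU 3.x sites
# would substitute msSFU30UidNumber etc. here.
ATTR_MAP = {
    "uid": "uidNumber",
    "gid": "gidNumber",
    "home": "unixHomeDirectory",
    "shell": "loginShell",
    "gecos": "gecos",
}

# Assumed DN template; {user} is the UNIX login, taken to be the AD CN.
DN_TEMPLATE = "CN={user},CN=Users,DC=example,DC=com"

MIN_UID = 1000  # system accounts below this have no AD counterpart; skip them


def parse_passwd(text):
    """Parse passwd(5) lines into dicts, dropping malformed and system entries."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid passwd record
        name, _pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit() or not gid.isdigit() or int(uid) < MIN_UID:
            continue
        users.append({
            "name": name,
            "uid": uid,
            "gid": gid,
            "gecos": gecos.split(",")[0],  # keep only the full-name field
            "home": home,
            "shell": shell,
        })
    return users


def ldif_attr(name, value):
    """Format one attribute line per RFC 2849, base64-encoding when required.

    Values that are non-ASCII, start with space/colon/'<', or contain NUL/CR/LF
    must use the '::' base64 form; a UTF-8 gecos like 'Jos\u00e9' hits this.
    """
    needs_b64 = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or any(ch in value for ch in "\0\r\n")
    )
    if needs_b64:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def user_to_ldif(user):
    """One 'changetype: modify' record replacing the posix attributes."""
    lines = [f"dn: {DN_TEMPLATE.format(user=user['name'])}", "changetype: modify"]
    changes = [f"replace: {attr}\n{ldif_attr(attr, user[key])}"
               for key, attr in ATTR_MAP.items()]
    lines.append("\n-\n".join(changes))  # '-' separates changes within a record
    return "\n".join(lines) + "\n"


def build_ldif(passwd_text):
    """Full LDIF for every eligible account, records separated by a blank line."""
    return "\n".join(user_to_ldif(u) for u in parse_passwd(passwd_text))


if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD))
```

Feed the output to ldapmodify over LDAPS or with Kerberos (e.g. ldapmodify -H
ldaps://dc.example.com -x -D 'CN=svcacct,...' -W -f posix.ldif), never plain
LDAP with a simple bind, since the bind credential can write to user objects.
Two things to check before running it for real: look each user up by
sAMAccountName rather than trusting the CN template, since AD CNs are often
display names; and make sure every gidNumber you write also exists on a group
object, because winbind resolves primary groups through that attribute. Winbind
only reads these attributes when told to (the ad idmap backend with rfc2307 nss
info in Samba 3, or backend = ad with schema_mode = rfc2307 in later releases).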

