[Samba] Help with mapping a UNIX group to an AD Directory Group

Whyte, Brian C CIV NSWCDD, W63 brian.c.whyte at navy.mil
Fri Feb 1 22:00:31 GMT 2008

Hi All,

I have already integrated my samba with the Active directory domain
using winbind, but I am trying to do the following. I want to map a UNIX
group "ccusers" to Active Directory group "NICE\ccusers". I need my AD
users that don't have local accounts on my machine to be able to access
directories owned by the UNIX group ccusers.  It seems like it should be
simple to do, but I cannot figure out how to make it work.

I do know that this will work if I add a local account for each user
with the correct group, but I have about 2000 users so I'd rather not do

Here's what I have done.

I have a UNIX group called ccusers with a gid of 330

The following commands both work and return all the users and groups in
the AD domain.

%getent passwd 
</etc/passwd output>
<winbind user output>
%getent group
</etc/group output>
<winbind group output>

I had thought that "net groupmap add ..." was the right way to map
these, but it does not seem to do anything. I might be confused as to
what this command is supposed to accomplish.  Here is what I tried:

%net groupmap add ntgroup=ccusers unixgroup=ccusers rid=1022 type=d
<successfully added...>
<did not appear to map my two groups in getent output>

%net groupmap delete ntgroup=ccusers
%net groupmap add ntgroup=NICE\ccusers unixgroup=ccusers rid=1022 type=d
%cd /var/cache/samba
%rm winbindd_cache.tdb
%rm winbindd_idmap.tdb
%/etc/init.d/smb restart
%/etc/init.d/winbind restart
<same unsatisfactory result>

First, can someone tell me what this command is actually supposed to do?
The man page's explanation of it leaves a lot to the imagination.  As
far as I'm concerned it does absolutely nothing except update the output
of "net groupmap list".  

Here's a detailed example of what I'm looking for samba and winbind to

Right now the output of getent passwd looks like this for an AD user on
my Linux machine (Yes, I am not using a separator and I am using
templates for the home directory and shell)
jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash

204 is the gid that the winbind service has assigned to the AD
NICE\ccusers group
330 is the gid of my Linux ccusers group

I would like the output of winbind to look like this
jsmith:*:233:330:John Smith:/home/NICE/jsmith:/bin/bash  (correct gid)

The only way I have found to make this work, is the following:

%/etc/init.d/winbind stop
%groupdel ccusers
%groupadd -g 204 ccusers
%/etc/init.d/winbind start

This would probably work fine for me if this was a new server. The
problem is that gid 330 owns a ton of files on the system and I'm not
sure that winbind will always assign 204 to the AD NICE\ccusers group.
Does anyone have any ideas?
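
Added example, not part of the original post: a small audit that makes the mismatch described above visible by reporting group names that resolve to more than one gid and listing the accounts whose primary gid is a given value. The function names and sample lines are constructed for illustration, and it is an assumption that the winbind group is listed under the bare name "ccusers" (the post shows no domain prefix on jsmith).

```shell
#!/bin/sh
# Added example; the sample data is constructed from the values in the post
# (local ccusers = gid 330, winbind-assigned ccusers = gid 204).

# Read group(5)-format lines (name:passwd:gid:members) on stdin and print
# every group name that maps to more than one gid, as "name gid1,gid2".
dup_group_gids() {
    awk -F: '
        NF >= 3 && !seen[$1 SUBSEP $3]++ {
            gids[$1] = (gids[$1] == "" ? $3 : gids[$1] "," $3)
            count[$1]++
        }
        END { for (g in count) if (count[g] > 1) print g, gids[g] }
    ' | sort
}

# Read passwd(5)-format lines on stdin and print the login names whose
# primary gid (field 4) equals the gid given as $1.
users_with_gid() {
    awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# Constructed sample: what "getent group" might return on the host.
sample_group() {
    cat <<'EOF'
root:x:0:
ccusers:x:330:
ccusers:x:204:jsmith
EOF
}

# Constructed sample: the jsmith line is the one quoted in the post.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash
EOF
}

sample_group | dup_group_gids
sample_passwd | users_with_gid 204
```

On a live host the same functions can be fed from `getent group` and `getent passwd` instead of the sample data.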


