[Samba] Help with mapping a UNIX group to a AD Directory Group

Mark Braker brakerm19 at gmail.com
Sat Feb 2 00:08:25 GMT 2008


I thought there might be a way to do this in the smb.conf file itself or 
possibly in the /etc/samba/smbusers file. Some kind of user/group mapping config.


--------------------------------------------------
From: "Whyte, Brian  C CIV NSWCDD, W63" <brian.c.whyte at navy.mil>
Sent: Friday, February 01, 2008 5:00 PM
To: <samba at lists.samba.org>
Subject: [Samba] Help with mapping a UNIX group to a AD Directory Group

> Hi All,
>
> I have already integrated my samba with the Active directory domain
> using winbind, but I am trying to do the following. I want to map a UNIX
> group "ccusers" to Active Directory group "NICE\ccusers". I need my AD
> users that don't have local accounts on my machine to be able to access
> directories owned by the UNIX group ccusers.  It seems like it should be
> simple to do, but I cannot figure out how to make it work.
>
> I do know that this will work if I add a local account for each user
> with the correct group, but I have about 2000 users so I'd rather not do
> this.
>
> Here's what I have done.
>
> I have  a UNIX group called ccusers with a gid of 330
>
> The following commands both work and return all the users and groups in
> the AD domain.
>
> %getent passwd
> </etc/passwd output>
> .
> .
> .
> <winbind user output>
> .
> .
> .
> %getent group
> </etc/group output>
> .
> .
> .
> <winbind group output>
> .
> .
> .
>
>
> I had thought that "net groupmap add ..." was the right way to map
> these, but it does not seem to do anything. I might be confused as to
> what this command is supposed to accomplish.  Here is what I tried:
>
> %net groupmap add ntgroup=ccusers unixgroup=ccusers rid=1022 type=d
> <successfully added...>
> <did not appear to map my two groups in getent output>
>
> %net groupmap delete ntgroup=ccusers
> %net groupmap add ntgroup=NICE\ccusers unixgroup=ccusers rid=1022 type=d
> %cd /var/cache/samba
> %rm winbindd_cache.tdb
> %rm winbindd_idmap.tdb
> %/etc/init.d/smb restart
> %/etc/init.d/winbind restart
> <same unsatisfactory result>
>
> First, can someone tell me what this command is actually supposed to do?
> The man page's explanation of it leaves a lot to the imagination.  As
> far as I'm concerned it does absolutely nothing except update the output
> of "net groupmap list".
>
> Here's a detailed example of what I'm looking for samba and winbind to
> do:
>
> Right now the output of getent passwd looks like this for an AD user on
> my Linux machine (Yes, I am not using a separator and I am using
> templates for the home directory and shell)
> jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash
>
> 204 is the gid that the winbind service has assigned to the AD
> NICE\ccusers group
> 330 is the gid of my Linux ccusers group
>
> I would like the output of winbind to look like this
> jsmith:*:233:330:John Smith:/home/NICE/jsmith:/bin/bash  (correct gid)
>
> The only way I have found to make this work, is the following:
>
> %/etc/init.d/winbind stop
> %groupdel ccusers
> %groupadd -g 204 ccusers
> %/etc/init.d/winbind start
>
> This would probably work fine for me if this was a new server. The
> problem is that gid 330 owns a ton of files on the system and I'm not
> sure that winbind will always assign 204 to the AD NICE\ccusers group.
> Does anyone have any ideas?
>
>
> Sincerely,
>
> Brian
>
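
Before repurposing a gid the way the groupdel/groupadd sequence above does, it helps to see exactly which entries disagree. The following is an added example (not code from the thread): it parses getent-style passwd and group text, constructed here to mirror the 204/330 case, and reports every group name that resolves to two different gids together with the users whose primary gid is one of them.

```python
"""Audit helper: find group names that resolve to more than one gid (for example
a local UNIX group and a winbind-mapped AD group with the same name) and list the
users whose primary gid is any of those gids. Sample data is constructed."""
from collections import defaultdict

# Constructed sample output, modelled on the getent lines quoted in the thread:
# gid 330 is the local ccusers group, gid 204 is what winbind assigned to NICE\ccusers.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadm:x:1001:330:Local Admin:/home/localadm:/bin/bash
jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash
adoe:*:234:204:Alice Doe:/home/NICE/adoe:/bin/bash
bjones:*:235:205:Bob Jones:/home/NICE/bjones:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
ccusers:x:330:localadm
ccusers:x:204:
finance:x:205:
"""


def parse_groups(text):
    """Map group name -> list of gids; a name may appear twice (local + winbind)."""
    gids = defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            gids[fields[0]].append(int(fields[2]))
    return gids


def find_gid_conflicts(passwd_text, group_text):
    """Return {name: {"gids": [...], "users": [(user, gid), ...]}} for every group
    name that maps to more than one gid, with the users whose primary gid matches."""
    conflicts = {name: sorted(set(g)) for name, g in parse_groups(group_text).items()
                 if len(set(g)) > 1}
    report = {name: {"gids": g, "users": []} for name, g in conflicts.items()}
    gid_to_name = {gid: name for name, g in conflicts.items() for gid in g}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip blank or malformed lines
        gid = int(fields[3])
        if gid in gid_to_name:
            report[gid_to_name[gid]]["users"].append((fields[0], gid))
    return report


if __name__ == "__main__":
    for name, info in find_gid_conflicts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"group {name!r} -> gids {info['gids']}; users: {info['users']}")
```

On a live host the same functions can be fed the output of `getent passwd` and `getent group`. Note that deleting winbindd_idmap.tdb, as in the steps above, discards winbind's allocated id mappings, so an allocated gid such as 204 is not guaranteed to be handed out again.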