[Samba] Retry: Mapping AD domain users to UNIX users

Nigel.Pain at scotland.gsi.gov.uk Nigel.Pain at scotland.gsi.gov.uk
Wed Jan 23 10:07:14 GMT 2008

I posted this last week but haven't heard anything. I'm not sure if this
is because nobody knows the answer (can't believe that!) or I'm missing
something obvious in the documentation and people are thinking "Read The
Fine Manual". Whatever the reason, if anyone has any insights into this
problem I'd be very grateful for their comments.

We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
Solaris 9 as a member server, using "security = DOMAIN" in an Active
Directory 2003 domain. The server is primarily an application server,
running SAS software, but we have a share to Windows to enable users to
save programs and data from their Windows XP workstations. Historically
we've been using PC Netlink, Sun's version of Lanman, but this isn't
compatible with AD 2003 so we need to move to Samba.

We're struggling to establish a mapping between domain user accounts and
UNIX user accounts that are similarly named (the same naming convention
is used for both). My understanding of Samba, albeit sketchy, was that
it could automatically make a mapping between local and domain accounts
of the same name. However, this doesn't appear to be happening. If I set
a file's permissions for a specified user in Solaris it appears in the
file's security within Windows, but the user is listed as a Unix User
along the lines of:

u123456 (Unix User\u123456)

I was expecting that there should be an implicit mapping between u123456
in Solaris and domain\u123456 but maybe I've got the wrong end of the
stick. We need to maintain the local users so that we can control who
has access to the server software, and we maintain password aging both
on the server and the domain so maintaining a separate password database
for Samba would be a complication. an Extract from nsswitch.conf and
(edited) smb.conf and included below.

As you will see from nsswitch.conf, we are using winbind. wbinfo will
resolve any domain information and getent passwd will return domain user

Many thanks in advance.


passwd:     files winbind
group:      files winbind

hosts:      files dns winbind


	workgroup = our-domain-name
	netbios aliases = mc18unxa
# dual nics: the netmask is correct for our network
	interfaces = xx.xx.xxx.xx/,
	security = DOMAIN
	null passwords = Yes
	password server = *
	passdb backend = tdbsam
	lanman auth = No
	client NTLMv2 auth = Yes
	client lanman auth = No
	client plaintext auth = No
	log level = 1
	log file = /var/samba/log/log.%m
	max log size = 50000
	load printers = No
	dns proxy = No
	ldap ssl = no
	idmap uid = 10000-100000000
	idmap gid = 10000-100000000
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	create mask = 0644
	directory mask = 0775
	hosts deny = none
	case sensitive = No
	preserve case = No
      domain master = no
      local master = no
      preferred master = no
      os level = 0

	path = /dosptn
	read only = No
	inherit permissions = Yes
	guest ok = Yes

Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay 
EH6 6QQ 


This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s).  Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted.  If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return.


Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes.  The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.


The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

More information about the samba mailing list