[Samba] Retry: Mapping AD domain users to UNIX users

Andrew Morgan morgan at orst.edu
Wed Jan 23 18:01:52 GMT 2008


On Wed, 23 Jan 2008, Nigel.Pain at scotland.gsi.gov.uk wrote:

> We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
> Solaris 9 as a member server, using "security = DOMAIN" in an Active
> Directory 2003 domain. The server is primarily an application server,
> running SAS software, but we have a share to Windows to enable users to
> save programs and data from their Windows XP workstations. Historically
> we've been using PC Netlink, Sun's version of Lanman, but this isn't
> compatible with AD 2003 so we need to move to Samba.
>
> We're struggling to establish a mapping between domain user accounts and
> UNIX user accounts that are similarly named (the same naming convention
> is used for both). My understanding of Samba, albeit sketchy, was that
> it could automatically make a mapping between local and domain accounts
> of the same name. However, this doesn't appear to be happening. If I set
> a file's permissions for a specified user in Solaris it appears in the
> file's security within Windows, but the user is listed as a Unix User
> along the lines of:
>
> u123456 (Unix User\u123456)
>
> I was expecting that there should be an implicit mapping between u123456
> in Solaris and domain\u123456 but maybe I've got the wrong end of the
> stick. We need to maintain the local users so that we can control who
> has access to the server software, and we maintain password aging both
> on the server and the domain so maintaining a separate password database
> for Samba would be a complication. An extract from nsswitch.conf and
> (edited) smb.conf is included below.
>
> As you will see from nsswitch.conf, we are using winbind. wbinfo will
> resolve any domain information and getent passwd will return domain user
> accounts.

If your Solaris system already has unix system accounts with the same 
usernames as the Windows accounts, then you do not need to run winbind. 
That's how we run our Solaris and Linux systems here.  Unix users are 
populated from LDAP using the nss_ldap module, and Samba is a member of 
the domain (security=domain).

 	Andy

