[Samba] ID mapping help LDAP/AD

Arwin L Tugade arwin.tugade at csun.edu
Tue Aug 18 12:40:48 MDT 2009


Hey all,

I'm having some trouble figuring out ID mapping between AD and LDAP.  Basically I've done what is described in this doc:

http://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP

because it comes very close to what I need.  Only Samba is aware of AD and because uids are kept aligned between my AD and LDAP, ACLs for users work just fine.  Groups however are not kept aligned between LDAP and AD.  For instance, I have a group in LDAP called "it_unix_posixgroup" and via some middleware that I basically don't have control over, the group gets created in AD as "it_unix" with the same exact membership.

So after reading through the manual I came across Chapter 12: Group Mapping: MS Windows and UNIX (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html) and after doing:

net groupmap add ntgroup="it_unix" unixgroup=it_unix_posixgroup type=d

[root@fsrv-test ~]# net groupmap list verbose
it_unix
                SID       : S-1-5-21-3545410113-2264454557-1592041950-11805
                Unix gid  : 5402
                Unix group: it_unix_posixgroup
                Group type: Domain Group
                Comment   : Domain Unix group

I am a member of both AD/LDAP versions of the group.

The test share I have has permissions as follows:

drwxrws---  2 sli   it_unix_posixgroup  4096 Aug 17 16:20 .
drwxr-xr-x  5 root  root                    4096 Jul  9 09:26 ..
-rwxrwxr--+ 1 sli it_unix_posixgroup     9 Aug 17 11:56 creating_a_newfile.txt

But I'm not able to access the share.  I am only able to access the share when I create an "it_unix_posixgroup" in Active Directory, then everything works fine.  Am I missing something about group mapping?  Also I had this working before but I managed to get winbind to map groups from AD into winbindd_idmap.tdb and I was able to give out group perms for groups that existed in AD but not in LDAP.  I've started over since and now I can't get winbindd_idmap.tdb to populate with group data from AD.  I've even tried making the nsswitch.conf entries look over at winbind but nothing gets mapped over, but I really don't want this behavior, I only want samba authenticating against AD and everything else ldap (as described in that samba wiki).

Smb.conf:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/02/20 16:37:18
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = SKUNKTEST
   realm = SKUNKTEST.LOCAL
   security = ads

   preferred master = no
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   server string = Samba RnD Server
   winbind use default domain = Yes
   winbind trusted domains only = Yes
   winbind enum groups = Yes
   winbind enum users = no
   idmap uid = 15000-20000
   idmap gid = 15000-20000

[foo]
   comment = A Shared Drive
   read only = no
   path = /samba/arwin

The relevant entries in nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap winbind

Should the setup above populate winbindd_idmap.tdb with groups from AD?

Thanks,
Arwin

