[Samba] ID mapping help

Arwin L Tugade arwin.tugade at csun.edu
Wed Aug 26 12:03:27 MDT 2009


Hey all,

I got a unique requirement of having AD groups map over to unix gid and existing perms of Unix only groups being granted.  Reading through the man pages it seems this can be accomplished via idmap_nss.  So my config looks like:

[global]
   workgroup = SKUNKTEST
   realm = SKUNKTEST.LOCAL
   security = ads
   preferred master = no
   encrypt passwords = yes
   log level = 5
   log file = /var/log/samba/%m
   max log size = 50
   server string = Samba RnD Server

   winbind enum groups = yes

   idmap backend = tdb
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999

   idmap config SKUNKTEST: backend = nss
   idmap config SKUNKTEST: range = 1000000-1999999

   idmap config KRB: default = yes
   idmap config KRB: backend = tdb

[foo]
   comment = A Shared Drive
   read only = no
   path = /samba/arwin

When I do a "getent group" my winbindd-idmap.tdb populates with groups from AD with gid mappings, of course winbind is running.  When I access a share via Windows and go to the security tab it will look something like:

Everyone
arwin (Unix User\arwin)
it_posix (Unix Group\it_posix)

My problem arises here.  If someone other than myself who is in the it_posix group (LDAP) tries to access the file (perms are rwx for group), they get access denied.  So then apparently I should be able to "net groupmap" like:

net groupmap add ntgroup="testing" unixgroup=it_posix type=d

Which results in:

[root at krb samba]# net groupmap list verbose
testing
                SID       : S-1-5-21-471262856-1245818307-3878391063-11805
                Unix gid  : 5402
                Unix group: itr_posix
                Group type: Domain Group
                Comment   : Domain Unix group

Gid that is reported by Unix gid is good.  Now the security tab looks like:

Everyone
arwin (Unix User\arwin)
testing (KRB\testing)

But people in that group still cannot access the file.  It's only when I turn off winbind they can access the file, but I want winbind running so acls can be distributed for the groups in winbindd-idmap.tdb.

Any help is appreciated.

Thanks,
Arwin
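A consistency check for the kind of setup described in this post, written as an added example for this archive (not code from the poster or from the Samba project). It parses an smb.conf fragment modelled on the configuration above, the "net groupmap list verbose" output format, and /etc/group lines, all constructed inline with placeholder values, and reports the two things that most often explain "access denied" after a groupmap: idmap ranges that overlap between domains (the smb.conf man page requires them to be disjoint), and a groupmap whose "Unix group" name does not resolve to the gid it claims. Assumed: Samba 3.x-style idmap config keys as shown in the post, and a groupmap entry whose Unix group name differs from the /etc/group name for the same gid.

```python
import re

# Constructed smb.conf fragment modelled on the post's [global] section (hypothetical values).
SMB_CONF = """
[global]
   workgroup = SKUNKTEST
   idmap backend = tdb
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999
   idmap config SKUNKTEST: backend = nss
   idmap config SKUNKTEST: range = 1000000-1999999
   idmap config KRB: default = yes
   idmap config KRB: backend = tdb
"""

# Constructed 'net groupmap list verbose' output; the SID is a placeholder, not a real domain SID.
GROUPMAP_OUTPUT = """testing
                SID       : S-1-5-21-0-0-0-11805
                Unix gid  : 5402
                Unix group: itr_posix
                Group type: Domain Group
                Comment   : Domain Unix group
"""

# Constructed /etc/group lines: note the real group for gid 5402 is it_posix, not itr_posix.
ETC_GROUP = """it_posix:x:5402:arwin,bob
users:x:100:
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
LEGACY_RE = re.compile(r"^\s*idmap (backend|uid|gid)\s*=\s*(.+?)\s*$")


def parse_range(text):
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse_idmap_config(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}}; legacy 'idmap *' keys map to '*'."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            entry = domains.setdefault(dom, {})
            entry[key] = parse_range(val) if key == "range" else val
            continue
        m = LEGACY_RE.match(line)
        if m:
            key, val = m.groups()
            entry = domains.setdefault("*", {})
            if key == "backend":
                entry["backend"] = val
            elif key == "gid":          # group checks below use the gid range
                entry["range"] = parse_range(val)
            else:
                entry["uid_range"] = parse_range(val)
    return domains


def parse_groupmap(output):
    """Parse 'net groupmap list verbose': an unindented NT group name followed by indented key: value lines."""
    mappings, cur = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            cur = {"ntgroup": line.strip()}
            mappings.append(cur)
        elif cur is not None and ":" in line:
            key, val = line.split(":", 1)
            cur[key.strip().lower()] = val.strip()
    return mappings


def parse_etc_group(text):
    by_name, by_gid = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        by_name[name] = int(gid)
        by_gid[int(gid)] = name
    return by_name, by_gid


def audit(domains, mappings, by_name, by_gid):
    """Return human-readable findings; an empty list means the mappings look consistent."""
    findings = []
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    # 1. idmap ranges of different domains must not overlap, or allocations collide.
    for i, (d1, r1) in enumerate(ranged):
        for d2, r2 in ranged[i + 1:]:
            if r1[0] <= r2[1] and r2[0] <= r1[1]:
                findings.append(f"range overlap: {d1} {r1} and {d2} {r2}")
    # 2. every groupmap must point at a Unix group that NSS actually resolves to that gid.
    for m in mappings:
        gid, name, nt = int(m["unix gid"]), m["unix group"], m["ntgroup"]
        if name not in by_name:
            actual = by_gid.get(gid)
            hint = f" (gid {gid} belongs to {actual!r})" if actual else ""
            findings.append(f"groupmap {nt!r}: unix group {name!r} not in /etc/group{hint}")
        elif by_name[name] != gid:
            findings.append(f"groupmap {nt!r}: {name!r} is gid {by_name[name]}, not {gid}")
        for d, r in ranged:
            if r[0] <= gid <= r[1]:
                findings.append(f"groupmap {nt!r}: gid {gid} lies inside the idmap range of {d}")
    return findings


if __name__ == "__main__":
    doms = parse_idmap_config(SMB_CONF)
    maps = parse_groupmap(GROUPMAP_OUTPUT)
    by_name, by_gid = parse_etc_group(ETC_GROUP)
    for finding in audit(doms, maps, by_name, by_gid) or ["no findings"]:
        print(finding)
```

On a live host the same functions can be fed the real smb.conf, the output of "net groupmap list verbose", and "getent group" instead of the constructed strings; the range-overlap check is the one to look at first when a per-domain backend shares the range of the default backend, as in the configuration above.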

