[Samba] Map sids to Unix UID and GID
Glenn Machin
gmachin at sandia.gov
Tue Feb 3 15:16:23 GMT 2009
> Do you have idmap configured?
Thanks for getting back. It looks like it is working now. I had idmap
turned on and using tdb. All local accounts and groups on the system are
managed via nss_ldap and a non-Windows directory. I turned on winbindd
but did not configure it in nsswitch.conf for nss_ldap, so I could get
SID to name mapping, but it did not resolve SID to uid. I also do
domain name to local name mapping using "username map script:".
I found a note talking about the "nss" backend. I used "idmap backend =
nss" in the configuration file and that seems to do the job.
I can now use any group that is listed in "getent group" and "getent
passwd" and when I do a getfacl I see the proper acls on the file.
It took me a while to find a reference to "idmap backend = nss". Is
this a well known backend? Is there any information describing what it
does and how it does it?
I have included relevant smb.conf information below.
Thanks again.
Glenn
[global]
; You can change available to no if you want to prevent access
; without shutting down smbd
available = yes
server string = "netbios->" %L Samba Server Version "version->" %v,
"username->" %u, "service->" %S, "IP addr->" %I, "session username->"
%U, "primary group->" %G, "protocol->" %R, "domain->" %D, "winbind
separator->" %w, "home dir->" %H
workgroup = ADDOMAIN
netbios name = hostname
encrypt passwords = yes
use kerberos keytab = yes
username map script = /usr/local/bin/AD_to_localname.sh
security = ADS
realm = AD REALM
use spnego = yes
password server = AD domain-controllers
ntlm auth = no
lanman auth = no
client ntlmv2 auth = yes
client lanman auth = no
client use spnego = yes
map to guest = never
server signing = mandatory
domain master = no
local master = no
preferred master = no
wins support = no
wins server = server-ip
wins proxy = no
dns proxy = no
nt acl support = Yes
acl map full control = yes
acl check permissions = true
acl group control = no
;
; An unknown user ACL will be mapped to the connected user
force unknown acl user = yes
winbind enum groups = no
winbind enum users = no
winbind trusted domains only = no
idmap backend = nss
John Drescher wrote:
> On Mon, Feb 2, 2009 at 6:31 PM, Glenn Machin <gmachin at sandia.gov> wrote:
>
>> I have a samba server running on a Linux RHEL5 system. The system uses
>> nss_ldap and gets passwd and group information from a non-Windows LDAP
>> server. The smb.conf file is using security=ads and spnego in order to
>> use Kerberos tickets rather than ntlmv2.
>>
>> I have done a net ads join, and the authentication is working fine, however
>> when I try to set an ACL on a file from a Windows client using a group
>> defined in Active Directory I get messages talking about not being able to
>> map the SID to a uid.
>>
>> I don't want to use winbind for authentication.
>>
>> So how do you map SID to uid and SID to gid?
>>
>
> Do you have idmap configured?
>
> John
>
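As an added check, not code from the post or from Samba, here is a small Python lint that parses an smb.conf in the style shown above and reports whether an idmap backend is set and whether the hardening settings used in that configuration (ADS with a realm, NTLM and LanMan disabled, mandatory signing) are present. The configuration text is a constructed sample and the finding rules are my own assumptions about what is worth checking.

```python
import re

# Constructed sample modelled on the smb.conf in the post (not the poster's full file).
SAMPLE_SMB_CONF = """
[global]
; comment lines start with ';' or '#'
    workgroup = ADDOMAIN
    security = ADS
    realm = AD.REALM.EXAMPLE
    ntlm auth = no
    lanman auth = no
    server signing = mandatory
    username map script = /usr/local/bin/AD_to_localname.sh
    idmap backend = nss
[homes]
    browseable = no
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace
    removed, since Samba ignores case and spacing in parameter names.
    A trailing backslash continues a line, as in smb.conf(5)."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in ";#":
            continue
        if line.endswith("\\"):          # continuation: glue onto next line
            pending = line[:-1]
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def check_idmap(conf):
    """Return a list of findings for the [global] section of a parsed smb.conf."""
    g = conf.get("global", {})
    findings = []
    if "idmapbackend" not in g and not any(k.startswith("idmapconfig") for k in g):
        findings.append("no idmap backend configured: SID to uid/gid lookups will fail")
    if g.get("idmapbackend", "").lower() == "nss":
        findings.append("idmap backend = nss: every AD user/group must resolve via getent")
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        findings.append("security = ads without realm")
    for weak in ("ntlmauth", "lanmanauth"):       # both should be explicitly off
        if g.get(weak, "").lower() not in ("no", "false", "0"):
            findings.append(f"{weak} is not disabled")
    if g.get("serversigning", "").lower() != "mandatory":
        findings.append("server signing is not mandatory")
    return findings
```

With the nss backend, a finding about getent is the practical reminder: a group that `getent group` cannot show will not get a gid, which is exactly the symptom described in the thread.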