[Samba] winbind and existing UIDs

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Feb 4 08:00:35 MST 2010

On 02/04/10 04:07, Liam Gretton wrote:
> Hi,
> I'm implementing a Samba service on Solaris (the native CIFS service 
> being unreliable in our environment); all is working well but I have a 
> couple of questions regarding winbind which I can't find answers to in 
> the documentation. I'm using 3.0.37 at the moment, but it wouldn't be 
> a big deal to use a more recent version if necessary.
> The system will join an existing Windows AD.
> We have Unix UIDs/GIDs already assigned, so I really need winbind to 
> NOT allocate UIDs on its own, but to use our existing ones. We don't 
> have the option of extending the AD schema to include UIDs; our 
> existing Unix accounts are all in LDAP.
> What I've done to get round this is to use the ldap backend for 
> winbind, and create the mappings myself. This seems to work perfectly 
> well but I can't believe there's not a means within winbind to use the 
> account username to look up UIDs from an existing range.
> My questions are therefore:
> 1. Can I rely on winbind to never delete mappings from its database? 
> I.e. if I've created its backend LDAP database myself, can I be sure 
> that those mappings won't ever need to be recreated?
> 2. I wonder if the 'idmap alloc' options would actually do what I 
> want, but I can't find a simple explanation of what alloc backends 
> actually do. Am I barking up the wrong tree thinking that an 
> appropriate alloc backend will do what I want?

It looks like from the Samba HOWTO documentation that you might want to 
use the RID backend, which would use the Active Directory to store the 
IDMAP info instead of a standalone LDAP server.  It doesn't actually say 
that you HAVE to use the RID backend.  I don't think you need to 
extend the AD schema.  I have an MS Active Directory Server (for MS 
Exchange support) which is completely separate from the samba-based 
domain.  If I use an ldap tool to export a user to an LDIF file I see the 

allowedAttributes: uidNumber
allowedAttributes: uid
allowedAttributes: gidNumber

Also, MS Services for Unix relies on Unix attributes; I don't 
think it has to expand the schema when installed.  But if you install it 
it may give you the option to tweak the uid.

(I have been thinking about trying to move my LDAP functionality from a 
standalone Sun LDAP Directory Server to the Active Directory "LDAP" 
server to better consolidate directories.)

I would want to point out that under Sun's Samba 3.0.3x release I have 
had a lot of problems with domain trusts with a Windows 2003 server 
(mixed mode) and the idmapping cache, even with idmapping in LDAP.  The 
PDC and one BDC are running 3.0.3x.  I have a 2nd BDC running Samba 
3.4.x (compiled from source) which seems to handle this a lot better.

Compiling Samba from source is a bit of a pain as well.  The Samba build 
from sunfreeware is pretty good but it doesn't include the 
nss_winbind.so file and I think zfs isn't properly supported.  From 
the OpenSolaris forums it looks like Sun is hoping to release Samba 
3.4.x in the near future.

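As an added illustration, not part of the mail above and not taken from the Samba project's own documentation: the three winbind idmap backends the thread touches on (the hand-populated ldap backend the original poster is using, the rid backend suggested in the reply, and the ad backend that reads the uidNumber/gidNumber attributes seen in the LDIF export), written as alternative smb.conf fragments in Samba 3.4 syntax. The domain name EXAMPLE, the realm, the LDAP server, the base DNs and the numeric ranges are assumed placeholders; only one of the three per-domain blocks may be active at a time.

```ini
[global]
    workgroup = EXAMPLE
    realm     = EXAMPLE.COM
    security  = ads

    # Fallback for the local machine, BUILTIN and any SID without a
    # per-domain mapping: winbind allocates these from a local tdb.
    # Keep this range far away from the UIDs you assigned by hand, so a
    # freshly allocated ID can never collide with an existing LDAP account.
    idmap backend = tdb
    idmap uid     = 1000000-1999999
    idmap gid     = 1000000-1999999

    ## Option A: mappings created by hand in a standalone LDAP server
    ## (what the original poster does). The SID->uid entries live under
    ## ldap_base_dn; every host pointed at the same tree sees the same
    ## UIDs. The bind password is stored with "net idmap secret" rather
    ## than in this file (hypothetical DN and URL).
    idmap config EXAMPLE:backend      = ldap
    idmap config EXAMPLE:range        = 1000-999999
    idmap config EXAMPLE:ldap_url     = ldap://ldap.example.com/
    idmap config EXAMPLE:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap config EXAMPLE:ldap_user_dn = cn=idmap,dc=example,dc=com

    ## Option B: rid backend. uid = range_low + (RID - base_rid), so the
    ## mapping is deterministic and identical on every host with no
    ## shared database at all, but it cannot honour pre-existing UIDs:
    ## it only matches them if your LDAP UIDs already follow this formula.
    #idmap config EXAMPLE:backend  = rid
    #idmap config EXAMPLE:range    = 10000-99999
    #idmap config EXAMPLE:base_rid = 0

    ## Option C: ad backend. winbind reads uidNumber/gidNumber straight
    ## from each AD object (the attributes visible in the LDIF export).
    ## Read-only: an account whose attributes are empty is NOT mapped and
    ## falls through to "user not found" rather than to an allocation.
    #idmap config EXAMPLE:backend     = ad
    #idmap config EXAMPLE:range       = 1000-999999
    #idmap config EXAMPLE:schema_mode = rfc2307
    #winbind nss info = rfc2307
```

After switching backends, stop winbindd, run `net cache flush` so the old SID-to-ID answers in the winbind cache do not survive the change, and then compare `wbinfo -i 'EXAMPLE\jdoe'` and `getent passwd 'EXAMPLE\jdoe'` against the uidNumber stored in LDAP for a few accounts before any file share is exposed; a host whose mapping disagrees with its neighbours will present files as owned by the wrong user on shared storage. On the 3.0.3x releases the per-domain `idmap config` lines additionally require an `idmap domains = EXAMPLE` line; check the idmap_rid(8), idmap_ad(8) and idmap_ldap(8) man pages that ship with the version actually installed, since the syntax changed between 3.0 and 3.4.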