[Samba] User and Group mapping

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jan 14 08:03:33 MST 2010

The PDC may also have an idmap range but I think, unless you use ldap as a 
backend, they will not necessarily be the same.

If I set the permissions for a file under unix to be accessible to unix 
rob, and rob from windows tries to read the file, I think what happens 
is it will try to map "DOMAIN\rob" to the local unix rob and still allow 
access. If you tail the various samba logs you should see it trying 
to map the windows user to the unix user. I think I had to set 
the samba share as public and then rely on the file system ACLs to 
restrict files. This is because, for verifying access to the shares, 
the user mapping wasn't working properly.

Typically, in my environment, the main bulk of the files for both samba 
and nfs access was on one machine, which was also the PDC. The other 
samba machines were typically machines used primarily by unix users who 
needed to share some data with windows users. This was a workaround 
that met the limited requirements of our situation.

This is with Samba 3.0.x.  I am hoping when I move to Samba 3.4.x a lot 
of this stuff will work better.

On 01/13/10 20:30, Robert Steinmetz wrote:
> You are correct that the member machine has an idmap range, but so 
> does the PDC. Are you suggesting that in a simple setup (two nearly 
> identical servers) where users and groups are manually coordinated 
> that isn't necessary?
> Gaiseric Vandal wrote:
>> On the PDC, both the unix and samba account info is on that 
>> machine. The samba user info includes which is the local unix user. 
>> On the member server, the samba account info is pulled from the 
>> PDC. Which means that even if both unix machines have identical 
>> unix accounts (e.g. the same /etc/passwd and /etc/group file, or use 
>> NIS, NIS+ or LDAP) winbind ignores this. Your member machine 
>> probably has an idmap range, so that samba can assign unix uids and 
>> gids for the "foreign" samba accounts. (Even though you would 
>> think this isn't necessary.)
>> I found this wasn't so much a problem if most of the permission 
>> management was handled on the unix level, but the moment you started 
>> setting perms in windows the "rob 1000" and "rob 10020" became a 
>> problem. This bugged me for years.
>> My first workaround was to use LDAP for the IDMAP backend and then 
>> manually edit the uid and gid fields in the idmap entries to match 
>> the unix ones. In the end, I changed everything to an ldap backend 
>> and changed the member server to a BDC.
> -- 
> Robert Steinmetz, AIA
> Principal
> Steinmetz & Associates
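The "rob 1000" versus "rob 10020" mismatch discussed in this thread can be audited on a member server by comparing the unix account database with the ids winbind has allocated from its idmap range. The script below is an added example and is not from the thread or from the Samba project. It assumes two inputs in passwd format: the unix side as printed by `getent passwd` and the winbind side as printed by `wbinfo -i 'DOMAIN\user'`; the sample lines embedded here are constructed, and on a real server you would substitute the actual command output.

```python
"""Audit whether winbind-assigned uids/gids for domain users match the
local unix accounts of the same name.

Added example, not part of the original mail.  Both inputs are passwd-
format lines: the unix side as produced by `getent passwd`, the winbind
side as produced by `wbinfo -i 'DOMAIN\\user'`.  The sample data below is
constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample: what `getent passwd` might return on a member server
# whose unix accounts come from /etc/passwd, NIS or LDAP.
UNIX_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rob:x:1000:1000:Rob:/home/rob:/bin/bash
alice:x:1001:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample: what `wbinfo -i` might return for the same people
# once winbind has allocated ids from the member server's idmap range.
# rob has been given 10020/10000 instead of his unix 1000/1000.
WINBIND_PASSWD = """\
DOMAIN\\rob:*:10020:10000:Rob:/home/DOMAIN/rob:/bin/false
DOMAIN\\alice:*:1001:1000:Alice:/home/DOMAIN/alice:/bin/false
DOMAIN\\carol:*:10022:10000:Carol:/home/DOMAIN/carol:/bin/false
"""

IdPair = Tuple[int, int]


def parse_passwd(text: str, separator: str = "\\") -> Dict[str, IdPair]:
    """Map account name -> (uid, gid).

    A leading 'DOMAIN<separator>' prefix (winbind's default naming unless
    'winbind use default domain' is set) is stripped so that both sides
    can be compared by bare user name.
    """
    accounts: Dict[str, IdPair] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash
        name = fields[0].split(separator, 1)[-1]
        accounts[name] = (int(fields[2]), int(fields[3]))
    return accounts


def find_mismatches(unix_text: str, winbind_text: str) -> List[Tuple[str, IdPair, IdPair]]:
    """Return (name, unix_ids, winbind_ids) for every user present on both
    sides whose uid or gid differs.  These are the users for whom ACLs set
    from Windows and permissions set on unix will disagree."""
    unix = parse_passwd(unix_text)
    wb = parse_passwd(winbind_text)
    mismatches = []
    for name in sorted(unix.keys() & wb.keys()):
        if unix[name] != wb[name]:
            mismatches.append((name, unix[name], wb[name]))
    return mismatches


def winbind_only(unix_text: str, winbind_text: str) -> List[str]:
    """Domain users with no local unix account at all: the 'foreign'
    accounts for which an idmap allocation genuinely is needed."""
    unix = parse_passwd(unix_text)
    wb = parse_passwd(winbind_text)
    return sorted(wb.keys() - unix.keys())


if __name__ == "__main__":
    for name, u, w in find_mismatches(UNIX_PASSWD, WINBIND_PASSWD):
        print(f"{name}: unix uid/gid {u[0]}/{u[1]} but winbind uid/gid {w[0]}/{w[1]}")
    for name in winbind_only(UNIX_PASSWD, WINBIND_PASSWD):
        print(f"{name}: domain-only account, idmap allocation expected")
```

Run against the constructed data it reports rob as mismatched (unix 1000/1000, winbind 10020/10000) and carol as a domain-only account; alice, whose ids happen to agree, is silent. Users in the first list are the ones whose idmap entries would need to be brought into line with the unix ids, which is the manual LDAP edit described in the quoted message.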
