[Samba] Understanding UID/GID mapping models.
Ray Van Dolson
rvandolson at esri.com
Tue Aug 30 23:40:54 MDT 2011
I am using either DOMAIN or ADS for authentication and am trying to
understand how UID/GID mapping rules are triggered.
This seems to suggest that if I do not specify the idmap uid/gid
parameters in smb.conf, then authenticated usernames are mapped to
"local" user accounts having the same name.
If, however, I _do_ specify idmap uid/gid then one of the idmap_*
allocator modules is used.
Is my understanding correct there?
We have a mixed NIS/AD environment, and in most cases we do not use
idmap parameters and, as such, rely on the existence of an NIS account
to map UID/GIDs. However, when users attempt to set permissions from
Windows, it appears that a SID is passed to Samba which is unable to
map it into a valid file system ACL and the permissions aren't actually
The only workaround I've found is to enable idmap so these SIDs can be
resolved properly to NSS-sourced (in our case, NIS or local accounts)
I do something like this:
idmap backend = tdb
# Users without NIS accounts are assigned random UID/GID's from the
# following pool (assuming they're allowed to connect)
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
# NIS users should never have UID/GID > 599999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 0-599999
This seems to work, but I'm looking to confirm that I have the correct
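An added check, not from this post and not Samba's own code: a small parser that reads the idmap lines of an smb.conf excerpt (a constructed copy of the layout above), reports a domain missing its backend or range and any two ranges that overlap, and tells you which domain's range a given UID or GID would land in. It assumes that the legacy idmap backend / idmap uid / idmap gid settings describe the default "*" domain.

```python
import re

# Constructed smb.conf excerpt mirroring the post's layout (not a real config file).
SAMPLE_SMB_CONF = """[global]
idmap backend = tdb
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
# NIS users should never have UID/GID > 599999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 0-599999
"""

# Matches both "idmap config DOM : key = val" and the legacy "idmap backend/uid/gid = val".
IDMAP_RE = re.compile(r"^idmap\s+(?:config\s+(\S+)\s*:\s*)?(backend|range|uid|gid)\s*=\s*(.+?)$", re.I)

def parse_idmap(text):
    """Map domain -> {"backend": str, "range": (lo, hi)}; legacy keys go under '*'."""
    domains = {}
    for line in map(str.strip, text.splitlines()):
        m = IDMAP_RE.match(line) if line and line[0] not in "#;[" else None
        if not m:
            continue
        # Assumption: legacy idmap backend/uid/gid describe the default '*' domain.
        dom, key, val = m.group(1) or "*", m.group(2).lower(), m.group(3).strip()
        entry = domains.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val
            continue
        lo, hi = (int(x) for x in val.split("-"))  # uid, gid and range are all ranges
        if lo > hi or entry.get("range", (lo, hi)) != (lo, hi):
            raise ValueError(f"bad or conflicting idmap range for {dom}: {val!r}")
        entry["range"] = (lo, hi)
    return domains

def check_idmap(domains):
    """Return problems: a domain missing backend or range, or two ranges overlapping."""
    items = sorted(domains.items())
    problems = [f"{d}: missing {k}" for d, e in items for k in ("backend", "range") if k not in e]
    ranged = [(d, e["range"]) for d, e in items if "range" in e]
    for i, (d1, (a1, b1)) in enumerate(ranged):
        for d2, (a2, b2) in ranged[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                problems.append(f"{d1} and {d2} ranges overlap")
    return problems

def domain_for_id(domains, xid):
    """Domain whose range holds xid; explicit domains are checked before the '*' pool."""
    hits = [d for d, e in domains.items() if "range" in e and e["range"][0] <= xid <= e["range"][1]]
    return next((d for d in hits if d != "*"), "*" if "*" in hits else None)
```

With the post's settings the check comes back clean, 599999 falls in DOMAIN's nss-backed range, 600000 is in no range at all, and 1000000 is the first id the tdb pool would hand out.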