[Samba] ADS Domain Member smb.conf using idmap_ad

TAKAHASHI Motonobu monyo at monyo.com
Sun Dec 11 06:20:08 MST 2011

From: Freeman <flo at email.unc.edu>
Date: Wed, 23 Nov 2011 10:37:05 -0500

> On 11/23/2011 08:44 AM, TAKAHASHI Motonobu wrote:

> > From: Freeman<flo at email.unc.edu>
> > Date: Wed, 23 Nov 2011 08:17:55 -0500
> >
> >>> Have you already set values into "UNIX attributes" for every user you
> >>> want to "activate" under Winbind?
> >> I believed on the windows side, the windows admin had already mapped the
> >> unix user uid/gid to the windows domain via some windows/unix converter
> >> tool.
> > You need to confirm what was done, I think.
> The UNIX IDs which were mapped to the Windows domain on the Server 2008
> RC 2 are all from central campus user IDs, not the user IDs local to me,
> where I have set up a small NIS service for the 25 people I support.

> > If you keep current uid/gids maintained by NIS, you should use
> > idmap_ad(8). If not, idmap_rid(8) is easy to configure.
> >
> Thank you again for explaining the difference to me. I am about 99%
> certain I would have to go with idmap_ad since the uid/gid from
> groups/passwd files are manually added into campus's Windows Active
> Directory.

If you want to use the UID/GID maintained on the UNIX side (/etc/passwd,
NIS, LDAP, ...), you should use idmap_nss instead of idmap_ad and ask the
Windows admin to stop the "windows/unix converter tool". Then the UID/GID
maintained on the UNIX side will be used.

If you still want to use idmap_ad, you must not explicitly create
those users maintained by Winbind. They should be automatically
created by Winbind.

> My apologies, I am lacking skills in the understanding of Windows
> domains. Campus is running 2008 RC2 server. So, rfc2307 will work for me
> instead of sfu?

Anyway, you have to know what was done on the Windows side. If you do not
want to bother the Windows admin, using idmap_nss is better.

TAKAHASHI Motonobu<monyo at samba.gr.jp>
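
The two alternatives discussed in this reply, side by side as an smb.conf fragment. This is an added example, not part of the original post. It assumes the per-domain "idmap config" syntax of Samba 3.6; the domain name CAMPUS, the realm CAMPUS.EXAMPLE.EDU and all ID ranges are placeholders.

```ini
# Added example. CAMPUS, CAMPUS.EXAMPLE.EDU and the ranges are placeholders.
[global]
    security = ads
    workgroup = CAMPUS
    realm = CAMPUS.EXAMPLE.EDU

    # Default backend for BUILTIN and any domain not configured below.
    # Its range must not overlap the range of the CAMPUS domain.
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    # Option A: idmap_nss
    # UID/GID come from the UNIX side (/etc/passwd, NIS, LDAP), looked up
    # by account name through NSS. Nothing is read from the "UNIX
    # attributes" in AD. The range must cover the IDs the NIS maps use.
    idmap config CAMPUS : backend = nss
    idmap config CAMPUS : range = 1000-99999

    # Option B: idmap_ad (enable instead of Option A, never both)
    # UID/GID are read from the "UNIX attributes" stored in AD, so every
    # user to be mapped needs those attributes set, and the same accounts
    # must not also be created by hand on the UNIX side.
    # schema_mode is rfc2307 or sfu, depending on which attributes the
    # Windows side populated.
    ;idmap config CAMPUS : backend = ad
    ;idmap config CAMPUS : range = 1000-99999
    ;idmap config CAMPUS : schema_mode = rfc2307
    ;winbind nss info = rfc2307
```

With either option, a user whose UID falls outside the configured range is not mapped, so check the range against the IDs actually in use before switching backends.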
