[Samba] UID mapping
Peter.Shevchenko at rsise.anu.edu.au
Tue Jun 14 17:41:47 MDT 2011
On Tue, 14 Jun 2011 23:28:49 +0100, Jonathan Buzzard wrote:
> Martin Rootes wrote:
>> I'm trying to convert an old system on Solaris 10 that uses the
>> smbpasswd file authentication method to a system that authenticates
>> against Active Directory. I've managed to get winbind working but of
>> course this just allocates UIDs as it sees fit whereas the smbpasswd
>> file method used the UID from the /etc/passwd file. The user codes on
>> the Solaris server match the user codes in AD but if I just switch over
>> to winbind the UIDs will not match. If there were only a small number
>> of users I could simply change the ownership of the users home
>> directories to match the winbind allocated UID but unfortunately there
>> are thousands of users and so this would be a mammoth task. I've has a
>> look at various bits of documentation but can't get my head around the
>> best strategy. Has anyone needed to do something similar and if so how
>> did you go about it?
>> Also the users' home directories are distributed around multiple
>> directories and I would prefer to continue to use the home directory
>> information from /etc/passwd as opposed to using "template homedir"
>> (although I assume that I could leave the directories in place and just
>> set up links to them). I've had also had a look at the PADL nss_ldap
>> stuff but can't get it to compile, it seems to be looking for SASL,
>> would the SASL version on the Sun Freeware site work?
> Would not filling out the rfc2307 information in the AD not be the way
> forward? Then winbind would not be allocating UID's but using what was
> set in the AD which you could match with your current settings. In
> addition you could have your home directories wherever you want on a per
> user basis depending on what you have set in the AD.
> If you are going to be using AD then it is best not to fight it, and any
> AD server after 2003 R2 has the rfc2307 scheme extensions activated, you
> just need to populate the fields. Though I appreciate that sometimes
> this can be easier said than done if you don't have control over the AD
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
I have been working on exactly this problem. I looked into the
rfc2307scheme extensions and it looked like a lot of trouble. The samba
HowTo has this to say about it.
"The use of this method is messy. The information provided in the
following is for guidance only and is very definitely not complete. This
method does work; it is used in a number of large sites and has an
acceptable level of performance." see
I also noticed that, to quote the HowTo again "If winbindd is not running,
smbd (which calls winbindd) will fall back to using purely local
information from /etc/passwd and /etc/group and no dynamic mapping will
be used. On an operating system that has been enabled with the NSS, the
resolution of user and group information will be accomplished via NSS."
This is the solution that I am now implementing. It looks to be working
but I still have some testing to do. This is the way that another system
works here and we have had no trouble with it. If you have multiple
domains then you have to be vary careful doing this. We have one master
OpenLDAP server and we create accounts on all domains from that. We know
that John on one domain is the same person as John on all the others. The
linux samba servers are just setup so that nss gets account info from the
master LDAP server but the smb.conf gets Auth info from the AD Domian
controller. Password changing on the windows and linux machines have been
disabled and all password changes are done through a website. This site
then updates the LDAP and AD passwords.
Email:Peter.Shevchenko at rsise.anu.edu.au
ANU College of Engineering and
More information about the samba