[Samba] ADS Domain Member smb.conf using idmap_ad

Freeman flo at email.unc.edu
Wed Nov 23 06:17:55 MST 2011

On 11/23/2011 06:59 AM, TAKAHASHI Motonobu wrote:
> From: Freeman<flo at email.unc.edu>
> Date: Tue, 22 Nov 2011 16:47:01 -0500
>> Greetings samba community,
>> I am running samba version: Version 3.5.11-79.fc14. Trying to join
>> Linux servers to the Windows 2003 domain by running winbind and smb.  I
>> have configured the following smb.conf file which worked but can't seem
>> to understand why the uid is different from the Windows side when the
>> Windows side has already mapped some kind of uid to the SID.
> (snip)
>> By omitting this "idmap config AD : range = range values" from my
>> configuration, I am able to gain access to this server, which joined the
>> Windows domain, from another Linux machine. If I leave it uncommented in my
>> configuration, I can't seem to log in to this machine.
> (snip)
>> [global]
>>      workgroup = ad
>>      password server = server1,server2,server3
>>      realm = myDomain.com
>>      security = ads
>>      allow trusted domains = no
>>      disable netbios = yes
>> # this doesn't seem to work for some reason
>> # i am trying to use idmap_ad
>> #   idmap backend = ad
>>      idmap backend = tdb
>>      idmap uid = 1000-5000000
>>      idmap gid = 1000-5000000
>>      idmap config AD : default = yes
>>      idmap config AD : cache time = 180
>>      idmap config AD : backend  = ad
>>      # idmap config AD : range = 100001-200000
>>      idmap config AD : schema_mode = rfc2307
> Have you already set values into "UNIX attributes" for every user you
> want to "activate" under Winbind?
I believed that on the Windows side, the Windows admin had already mapped the
Unix user uid/gid to the Windows domain via some Windows/Unix converter
tool. I thought the uid/gid mapping to the SID is all done by either
winbind or samba, if smb.conf is configured properly. It is transparent
to the users. Kind of like magic under the covers.  I may need to figure
out the range to use from the Windows side so that I can apply
it to this smb.conf.

> Setting "idmap backend = ad", uid/gid and some other values are gotten
> from those in "UNIX attributes".
>> If I log into this machine from another Linux box and run the
>> command 'id', I get the uid of 1000. When I try to run the command
>> wbinfo -n flo on the member server, I get some other number:
>> [root@moe samba]# wbinfo -n flo
>> S-1-5-21-344340502-4252695000-2390403120-1236058 SID_USER (1)
> uid/gid does not have anything to do with SID/RID.
> If you want to keep some relationship between RID and uid, use
> idmap_rid(8) instead.

The interesting thing was that I initially tried idmap_rid without
knowing anything better and it had the same results as the current
idmap backend = tdb in communicating with Active Directory.  Something
is not functioning quite properly but I am not sure what.

The goal is pretty simple: we would like to have all of the Linux
machines join the campus Windows AD domain as members. Instead of
using the NIS account with all of the Linux machines, we would like to
log onto the Linux servers with the domain account from the Windows side
and to mount a Windows share upon user login.

Assistance from the samba community would be much appreciated.

> ---
> TAKAHASHI Motonobu<monyo at samba.gr.jp>
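
Added example, not part of the original thread: idmap_ad(8) documents "range" as a filter, so a uidNumber or gidNumber stored in AD that falls outside it is ignored and the mapping is discarded. The sketch below parses the "idmap config" lines quoted above, with the range line uncommented, and checks the uid 1000 reported by 'id' against it; the function names and the second test value are assumptions made for the example.

```python
import re

# Constructed sample: the idmap lines from the smb.conf in the message above,
# with the range line uncommented (the variant that blocked logins).
SAMPLE_CONF = """\
[global]
    workgroup = ad
    security = ads
    idmap backend = tdb
    idmap uid = 1000-5000000
    idmap gid = 1000-5000000
    idmap config AD : backend  = ad
    idmap config AD : range = 100001-200000
    idmap config AD : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every active 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings are not active
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def check_unix_id(domains, domain, unix_id):
    """Say whether a uidNumber/gidNumber stored in AD survives the range filter."""
    cfg = domains.get(domain.upper())
    if cfg is None:
        return "no-config"       # no 'idmap config DOMAIN' lines at all
    if cfg.get("backend", "").lower() != "ad":
        return "not-idmap-ad"    # this check only applies to the ad backend
    if "range" not in cfg:
        return "no-range"        # no range line active in this file
    low, high = (int(x) for x in cfg["range"].split("-"))
    return "in-range" if low <= unix_id <= high else "filtered-out"


if __name__ == "__main__":
    conf = parse_idmap_config(SAMPLE_CONF)
    for uid in (1000, 150000):
        print(uid, check_unix_id(conf, "AD", uid))
```

With the range set to 100001-200000, a user whose "UNIX attributes" uid is 1000 is filtered out, which matches the failed logins described when that line is active.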
