[Samba] Understanding UID/GID mapping models.
monyo at monyo.com
Thu Sep 1 09:51:17 MDT 2011
From: Ray Van Dolson <rvandolson at esri.com>
Date: Tue, 30 Aug 2011 22:40:54 -0700
> I am using either DOMAIN or ADS for authentication and am trying to
> understand how UID/GID mapping rules are triggered.
> This seems to suggest that if I do not specify the idmap uid/gid
> parameters in smb.conf, then authenticated usernames are mapped to
> "local" user accounts having the same name.
> If, however, I _do_ specify idmap uid/gid then one of the idmap_*
> allocator modules is used.
> Is my understanding correct there?
> We have a mixed NIS/AD environment, and in most cases we do not use
> idmap parameters and, as such, rely on the existence of an NIS account
> to map UIDs/GIDs. However, when users attempt to set permissions from
> Windows, it appears that a SID is passed to Samba which is unable to
> map it into a valid file system ACL and the permissions aren't actually
> The only workaround I've found is to enable idmap so these SIDs can be
> resolved properly to NSS-sourced (in our case, NIS or local accounts)
> I do something like this:
> idmap backend = tdb
> # Users without NIS accounts are assigned random UIDs/GIDs from the
> # following pool (assuming they're allowed to connect)
> idmap uid = 1000000-10000000
> idmap gid = 1000000-10000000
> # NIS users should never have UID/GID > 599999
> idmap config DOMAIN : backend = nss
> idmap config DOMAIN : range = 0-599999
> This seems to work, but I'm looking to confirm that I have the correct
I think idmap_nss was prepared just for an environment like yours,
using both NIS or LDAP and Winbind.
TAKAHASHI Motonobu <monyo at samba.gr.jp>
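The dispatch discussed in the thread, as an added example that is not part of the original messages or of Samba's own code: a small Python model of how winbind routes a SID to an idmap backend under the quoted smb.conf. It parses the fragment, sends DOMAIN SIDs to an nss-style backend (name from the DC, uid from a NIS passwd map, range-checked against 0-599999) and everything else to a tdb-style pool allocator (1000000-10000000), and shows which entries of a Windows ACL end up unmappable, which is the symptom Ray describes. The SIDs, user names and NIS entries are constructed; the model covers uids only, and it reports a failed per-domain nss lookup as unmappable rather than falling back to the default backend, a detail that varies across Samba versions and that the thread does not settle.

```python
"""Toy model of winbind's idmap dispatch for the smb.conf quoted in the thread.

Added illustration, not Samba code.  A SID from a Windows ACL is resolved to
DOMAIN\\name (LSA lookup at the DC), then handed to the per-domain backend if
one is configured (idmap_nss: uid from NSS, range-checked), otherwise to the
default pool allocator (idmap_tdb).  SIDs, names and NIS entries are
constructed; uids only; no fallback to the default backend on nss failure.
"""
import re

# The smb.conf fragment from the thread, comments included to exercise parsing.
SMB_CONF = """
idmap backend = tdb
# Users without NIS accounts get UIDs/GIDs from the following pool
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
# NIS users should never have UID/GID > 599999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 0-599999
"""

# Constructed NIS passwd map (name -> uid); svc_backup deliberately violates
# the "never > 599999" rule so the range check can be seen refusing it.
NIS_PASSWD = {"alice": 1001, "bob": 1002, "svc_backup": 700000}

# Constructed answers to winbind's SID -> name lookup against the DC.
SID_TO_NAME = {
    "S-1-5-21-11-22-33-1104": ("DOMAIN", "alice"),
    "S-1-5-21-11-22-33-1105": ("DOMAIN", "carol"),       # no NIS account
    "S-1-5-21-11-22-33-1200": ("DOMAIN", "svc_backup"),  # NIS uid out of range
    "S-1-5-21-44-55-66-2001": ("OTHERDOM", "dave"),      # no per-domain config
}

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def parse_idmap_config(conf):
    """Extract the idmap settings from an smb.conf fragment."""
    cfg = {"default": {}, "domains": {}}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]                       # strip comments
        if "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"idmap config (\S+)\s*:\s*(backend|range)", key, re.I)
        if m:
            opt = m.group(2).lower()
            dom = cfg["domains"].setdefault(m.group(1).upper(), {})
            dom[opt] = parse_range(val) if opt == "range" else val
        elif key.lower() == "idmap backend":
            cfg["default"]["backend"] = val
        elif key.lower() in ("idmap uid", "idmap gid"):
            cfg["default"][key.split()[1].lower()] = parse_range(val)
    return cfg

class IdmapTdb:
    """Default backend: next free uid from the pool, remembered per SID."""
    def __init__(self, rng):
        self.lo, self.hi = rng
        self.table = {}                                   # stands in for the tdb

    def sid_to_uid(self, sid, _name):
        if sid not in self.table:
            nxt = self.lo + len(self.table)
            if nxt > self.hi:
                return None                               # pool exhausted
            self.table[sid] = nxt
        return self.table[sid]

class IdmapNss:
    """Per-domain backend: DC-supplied name -> NSS uid, refused if out of range."""
    def __init__(self, rng, passwd):
        self.lo, self.hi = rng
        self.passwd = passwd

    def sid_to_uid(self, _sid, name):
        uid = self.passwd.get(name)
        return uid if uid is not None and self.lo <= uid <= self.hi else None

def build_backends(cfg, passwd):
    backends = {"*": IdmapTdb(cfg["default"]["uid"])}
    for dom, opts in cfg["domains"].items():
        if opts.get("backend") == "nss":                  # the only per-domain backend modelled
            backends[dom] = IdmapNss(opts["range"], passwd)
    return backends

def sid_to_uid(sid, backends, sid_to_name):
    """Winbind's dispatch: resolve the SID, pick the domain's backend, map."""
    if sid not in sid_to_name:
        return None                                       # unknown SID
    domain, name = sid_to_name[sid]
    return backends.get(domain, backends["*"]).sid_to_uid(sid, name)

def acl_to_posix(entries, backends, sid_to_name):
    """Windows ACL [(sid, perm)] -> ([(uid, perm)], [unmappable sids]);
    the second list is what Samba cannot turn into a POSIX ACL."""
    posix, unmapped = [], []
    for sid, perm in entries:
        uid = sid_to_uid(sid, backends, sid_to_name)
        (posix.append((uid, perm)) if uid is not None else unmapped.append(sid))
    return posix, unmapped

if __name__ == "__main__":
    b = build_backends(parse_idmap_config(SMB_CONF), NIS_PASSWD)
    print(acl_to_posix([(s, "rwx") for s in SID_TO_NAME], b, SID_TO_NAME))
```

Two things the run makes visible. First, alice maps to her NIS uid and dave, whose domain has no per-domain entry, gets the first pool uid and keeps it on later lookups, while carol (no NIS account) and svc_backup (NIS uid above 599999) are refused and would be dropped from the ACL. Second, the two ranges must not overlap: if the nss range reached into the tdb pool, a uid handed out from the pool could collide with a real NIS account and grant its files to the wrong principal. On a live server the equivalent check is `wbinfo --sid-to-uid <SID>` for the winbind side and `getent passwd <name>` for the NSS side.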