[Samba] Wanted: Winbind idmap backend like in Mac OS X

Andreas Triller Andreas.Triller at zweibrueder.com
Mon Dec 9 06:41:17 MST 2013

Hi all,

I am trying to set up a virtual Linux box as a replacement for an Apple Xserve (last of its kind).
Like its Mac predecessor, it needs to be integrated into Active Directory and it must serve as a file server via SMB (Samba 3) and AFP (netatalk).
Winbind and PAM are used for the ADS connection, which is working quite well so far. I can log in with domain users locally and also connect to shares via Samba from Windows clients and set file permissions with Explorer. All good so far.
My problem is with the Mac OS X clients, which are also ADS integrated via the built-in capabilities of Mac OS X.
They generate the Unix UID and GID by converting the first 4 bytes of the AD UUID to decimal format.
Winbind does the same but it uses another LDAP attribute, the RID, being the last part of the SID.
This results in a mismatch on all Mac clients between the locally generated UID and the one provided by the server, regardless of the choice of access protocol (SMB via Samba or AFP via netatalk). The mismatch leads to erratic behavior in Finder.

My question is: Is there any configuration directive that I might have overlooked, which allows building the UID and GID in the same way as Mac OS X does?
I already asked the question in the netatalk-admin mailing list and was advised to code a new idmap backend myself, which unfortunately I cannot do.

For reference, also see this thread in the netatalk-admin mailing list:

Best regards and merry x-mas!

Andreas Triller
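
The two ID derivations described in the message above, side by side, as an added example that is not part of the original post and not Samba or Apple code. It assumes the OS X client reads the UUID in its textual byte order and that the server uses the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID); the sample accounts and the range value are constructed.

```python
import uuid

def mac_style_id(guid):
    """ID from the first 4 bytes of the UUID, as the post describes for OS X.

    Accepts the textual UUID or the raw 16-byte objectGUID value from LDAP.
    AD stores objectGUID with its first three fields little-endian, so raw
    bytes are decoded with bytes_le before the leading 4 bytes are taken.
    Assumption: the client reads the UUID in its textual byte order.
    """
    u = uuid.UUID(bytes_le=guid) if isinstance(guid, bytes) else uuid.UUID(guid)
    return int.from_bytes(u.bytes[:4], "big")

def rid_style_id(sid, low_range, base_rid=0):
    """ID from the RID (last SID sub-authority), using the formula documented
    for idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1]) - base_rid + low_range

def compare(accounts, low_range):
    """Return (name, client_id, server_id) for every account whose IDs differ."""
    rows = []
    for name, guid, sid in accounts:
        client, server = mac_style_id(guid), rid_style_id(sid, low_range)
        if client != server:
            rows.append((name, client, server))
    return rows

# Constructed sample directory entries (not real accounts). "bob" carries the
# same UUID as "alice", but in the raw byte order LDAP returns for objectGUID.
SAMPLE = [
    ("alice", "5a3c1e2f-8b4d-4c6a-9e1f-0123456789ab",
     "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("bob", bytes.fromhex("2f1e3c5a4d8b6a4c9e1f0123456789ab"),
     "S-1-5-21-1004336348-1177238915-682003330-1106"),
]
LOW_RANGE = 10000  # assumed lower bound of the idmap range in smb.conf

if __name__ == "__main__":
    for name, client, server in compare(SAMPLE, LOW_RANGE):
        print(f"{name}: client-side ID {client}, server-side ID {server}")
```

Every account listed by `compare` is one where files written by the server carry an owner ID that the client resolves to a different (or no) user, which is the mismatch the post reports.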
