[Samba] Making Linux and domain users the same

Phil org-samba at freed.com
Wed Mar 6 02:46:33 MST 2013


That did it!  Thank you very much.  For the benefit of those who come after, here's a bit more detail:

If your Windows domain is WINDOMAIN, add these two lines to the global section of your smb.conf file:

        idmap config windomain : backend  = nss
        idmap config windomain : range = 1000-999999


This mapped the Windows domain users to "local" NIS-based Unix users.  This is what we needed, as users could now manipulate files in their own home directories from their Windows boxes.

Notes:
1)  In the idmap statements, the domain must (apparently) be lowercase.

2) In the range statement, make sure that the range of numbers includes all the UIDs of your users.  In our case, we had a user with a Unix UID of 96  (bad sysadmin!  bad!), so my idmap range was actually 96-999999.  I didn't confirm that this was necessary.

3)  Caveat:  One thing was missing:  this does *not* fix the user's primary group membership.  On our system, for instance, local users belong to the group "user", but /Samba users belong to the group "domain users".  I haven't checked to see if they are also members of "user" (or of other Unix groups that the local user belongs to), since this wasn't something we needed.




----- Original Message -----
From: "TAKAHASHI Motonobu" <monyo at monyo.com>
To: org-samba at freed.com
Cc: samba at lists.samba.org, TM-Samba201302 at Firstgrade.Co.UK
Sent: Sunday, March 3, 2013 1:30:52 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Making Linux and domain users the same

From: org-samba at freed.com
Date: Sat, 2 Mar 2013 08:44:34 -0500 (EST)

>> Is your /etc/nsswitch.conf setup to use winbind?
> 
> Yes -- and winbindd is running.  

>> $ ls -n
>> total 4
>> -rw-r--r-- 1    12903      100 3 Mar  2 03:40 File_Created_In_Linux
>> -rwxrw-rw- 1 16777217 16777216 3 Mar  1 13:12 File_Created_In_Windows
> 
> And:
> 
>> [global]
>>         idmap uid = 16777216-33554431
> 
> So your "joe" user is picking up an "IDMAP"ped UID.  That's expected
>> behaviour unless Samba is told any other way to map the name to a Unix
>> UID - it needs to get that information from somewhere.

Use idmap_nss instead of idmap_tdb (default).

idmap_nss picks uid/gid from /etc/passwd or its alternatives (such as NIS),
instead of generating its own value.

---
TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo 
                   facebook.com/takahashi.motonobu
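
Added example, not part of the original messages: a check for note 2 in the reply above, which reads the `idmap config ... : range` line from smb.conf text and lists the accounts whose Unix UID falls outside it. The sample smb.conf and passwd text are constructed, and the account name `olduser` and both function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from a real system).
SMB_CONF = """\
[global]
        workgroup = WINDOMAIN
        idmap config windomain : backend  = nss
        idmap config windomain : range = 1000-999999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
olduser:x:96:100:Legacy account:/home/olduser:/bin/bash
joe:x:12903:100:Joe:/home/joe:/bin/bash
"""

# Matches "idmap config <domain> : <option> = <value>" lines.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m["dom"], {})
        key = m["key"].lower()
        if key == "range":
            low, high = (int(n) for n in m["val"].split("-"))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = m["val"]
    return domains

def users_outside_range(passwd_text, low, high, names):
    """List (name, uid) for the given accounts whose UID is not in low..high."""
    missed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] in names:
            uid = int(fields[2])
            if not low <= uid <= high:
                missed.append((fields[0], uid))
    return missed

if __name__ == "__main__":
    low, high = parse_idmap(SMB_CONF)["windomain"]["range"]
    print(users_outside_range(PASSWD, low, high, {"olduser", "joe"}))
```

On a real host, feed it the output of `getent passwd` rather than /etc/passwd so that NIS accounts are included.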


