[Samba] Samba4 as DC, idmapping with different backend?

George jorgito1412 at gmail.com
Wed Jul 16 02:03:37 MDT 2014

Hi folks,

I've been playing around with Samba 4.1.9 and sssd 1.13 for a while.
I achieved consistent idmapping on Samba MEMBER servers through sssd
and winbind nss idmap (configured towards sssd)

Now, I also have some shares on a Samba4 DOMAIN CONTROLLER, and would
like to get the consistent idmapping as well.

Thanks to sssd, I actually do get a proper mapping everywhere on Linux
itself (getent passwd returns consistent UIDs even on the DC), but NOT
for files created within Windows (Unix permissions still honor the
3000000 and so on default UIDs)

Question is, on a Samba4 DOMAIN CONTROLLER, is it possible to delegate
the whole idmapping tasks to an external backend? (nss in this case).
Or is this one of the limitations of the Samba4 integrated winbind
that makes the devs discourage the use of the Samba4 DCs for file
shares purposes?

If I understand correctly, on member servers winbind is in charge of
idmapping, so making it use the nss backend towards sssd makes
everything run smoothly, but is it currently possible to achieve
something similar on a DC?

Let me tell you that I already read several 200-pages discussions on
the list about "sssd is better" / "winbind is better" / "sssd is not
supported", so we can skip that part ;) In fact, I'm trying to use

Note that I don't neither want nor need to set RFC2307 attributes for
every user.

Thanks a lot!


More information about the samba mailing list