[Samba] Samba4 as DC, idmapping with different backend?

George jorgito1412 at gmail.com
Thu Jul 17 18:14:30 MDT 2014

On Thu, Jul 17, 2014 at 4:02 AM, steve <steve at steve-ss.com> wrote:
> On Wed, 2014-07-16 at 17:49 -0300, George wrote:
>> sssd already faithfully does what I want, as does Samba3 on member
>> servers.
> Hi
> Mmm. sssd does the same as Samba3? I don't think so.

I mean, Samba3 with sssd as a backend (through winbind idmap nss)
works fine. Samba4 DC cannot use another idmapping backend besides
internal or rfc2307, and as you say, the only current way is rfc2307.

>> For it to behave like I would like, it would need more idmapping
>> options (like winbind3 offers) so it can also be "plugged" into sssd
>> (or whatever external backend).
> winbind on the DC will not work with the whole of 2307. You have to use
> sssd for that. Repeat, to do what you want to do now, it's AD.
>> As I have read, the merge between winbind3 and winbind4 will occur at
>> some point. Does anyone know how far we are from this? I know it's no
>> simple task...
> 4.2 I think, but that's irrelevant if you are going with sssd

Well, not really irrelevant. I am trying to use winbind so Samba
itself gets the correct idmapping FROM sssd, without using rfc2307.
Samba member servers can do this, but not Samba4 DCs.
Again, AD users and attributes are correctly mapped and consistent on
Linux, getent passwd shows consistent information everywhere (even
without rfc2307, thanks to sssd). What is missing is the correct UID
and GID on files created by Samba4 DC (on Samba4 DC shares) through
Windows. If winbind4 supported the nss idmap, this would be covered as
well and we would get truly consistent everything, everywhere, and
without rfc2307.

Note that I am not pretending to use winbind to provide Samba users to
the Linux system, but the other way around (and I know this is not the
most common use). I want winbind to get the system users from nss
(sssd) and provide them to Samba so when files are created within
Windows they get properly idmapped to their owner (and this is exactly
what works fine on member servers but not on DCs).

This way, configuration is still easy, rfc2307 attributes can be
defined where necessary and sssd (and by extension, also Samba) will
honor them, we (admins) are happy because we get consistent everything
everywhere, and the devs are happy because we are in fact using
winbind to relay info to smbd ;)

> (BTW, please don't post privately to us. Thanks.)

Sorry for that. Still don't know why Gmail defaults answering to the
author instead of the list...

Best regards,

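To make the contrast in this thread concrete, here is an added smb.conf sketch (not from the thread or from the Samba project) showing the two setups: a domain member server, where winbind can be pointed at the nss (sssd) mapping through `idmap config`, and a Samba4 AD DC, where those keys are not consulted and the rfc2307 attributes are the only alternative to the auto-allocated mapping. The workgroup, realm and ID ranges are assumed placeholders.

```ini
# --- Domain MEMBER server (assumed smb.conf fragment) ---
# winbind resolves SIDs through the idmap_nss backend, i.e. the same
# getent passwd/group data sssd already provides, so files created over
# SMB receive the UID/GID the Linux side already uses for that user.
[global]
   security = ADS
   # placeholder NetBIOS domain and realm
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   # default backend for SIDs outside the domain (BUILTIN etc.)
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999
   # domain SIDs: ask nss (sssd) instead of allocating new IDs
   idmap config EXAMPLE : backend = nss
   idmap config EXAMPLE : range = 1000-999999

# --- Samba4 AD DC (assumed smb.conf fragment) ---
# The DC's winbind ignores "idmap config" lines; its SID<->ID mappings
# live in idmap.ldb (xidNumber values allocated on first use). The only
# way to make it agree with sssd is to have both read the rfc2307
# uidNumber/gidNumber attributes stored on the AD user and group objects.
[global]
   server role = active directory domain controller
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   idmap_ldb:use rfc2307 = yes
```

A quick consistency check on either host is to compare the UID from `getent passwd user` with the owner shown by `ls -ln` on a file that user created over SMB; on a DC without the rfc2307 attributes the two will differ, which is exactly the gap described above.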