[Samba] Samba4 as DC, idmapping with different backend?

steve steve at steve-ss.com
Fri Jul 18 04:01:42 MDT 2014

On Thu, 2014-07-17 at 21:14 -0300, George wrote:
> On Thu, Jul 17, 2014 at 4:02 AM, steve <steve at steve-ss.com> wrote:
> > On Wed, 2014-07-16 at 17:49 -0300, George wrote:
> >> sssd already faithfully does what I want, as does Samba3 on member
> >> servers.
> > Hi
> > Mmm. sssd does the same as Samba3? I don't think so.
> I mean, Samba3 with sssd as a backend (through winbind idmap nss)
> works fine. Samba4 DC cannot use another idmapping backend besides
> internal or rfc2307, and as you say, the only current way is rfc2307.
> >> For it to behave like I would like, it would need more idmapping
> >> options (like winbind3 offers) so it can also be "plugged" into sssd
> >> (or whatever external backend).
> > winbind on the DC will not work with the whole of 2307. You have to use
> > sssd for that. Repeat, to do what you want to do now, it's AD.
> >>
> >> As I have read, the merge between winbind3 and winbind4 will occur at
> >> some point. Does anyone know how far we are from this? I know it's no
> >> simple task...
> > 4.2 I think, but that's irrelevant if you are going with sssd
> Well, not really irrelevant. I am trying to use winbind so Samba
> itself gets the correct idmapping FROM sssd, without using rfc2307.
> Samba member servers can do this, but not Samba4 DCs.
> Again, AD users and attributes are correctly mapped and consistent on
> Linux, getent passwd shows consistent information everywhere (even
> without rfc2307, thanks to sssd). What is missing is the correct UID
> and GID on files created by Samba4 DC (on Samba4 DC shares) through
> Windows. If winbind4 supported the nss idmap, this would be covered as
> well and we would get truly consistent everything, everywhere, and
> without rfc2307.
> Note that I am not pretending to use winbind to provide Samba users to
> the Linux system, but the other way around (and I know this is not the
> most common use). I want winbind to get the system users from nss
> (sssd) and provide them to Samba so when files are created within
> Windows they get properly idmapped to their owner (and this is exactly
> what works fine on member servers but not on DCs).
> This way, configuration is still easy, rfc2307 attributes can be
> defined where necessary and sssd (and by extension, also Samba) will
> honor them, we (admins) are happy because we get consistent everything
> everywhere, and the devs are happy because we are in fact using
> winbind to relay info to smbd ;)
> > (BTW, please don't post privately to us. Thanks.)
> Sorry for that. Still don't know why Gmail defaults answering to the
> author instead of the list...
> Best regards,
> George

Ok, so why not try the sssd method for sid to idmapping? I know 1.12.0
has it and maybe some of the 1.11 series too. In fact I think it's the
default, as we had to turn it off for our AD (with rfc2307 in AD):
 ldap_id_mapping = False

(on gmail web and mobile I think the best you can do is, 'reply to all')
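The two sssd.conf settings being contrasted in this thread, side by side, as an added illustration that is not part of the list posting; the domain name, SID and ranges are placeholders, and the option names are those documented for sssd's AD provider:

```ini
# /etc/sssd/sssd.conf (constructed example, domain and SID are placeholders)
[sssd]
services = nss, pam
domains = example.com

# Variant A: sssd's own SID-to-ID mapping (the default for id_provider = ad).
# UIDs/GIDs are computed from the object SID, so no rfc2307 attributes are
# needed in AD, and every sssd client that uses the same range settings
# derives the same IDs for the same SID.
[domain/example.com]
id_provider = ad
ad_domain = example.com
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000
# Pin the primary domain to a fixed slice so the mapping stays stable even if
# the order in which domains are first seen changes between hosts.
ldap_idmap_default_domain_sid = S-1-5-21-PLACEHOLDER
ldap_idmap_default_domain = example.com

# Variant B: what steve's AD uses. Disabling the algorithmic mapping makes
# sssd read uidNumber/gidNumber (and the other rfc2307 attributes) from AD,
# so IDs are exactly what the admin stored there. Users without those
# attributes will not resolve at all, which is the check to run after
# switching: `getent passwd <user>` must return an entry on every host.
# [domain/example.com]
# id_provider = ad
# ad_domain = example.com
# ldap_id_mapping = False
```

Only one `[domain/example.com]` block can be active at a time; the second is commented out so the file stays loadable as written.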
