[Samba] Samba4 as DC, idmapping with different backend?

[George]

On Sat, Jul 19, 2014 at 4:11 AM, steve <steve at steve-ss.com> wrote:
> Hi
> You do have sss specified for passwd and group in nsswitch.conf no? We
> don't use winbind anywhere in the domain. sssd works on both DCs and
> file servers independently of either smbd or samba.
>
> Trying to visualise what you have and just wondering what you can do
> with winbind/smbd that you can't do with sssd/samba. It must be to do
> with the fact that we do not use an external idmap database. But then
> again, in your setup you would be relying on both winbind and sssd to
> maintain an external database with the sid to id mappings.
> Cheers,
> Steve

* Unix permissions for files created WITHIN WINDOWS on a DOMAIN
CONTROLLER, WITHOUT USING RFC2307: get mapped as '30000xx'

* Unix permissions for files created WITHIN WINDOWS on a SAMBA MEMBER
SERVER WITH IDMAP NSS, WITHOUT USING RFC2307: get properly mapped as
'2000xx' (in my case, forcing sssd default slice), the same that
getent passwd returns *everywhere*

That's it. Am I missing something? As we discussed, samba AD binary
can only get idmapping from internal ldb, or rfc2307. If it could get
idmapping from nss as well (as smbd can), it would be able to retrieve
idmaps from sssd.

The key here is that no matter your setup, when you create a file on a
share **within Windows**, its *Unix file permissions* get mapped by
winbind. No winbind, then no correct Unix idmapping, period. This is
sort of related to the problem you posted yesterday about the BUILTIN
mapping. For Windows to assign the proper Unix permissions, you need
winbind to pass the idmapping to samba or smbd.

Regards!