[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users

Elias Probst mail at eliasprobst.eu
Mon Jul 21 10:13:30 MDT 2014


On 07/21/2014 06:03 PM, Rowland Penny wrote:
> Hi, but this is what you are doing, samba is providing the shares and
> allowing entry based on what you have in smb.conf on the fileserver but
> authentication is coming via sssd. The user that winbind expects could
> have the ID xxxxxx but sssd is supplying yyyyyyyyyy
> 
> The only way that I have found that works is to give every user an
> uidNumber and the groups a gidNumber and then use the winbind ad
> backend, this way you can ensure that the user gets the same ID everywhere.

What I expected to happen:
→ the incoming request (mounting a share on a client) supplies a user
like MY-DOMAIN\kxmjd01.
→ smbd/idmap asks NSS via getpwnam() for the UID of 'kxmjd01'
→ smbd/idmap asks NSS via getgrnam() for the groups of UID of 'kxmjd01'
→ smbd/idmap decides based upon the 'valid users' of this share whether
the request is granted or not.

The AD users all have a uidNumber/gidNumber set, which is provided by
SSSD to NSS and can be seen when asking NSS, e.g. via 'getent passwd'.

I don't see where I'd need any "mapping magic" at this point and why the
incoming user shouldn't be just passed to NSS without another mapping
layer in between. The IDs are, thanks to SSSD as NSS backend, consistent
throughout the whole infrastructure.

- Elias
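The lookup chain Elias expects (getpwnam() for the user, the user's group list, then a 'valid users' decision) as an added example; this is not code from the thread or from Samba itself. It runs the decision either against the live NSS through Python's pwd/grp modules (which see whatever SSSD or winbind currently provides) or against a constructed fake directory so the logic can be checked offline. User and group names in the sample data are constructed; only '@group'/'+group' UNIX-group entries and plain user names are handled, netgroup ('&') entries and %-substitutions are assumed out of scope.

```python
import grp
import os
import pwd
from typing import Dict, List, Optional, Set, Tuple


def strip_domain(account: str) -> str:
    """'MY-DOMAIN\\kxmjd01' -> 'kxmjd01'.  The domain prefix is what winbind
    would normally consume; NSS only knows the bare, lower-cased name."""
    return account.rsplit("\\", 1)[-1].lower()


class FakeDirectory:
    """Constructed stand-in for an SSSD-backed NSS: user -> (uidNumber, gidNumber)
    and group -> (gidNumber, members).  Lets the decision logic run offline."""

    def __init__(self, users: Dict[str, Tuple[int, int]],
                 groups: Dict[str, Tuple[int, List[str]]]):
        self.users = users
        self.groups = groups

    def lookup_user(self, name: str) -> Optional[Tuple[int, int]]:
        return self.users.get(name)

    def groups_of(self, name: str) -> Set[str]:
        ids = self.users.get(name)
        if ids is None:
            return set()
        primary = {g for g, (gid, _) in self.groups.items() if gid == ids[1]}
        supplementary = {g for g, (_, members) in self.groups.items() if name in members}
        return primary | supplementary


class NssDirectory:
    """Same interface, but asks the real NSS (getpwnam / getgrouplist), i.e.
    whatever SSSD or winbind is configured to supply on this host."""

    def lookup_user(self, name: str) -> Optional[Tuple[int, int]]:
        try:
            pw = pwd.getpwnam(name)
        except KeyError:
            return None
        return pw.pw_uid, pw.pw_gid

    def groups_of(self, name: str) -> Set[str]:
        ids = self.lookup_user(name)
        if ids is None:
            return set()
        names = set()
        for gid in os.getgrouplist(name, ids[1]):
            try:
                names.add(grp.getgrgid(gid).gr_name.lower())
            except KeyError:
                pass  # a gid with no name: NSS and the group source disagree
        return names


def decide(valid_users: str, account: str, directory) -> dict:
    """Evaluate an smb.conf 'valid users' list along the path described in
    the mail: resolve the user via NSS, collect its groups, match entries.
    Entries are comma-separated here so AD group names with spaces survive."""
    user = strip_domain(account)
    ids = directory.lookup_user(user)
    if ids is None:
        return {"granted": False, "uid": None, "reason": f"NSS has no entry for {user!r}"}
    groups = directory.groups_of(user)
    for entry in [e.strip() for e in valid_users.split(",") if e.strip()]:
        if entry[0] in "@+":  # UNIX group entry (netgroups not handled)
            if entry[1:].lower() in groups:
                return {"granted": True, "uid": ids[0], "reason": f"member of {entry[1:]}"}
        elif strip_domain(entry) == user:
            return {"granted": True, "uid": ids[0], "reason": "listed by name"}
    return {"granted": False, "uid": ids[0], "reason": "no matching entry"}


# Constructed sample data, not taken from the thread.
SAMPLE_DIRECTORY = FakeDirectory(
    users={"kxmjd01": (10001, 10000)},
    groups={"domain users": (10000, []),
            "fileshare-rw": (10050, ["kxmjd01"]),
            "admins": (10001, [])},
)

if __name__ == "__main__":
    print(decide("@fileshare-rw, admin01", "MY-DOMAIN\\kxmjd01", SAMPLE_DIRECTORY))
    print(decide("@admins", "MY-DOMAIN\\kxmjd01", SAMPLE_DIRECTORY))
```

Swapping `SAMPLE_DIRECTORY` for `NssDirectory()` on the file server and on a client shows the uid that each host's NSS returns for the same account; if the two differ, that is the winbind-versus-sssd ID mismatch Rowland describes, and comparing the `uid` field in the returned dict across hosts makes it visible before the share access fails.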

