[Samba] ACL's and SSSD

George jorgito1412 at gmail.com
Thu Sep 4 21:57:24 MDT 2014


I believe that the key here is to use idmap nss configured with the ranges
that sssd assigned to your domain (or setting the default domain in
sssd.conf so it gets the first slice), for example:

# smb.conf
# Keep in mind that you NEED to specify the * range
# for the BUILTIN mappings to occur, choose a non-
# overlapping range
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOMAIN:backend = nss
    idmap config MYDOMAIN:range = 200000-399999


You should replace the 200000-399999 range with the slice that sssd
assigned to your domain (by default, its size is 200000). For a cleaner
approach you can set

# sssd.conf
ldap_idmap_default_domain_sid = YOUR_DOMAIN_SID

And you will get all IDs mapped within the 200000-399999 range.

This way, all attempts to get UIDs within that range will be directed to
sssd via nss.

Hope this helps!

Best regards!

George
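
Added example, not part of the original message and not Samba or sssd code: a Python check that an smb.conf idmap layout follows the advice above (a `*` range is present, no ranges overlap, and the nss-backed domain range is exactly one sssd slice). The function names and the sample file are constructed here; the slice start and size of 200000 are assumed from the first slice quoted in the post.

```python
import re

# Constructed sample mirroring the smb.conf fragment in the post.
SAMPLE_SMB_CONF = """\
[global]
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOMAIN:backend = nss
    idmap config MYDOMAIN:range = 200000-399999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # skip commented-out settings
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(text, slice_min=200000, slice_size=200000):
    """Return a list of problems; an empty list means the layout is consistent."""
    domains = parse_idmap(text)
    problems = []
    if "range" not in domains.get("*", {}):
        problems.append("no range for the '*' default domain (BUILTIN needs it)")
    # Sorted by lower bound: any overlap shows up between some adjacent pair.
    ranged = sorted((d["range"], n) for n, d in domains.items() if "range" in d)
    for ((_, hi1), n1), ((lo2, _), n2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of {n1} and {n2} overlap")
    for name, d in domains.items():
        if d.get("backend") == "nss" and "range" in d:
            low, high = d["range"]
            if (low < slice_min or (low - slice_min) % slice_size
                    or high - low + 1 != slice_size):
                problems.append(f"{name} range {low}-{high} is not one sssd slice")
    return problems
```
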

