[Samba] ID mapping & sssd

Rowland Penny rpenny at samba.org
Mon Jan 18 19:54:50 UTC 2016


See inline comments:

On 18/01/16 19:14, Henry McLaughlin wrote:
> I'm working through learning mapping ids and Rowland has provided the
> following advice:
>
> "It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix
> automatically. On a domain member, you have a choice of backends, but the
> two main ones are 'rid' & 'ad'. The 'rid' backend works similarly (from an
> initial view point) to the DC and maps the users & groups to Unix. The 'ad'
> backend is different, any user that you want to be visible to Unix must be
> given a uidNumber attribute, this number must be inside the range that is
> set in smb.conf, you must also give Domain Users (at least) a gidNumber
> attribute, this must also be inside the range set in smb.conf, if you want
> any other groups to be visible to Unix, these also must be given a
> gidNumber."
>
> I think I now understand, however I have the following questions:
>
> 1) When using sssd am I correct in understanding there is no need to
> specify an id range in smb.conf?

Don't think so, but then again sssd isn't from Samba, you may be better 
off asking on the sssd mailing list about this.

>
> 2) Do I only need to specify uids & gids for the users/groups I explicitly
> set unix permissions for?
> For example if I set a folder ownership to "root:Domain Admins" then I need
> a gid for "Domain Admins" but not uids for any of the members of "Domain
> Admins"

Well, yes, yes and no (short answer).

The long answer is, unless a user has a uid and a group has a gid, it is 
invisible to Unix. If 'getent' doesn't show it, it is invisible to Unix. 
Your members of 'Domain Admins' will need a uid, just being a member of 
a Unix group will not be enough, the group will be visible to Unix, but 
how can you map an invisible user to a Unix group?

> 3) Previously I assigned Administrator a uid which caused problems. Why was
> this wrong?

This was not really wrong, it is just another way of setting things up, 
but giving 'Administrator' a uid turns it into a normal Unix user and as 
such it can only do what a normal Unix user can do, this does not normally 
include changing permissions on a directory or file owned by the 'root' 
user. The easiest way is to not give 'Administrator' a uid, but map it 
to the 'root' user via smb.conf on a domain member, this is much the 
same as what a DC does as standard.

>
> 4) How do Windows permissions translate to Linux? For example if I set a
> folder ownership to "root:Domain Admins" then in Windows I can set other
> user permissions that are not explicitly set at the Linux level.

Ah, but you are probably looking at the files via the normal Unix tools 
'ls' etc, this only lets you see the Unix permissions 'ugo' or 
user:group:others, try using 'getfacl' instead, here is what it shows 
for sysvol:

root@dc1:~# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
# flags: -s-
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

>
> 5) Why does "Domain Users" need a gid if I don't explicitly use it for
> Linux permissions?

Because this is the way winbind works, it uses the user's primary group 
in its searches and 'Domain Users' is usually the user's primary group.

Rowland
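
The 'ad' backend rule discussed in this thread (an object is visible to Unix only if it has a uidNumber or gidNumber inside the range set in smb.conf), as an added example that is not part of the original messages and is not Samba or winbind code. The domain name SAMDOM, both ranges and the directory entries are constructed sample values, and the check is a simplified model of the rule, not a query against a real directory.

```python
import re

# Constructed smb.conf fragment for a domain member; SAMDOM and the ranges are assumed.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed AD entries: (name, kind, uidNumber/gidNumber or None, group memberships)
ENTRIES = [
    ("Domain Users", "group", 10000, []),
    ("Domain Admins", "group", 10001, []),
    ("alice", "user", 10500, ["Domain Users", "Domain Admins"]),
    ("bob", "user", None, ["Domain Users", "Domain Admins"]),
    ("carol", "user", 5000, ["Domain Users"]),
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def visibility(entries, low, high):
    """Map each name to 'visible' or the reason Unix cannot see it."""
    result = {}
    for name, kind, number, _groups in entries:
        attr = "uidNumber" if kind == "user" else "gidNumber"
        if number is None:
            result[name] = f"invisible: no {attr}"
        elif not low <= number <= high:
            result[name] = f"invisible: {attr} {number} outside {low}-{high}"
        else:
            result[name] = "visible"
    return result

def effective_members(entries, vis, group):
    """Users Unix can place in the group: the group and the user must both be visible."""
    if vis.get(group) != "visible":
        return []
    return [n for n, k, _, g in entries if k == "user" and group in g and vis[n] == "visible"]

if __name__ == "__main__":
    vis = visibility(ENTRIES, *idmap_range(SMB_CONF, "SAMDOM"))
    print(vis, effective_members(ENTRIES, vis, "Domain Admins"))
```

On a real domain member the equivalent check is 'getent passwd' and 'getent group' for each name, as the reply says.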


