[Samba] idmap config ad: can't resolve domain users' uids

Francesco Malvezzi francesco.malvezzi at unimore.it
Fri Feb 16 13:26:57 UTC 2018

On 16/02/18 13:43, Rowland Penny via samba wrote:
> On Fri, 16 Feb 2018 13:10:16 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>> So just to recap: there were two problems:
>> 1) the syntax mistake in smb.conf pointed out before;
> This wouldn't have helped.
>> 2) a logical mistake because wbinfo can't possibly work without the
>> full setup that includes the nss part.
> No, wbinfo will work without the libnss_winbind links, but the OS will
> not know who the AD users & groups are without the links.

Rowland, you are helping me a lot.

Let me take a step back.

The problem that is bugging me is to allow Domain Users to access samba
shares (on a linux os) and to create files with the same uidNumber I have
put in the AD directory.

Domain Users have been exported from a samba3-ldap domain.

In a samba3-ldap domain the trick to have files with the same ownership
[1] was to record the uidNumber data in the OpenLDAP.

How does it work in samba4? I started with
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I
have been populating the users' uidNumber ad attribute and the groups'

So I was wrong to start talking about sssd, nss and so on. Those tools
are required to allow Domain Users to access a linux server (ssh for
instance). I am more interested in deploying windows shares on a samba4
server (an AD DC, actually) and in seeing users create files with the
familiar uidNumber and not the exotic number taken from the idmap.ldb

thank you,


[1] means the same user, either as a linux user or as a Domain User,
creates files with the same uidNumber.
