[Samba] using AD groups in "username map"

Rowland Penny rpenny at samba.org
Mon Feb 19 16:39:56 UTC 2018

On Mon, 19 Feb 2018 17:03:31 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:

> Hi,
> i'm trying to setup Samba 4.6 on CentOS 7.4 as a Domain Member of a 
> Windows 2012R2 Domain Controller with AD. To administer share
> security i have to use the "username map" feature. This works when i
> enumerate individual AD users there. When i want to use AD groups it
> only works with "primary" groups. This way i can't use the "Domain
> Admins" group from AD there, since "primary" group (unix style) of
> all AD users is "Domain Users".
> I'm using the "rid" idmap backend, where i can't change linux primary 
> group membership of AD users (to my experience). I know i can change 
> linux primary group membership with the "ad" idmap backend, but also 
> only when using the Unix extensions in AD (changing Windows primary 
> group has no effect and is deprecated anyway). I want to avoid this
> and don't want to believe this is necessary in the first place.
> Some configuration details:
> smb.conf:
> security = ADS
> passdb backend = tdbsam
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
> winbind enum users  = yes
> winbind enum groups = yes
> username map = /etc/samba/user.map

Is that your entire smb.conf ?

> /etc/samba/user.map:
> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"

I have never tried to map a group to a User, but in any case you don't
need to ;-)

You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or
to put it another way, the underlying Unix OS knows who 'Domain Admins'
Have you read this:



More information about the samba mailing list