[Samba] using AD groups in "username map"
Rowland Penny
rpenny at samba.org
Mon Feb 19 16:39:56 UTC 2018
On Mon, 19 Feb 2018 17:03:31 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:
> Hi,
>
> i'm trying to setup Samba 4.6 on CentOS 7.4 as a Domain Member of a
> Windows 2012R2 Domain Controller with AD. To administer share
> security i have to use the "username map" feature. This works when i
> enumerate individual AD users there. When i want to use AD groups it
> only works with "primary" groups. This way i can't use the "Domain
> Admins" group from AD there, since "primary" group (unix style) of
> all AD users is "Domain Users".
>
> I'm using the "rid" idmap backend, where i can't change linux primary
> group membership of AD users (to my experience). I know i can change
> linux primary group membership with the "ad" idmap backend, but also
> only when using the Unix extensions in AD (changing Windows primary
> group has no effect and is deprecated anyway). I want to avoid this
> and don't want to believe this is necessary in the first place.
>
> Some configuration details:
>
> smb.conf:
> security = ADS
> passdb backend = tdbsam
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
> winbind enum users = yes
> winbind enum groups = yes
> username map = /etc/samba/user.map
Is that your entire smb.conf ?
>
> /etc/samba/user.map:
> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
I have never tried to map a group to a User, but in any case you don't
need to ;-)
You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or
to put it another way, the underlying Unix OS knows who 'Domain Admins'
is.
Have you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
More information about the samba
mailing list