[Samba] using AD groups in "username map"

Matthias Leopold matthias.leopold at meduniwien.ac.at
Tue Feb 20 16:06:32 UTC 2018

On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
> On Mon, 19 Feb 2018 17:03:31 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>> Hi,
>> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
>> Windows 2012R2 Domain Controller with AD. To administer share
>> security I have to use the "username map" feature. This works when I
>> enumerate individual AD users there. When I want to use AD groups, it
>> only works with "primary" groups. This way I can't use the "Domain
>> Admins" group from AD there, since the "primary" group (Unix style) of
>> all AD users is "Domain Users".
>> I'm using the "rid" idmap backend, where I can't change the Linux primary
>> group membership of AD users (in my experience). I know I can change
>> Linux primary group membership with the "ad" idmap backend, but also
>> only when using the Unix extensions in AD (changing the Windows primary
>> group has no effect and is deprecated anyway). I want to avoid this
>> and don't want to believe this is necessary in the first place.
>> Some configuration details:
>> smb.conf:
>> security = ADS
>> passdb backend = tdbsam
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 10000-999999
>> winbind enum users  = yes
>> winbind enum groups = yes
>> username map = /etc/samba/user.map
> Is that your entire smb.conf?
>> /etc/samba/user.map:
>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
> I have never tried to map a group to a User, but in any case you don't
> need to ;-)
> You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or
> to put it another way, the underlying Unix OS knows who 'Domain Admins'
> is.
> Have you read this:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This is the documentation I have been following. I was trying to use
"acl_xattr:ignore system acls = yes" for the first time. This doesn't
seem to work (as I expected). When I use the default "acl_xattr:ignore
system acls = no" everything is fine and I don't have to use a "username
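
As an added illustration (editor's example, not configuration posted by either participant), the share setup that the linked wiki page describes for administering ACLs from Windows, combined with the rid idmap settings from the original post. The point Rowland makes is that with the rid backend every AD group already exists as a Unix group: the rid backend derives the Unix ID as the range start plus the object's RID, so "Domain Admins" (well-known RID 512) becomes GID 10512 under the 10000-999999 range and "Domain Users" (RID 513) becomes GID 10513. Because the group resolves on the Unix side, it can be granted SeDiskOperatorPrivilege and used directly in the share's Windows ACLs, with no username map entry pointing it at root. The share name and path are assumptions for the example.

```ini
[global]
    security = ADS
    # The passdb backend and idmap settings as posted in the thread
    passdb backend = tdbsam
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999
    winbind enum users  = yes
    winbind enum groups = yes

    # ACL handling from the "Setting up a Share Using Windows ACLs" wiki page:
    # store the Windows ACL in an extended attribute and keep it in sync
    # with the POSIX ACL (the default "acl_xattr:ignore system acls = no").
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # No "username map" entry is needed: "MYDOMAIN\Domain Admins" is a Unix
    # group (GID 10512 = 10000 + RID 512) that winbind resolves, so it can be
    # named in ACLs and in "net rpc rights" directly.

[demo]                          ; assumed share name for the example
    path = /srv/samba/demo      ; assumed path
    read only = no

; Grant the group the right to set permissions from Windows (command from the
; same wiki page, run once on the Domain Member; not a smb.conf setting):
;   net rpc rights grant "MYDOMAIN\Domain Admins" SeDiskOperatorPrivilege \
;       -U "MYDOMAIN\administrator"
; Then check that the group resolves on the Unix side before touching ACLs:
;   getent group "MYDOMAIN\domain admins"
;   wbinfo --gid-info 10512
```

Resolving the group with `getent group` is the check to run first: if it does not return an entry with the expected GID, winbind is not mapping the domain and neither ACL changes nor a username map entry referring to the group will behave as intended.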