[Samba] using AD groups in "username map"

Matthias Leopold matthias.leopold at meduniwien.ac.at
Wed Feb 21 08:29:20 UTC 2018

On 2018-02-20 at 17:47, Rowland Penny via samba wrote:
> On Tue, 20 Feb 2018 17:06:32 +0100
> Matthias Leopold <matthias.leopold at meduniwien.ac.at> wrote:
>> On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
>>> On Mon, 19 Feb 2018 17:03:31 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>> Hi,
>>>> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
>>>> Windows 2012R2 Domain Controller with AD. To administer share
>>>> security I have to use the "username map" feature. This works when
>>>> I enumerate individual AD users there. When I want to use AD
>>>> groups it only works with "primary" groups. This way I can't use
>>>> the "Domain Admins" group from AD there, since the "primary" group
>>>> (unix style) of all AD users is "Domain Users".
>>>> I'm using the "rid" idmap backend, where I can't change Linux
>>>> primary group membership of AD users (in my experience). I know I
>>>> can change Linux primary group membership with the "ad" idmap
>>>> backend, but also only when using the Unix extensions in AD
>>>> (changing the Windows primary group has no effect and is deprecated
>>>> anyway). I want to avoid this and don't want to believe this is
>>>> necessary in the first place.
>>>> Some configuration details:
>>>> smb.conf:
>>>> security = ADS
>>>> passdb backend = tdbsam
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 3000-7999
>>>> idmap config MYDOMAIN : backend = rid
>>>> idmap config MYDOMAIN : range = 10000-999999
>>>> winbind enum users  = yes
>>>> winbind enum groups = yes
>>>> username map = /etc/samba/user.map
>>> Is that your entire smb.conf?
>>>> /etc/samba/user.map:
>>>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
>>> I have never tried to map a group to a User, but in any case you
>>> don't need to ;-)
>>> You are using the 'rid' backend, so 'Domain Admins' gets a group
>>> ID, or to put it another way, the underlying Unix OS knows who
>>> 'Domain Admins' is.
>>> Have you read this:
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> This is the documentation I have been following. I was trying to use
>> "acl_xattr:ignore system acls = yes" for the first time. This doesn't
>> seem to work (as I expected). When I use the default
>> "acl_xattr:ignore system acls = no" everything is fine and I don't
>> have to use a "username map".
>> thx
>> matthias
> Hmm, bit of a catch-22 situation here: to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> share.

I initially intuitively thought so too, but stubbornly (and stupidly)
kept wondering why it "didn't work". Thanks for demonstrating a way how
to use "acl_xattr:ignore system acls = yes", but I'll stick to the
default now; I don't have a real reason to change it.
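Added example (not from the thread and not Samba's own code): a small POSIX shell helper that applies the idmap_rid mapping rule documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to the idmap range from the smb.conf quoted above, so you can predict the gid 'Domain Admins' (well-known RID 512) will get and then confirm it on the member server and use it as the share directory's group. The smb.conf fragment and the domain SID are constructed for the example.

```shell
#!/bin/sh
# Predict the Unix ID that "idmap config DOMAIN : backend = rid" assigns to
# an AD SID, given the domain's configured range. Formula from idmap_rid(8):
#   ID = RID - BASE_RID + LOW_RANGE_ID   (BASE_RID defaults to 0)

# Constructed smb.conf fragment mirroring the settings quoted in the thread.
SMB_CONF='[global]
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999'

# Print "LOW HIGH" for the named domain's idmap range (nothing if unset).
# The domain name is used literally in the regex, so "*" is not supported here.
idmap_range() {
    printf '%s\n' "$SMB_CONF" |
      sed -n "s/^[[:space:]]*idmap config[[:space:]]*$1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# rid_to_id SID DOMAIN [BASE_RID]: print the mapped ID, or "unmapped" with
# exit status 1 when the result falls outside the range (winbind would then
# fail to resolve the SID, which is a common cause of "unknown group").
rid_to_id() {
    sid=$1; dom=$2; base_rid=${3:-0}
    set -- $(idmap_range "$dom")
    [ -n "$1" ] || { echo "no rid range configured for $dom" >&2; return 1; }
    low=$1; high=$2
    rid=${sid##*-}                       # last component of the SID
    id=$((rid - base_rid + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo unmapped; return 1
    fi
    echo "$id"
}

# Constructed domain SID; 512 = Domain Admins, 513 = Domain Users (well-known RIDs).
DOM_SID=S-1-5-21-1111111111-2222222222-3333333333
for g in "Domain Admins:512" "Domain Users:513"; do
    printf '%-13s -> gid %s\n' "${g%%:*}" "$(rid_to_id "$DOM_SID-${g##*:}" MYDOMAIN)"
done
# On the member server the same gid must appear in
#   getent group 'MYDOMAIN\Domain Admins'
# and, with "acl_xattr:ignore system acls = no", the share directory's group
# should be set to it (chgrp 'MYDOMAIN\Domain Admins' /path/to/share).
```

With the quoted range this prints gid 10512 for Domain Admins and 10513 for Domain Users; a range that is too small for a RID yields "unmapped" rather than a wrong ID.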
