[Samba] Winbind group mapping

Sören Busse soeren.busse at magis-it.de
Wed Sep 4 11:49:32 UTC 2019

Hey there,

currently I'm trying to map my users and groups using winbind on a Samba 
file server member server which is connected to a Samba DC. Both are 
running version 4.10.0 from the 19.04 Ubuntu repository.

Here's my Samba member server's smb.conf:

[global]
   security = ADS
   workgroup = SAMDOM
   log file = /var/log/samba/%m.log
   log level = 1
   server min protocol = SMB2
   bind interfaces only = yes
   interfaces = lo
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SCHULE : backend = ad
   idmap config SCHULE : range = 100000-999999
   idmap config SCHULE : schema_mode = rfc2307
   idmap config SCHULE : unix_nss_info = no
   idmap config SCHULE : unix_primary_group = yes
   template shell = /bin/bash
   template homedir = /home/%U
   username map = /etc/samba/user.map

; share section header was missing from the posted config; the name
; "Share" is assumed from the comment and path below
[Share]
   comment = Share
   path = /share/Share
   read only = no
   store dos attributes = no
   create mask = 0660
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770

I would like to match the normal Linux user and group behavior as much 
as possible. Normally when creating a user you would create a group with 
the same name and same id as the user, which will result in an 
"id"-command output like this:
uid=1000(soeren) gid=1000(soeren) Gruppen=1000(soeren)

When I now add a user to my domain and set the uid and gid to the same 
value, e.g. 100 000, without creating a separate group with the gid 100 000, 
the "id"-command output looks like this:
uid=100000(soeren) gid=100000 Gruppen=100000
So the ids are mapped correctly, but the gid is missing the name. This 
is reasonable because winbind is looking for a group with the id 100 000 
but can't find any so the name can't be set.

The solution would be to simply create a group with the id 100 000. 
However, you can't have the group use the same sAMAccountName as the 
user, because it's only allowed to exist once. So I have to choose a 
different group name with a well-known prefix like "group_soeren" for 
any user groups (as far as I know the sAMAccountName of the group is 
allowed to be longer than 20 characters, isn't it? This would allow 
setting a prefix although the username might already be 20 characters long).

This solution feels a little bit like a workaround or hack. Is there a 
better way to solve this issue or is this the only solution?

Kind regards
Sören Busse
Magis IT GmbH
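As an added illustration (not part of the original post, and not Samba's own tooling), the following Python script checks for the exact symptom described above: it parses the idmap ranges from an smb.conf fragment, verifies that the "*" and domain ranges do not overlap (a hard requirement for winbind), and then walks passwd- and group-style entries to flag users whose primary gid either has no group entry (so "id" prints only the number) or lies in the "*" range and was therefore allocated by the tdb backend rather than read from the AD gidNumber. The smb.conf fragment, the user names, and the passwd/group lines are constructed sample data; on a real member server you would feed it the output of "getent passwd" and "getent group" instead.

```python
"""Diagnose unresolved or misallocated primary groups for winbind-mapped users.

Added example with constructed data; the idmap lines mirror the smb.conf in
the post, the passwd/group entries are made up to show the failure modes.
"""
import re

# Constructed smb.conf fragment (only the idmap keys are parsed).
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SCHULE : backend = ad
   idmap config SCHULE : range = 100000-999999
"""

# Constructed entries in `getent passwd` format: name:pw:uid:gid:gecos:home:shell
PASSWD_LINES = [
    "soeren:*:100000:100000:Soeren Busse:/home/soeren:/bin/bash",  # gid has no group
    "anna:*:100001:100500:Anna:/home/anna:/bin/bash",              # gid resolves, in AD range
    "bob:*:100002:3001:Bob:/home/bob:/bin/bash",                   # gid allocated from '*' range
]

# Constructed entries in `getent group` format: name:pw:gid:members
GROUP_LINES = [
    "domain users:x:100500:",
    "BUILTIN\\users:x:3001:",
]


def parse_idmap_ranges(conf):
    """Return {domain_name: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    pattern = r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    for match in re.finditer(pattern, conf):
        ranges[match.group(1)] = (int(match.group(2)), int(match.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Return pairs of domain names whose idmap ranges overlap (winbind rejects this)."""
    items = list(ranges.items())
    overlaps = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            (name_a, (lo_a, hi_a)), (name_b, (lo_b, hi_b)) = items[i], items[j]
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((name_a, name_b))
    return overlaps


def domain_of(xid, ranges):
    """Name of the idmap domain whose range contains xid, or None if unmapped."""
    for name, (lo, hi) in ranges.items():
        if lo <= xid <= hi:
            return name
    return None


def check_primary_groups(passwd_lines, group_lines, ranges, domain):
    """Return (user, gid, problem) for every user whose primary group is suspect."""
    gid_names = {int(line.split(":")[2]): line.split(":")[0] for line in group_lines}
    findings = []
    for line in passwd_lines:
        user, _, uid, gid = line.split(":")[:4]
        gid = int(gid)
        if gid not in gid_names:
            findings.append((user, gid,
                             "no group with this gidNumber; 'id' prints the number only"))
        elif domain_of(gid, ranges) != domain:
            findings.append((user, gid,
                             f"primary group {gid_names[gid]!r} lies in the "
                             f"{domain_of(gid, ranges)!r} range, not in {domain!r}"))
    return findings


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for a, b in overlapping_ranges(ranges):
        print(f"ERROR: idmap ranges for {a!r} and {b!r} overlap")
    for user, gid, problem in check_primary_groups(PASSWD_LINES, GROUP_LINES, ranges, "SCHULE"):
        print(f"{user}: gid={gid}: {problem}")
```

With the constructed data the script reports soeren (gid 100000 has no group entry, exactly the "gid=100000" without a name seen in the post) and bob (primary gid 3001 came from the "*" tdb range), while anna passes because her gidNumber resolves to "domain users" inside the SCHULE range.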

