[Samba] Winbind group mapping
Sören Busse
soeren.busse at magis-it.de
Wed Sep 4 11:49:32 UTC 2019
Hey there,
currently I'm trying to map my users and groups using winbind on a samba
fileserver member server which is connected to a samba DC. Both are
running version 4.10.0 from the 19.04 ubuntu repository.
Here's my samba member servers smb.conf:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.DOMAIN:TLD
log file = /var/log/samba/%m.log
log level = 1
server min protocol = SMB2
bind interfaces only = yes
interfaces = lo 10.42.6.2
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SCHULE : backend = ad
idmap config SCHULE : range = 100000-999999
idmap config SCHULE : schema_mode = rfc2307
idmap config SCHULE : unix_nss_info = no
idmap config SCHULE : unix_primary_group = yes
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/user.map
[Share]
comment = Share
path = /share/Share
read only = no
store dos attributes = no
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
I would like to match the normal Linux user and group behavior as much
as possible. Normally when creating a user you would create a group with
the same name and same id as the user, which will result in an
"id"-command output like this:
uid=1000(soeren) gid=1000(soeren) Gruppen=1000(soeren)
When I now add a user to my domain and set the uid and gid to the same
value e.g 100 000 without creating a seperate group with the gid 100 000
the "id"-command output would looks like this:
uid=100000(soeren) gid=100000 Gruppen=100000
So the ids are mapped correctly, but the gid is missing the name. This
is reasonable because winbind is looking for a group with the id 100 000
but can't find any so the name can't be set.
The solution would be to simply create a group with the id 100 000.
However you can't have the group to use the same sAMAccountname as the
user, because it's only allowed to exists once. So I have to choose a
different group name with a well-known prefix like "group_soeren" for
any user groups (As far as I know the sAMAccountname of the group is
allowed to be longer than 20 characters, isn't it? This would allow to
set a prefix altough the username might already be 20 characters long)
This solution feels a little bit like a workaround or hack. Is there a
better way to solve this issue or is this the only solution?
Kind regards
Sören Busse
Magis IT GmbH
More information about the samba
mailing list