[Samba] Unable to map AD Users to existing local Unix users since 4.8.x

Rowland penny rpenny at samba.org
Thu Jun 4 19:07:41 UTC 2020

On 04/06/2020 19:58, Bivans, Crispin via samba wrote:
> Rowland said:
>>> Is there a set of settings to restore the mapping of AD users to pre-existing Unix Users?
>> No
>>> Does the official Samba distributed project source continue to support AD Users mapping to pre-existing Unix Users?
>> I do not think it ever did.
> I found this reference quickly from Google describing the previous behavior.
> Winbind was always optional until perhaps recently.
> https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/idmapper.html
> This functionality I know has worked from early 2000's (roughly 2002) until last year.
> From page:
> "A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle identity mapping in a variety of ways. The mechanism it uses depends on whether or not the winbindd daemon is used and how the winbind functionality is configured. The configuration options are briefly described here:
> Winbind is not used; users and groups are local:
> Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming network traffic. This is done using the LoginID (account name) in the session setup request and passing it to the getpwnam() system function call. This call is implemented using the name service switch (NSS) mechanism on modern UNIX/Linux systems. By saying "users and groups are local," we are implying that they are stored only on the local system, in the /etc/passwd and /etc/group respectively.
> For example, when the user BERYLIUM\WambatW tries to open a connection to a Samba server the incoming SessionSetupAndX request will make a system call to look up the user WambatW in the /etc/passwd file.
> "
>>> Do we just need to compile our own Samba to get back that functionality?
>> How? The functionality that let your system work has been removed.
> Can you point me to a Release Changes note that says explicitly that Winbind is now required or that mapping of AD users to local unix accounts has been removed?
> Crispin

Yes, see here:


Samba did a lot of things back in the NT4-style domain days, some of 
which dragged into the start of the AD client setups; quite a few of 
them were not really a good idea.
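
The lookup described in the HOWTO passage quoted above, as an added example that is not part of the original message and is not Samba code: a simplified Python model of resolving a session-setup account name against passwd-format data by account name only. The passwd entries, the domain OTHERDOM, the lowercase fallback and all function names are assumptions made for illustration.

```python
"""Simplified model of the name-only lookup in the quoted HOWTO passage.
Added example, not Samba code; the sample data is constructed."""
from collections import defaultdict

# Constructed passwd-format sample: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wambatw:x:1001:1001:W Wambat:/home/wambatw:/bin/bash

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
truncated:x:1002
"""

def parse_passwd(text):
    """Return {login_name: (uid, gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7:
            continue  # skip blank and malformed entries
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def local_name(login):
    """Drop the domain part of DOMAIN\\user, as in the HOWTO's example."""
    return login.rsplit("\\", 1)[-1]

def resolve(login, users):
    """Model of the getpwnam() step: the account name alone decides the match.
    Trying the lowercase form second is an assumption of this model."""
    name = local_name(login)
    for candidate in (name, name.lower()):
        if candidate in users:
            return candidate, users[candidate]
    return None

def shared_mappings(logins, users):
    """Local accounts that more than one incoming login resolves to."""
    hits = defaultdict(list)
    for login in logins:
        match = resolve(login, users)
        if match:
            hits[match[0]].append(login)
    return {name: sorted(ls) for name, ls in hits.items() if len(ls) > 1}

if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print(resolve("BERYLIUM\\WambatW", users))
    print(shared_mappings(["BERYLIUM\\WambatW", "OTHERDOM\\wambatw"], users))
```

In this model the domain part plays no role in the match, so an administrator auditing such a setup can feed it the expected domain logins and see which local accounts they land on.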

