[Samba] Unable to map AD Users to existing local Unix users since 4.8.x

Rowland penny rpenny at samba.org
Thu Jun 4 20:52:35 UTC 2020

On 04/06/2020 21:22, Bivans, Crispin via samba wrote:
> Rowland said:
>>> Can you point me to a Release Changes note that says explicitly that Winbind is now required or that mapping of AD users to local unix accounts has been removed?
>>> Crispin
>> Yes, see here:
>> https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Domain_member_setups_require_winbindd
>> Samba did a lot of things back in the NT4-style domain days, some of
>> which dragged into the start of the AD client setups, quite a few of
>> them were not really a good idea.
>> Rowland
> Thanks Rowland for the reference, that clears up a lot.
> Is there an idmap engine or other settings that maps AD users to local ID numbers?
No, because in AD there are no local users; there are just domain users.
> We don't manage Windows accounts or groups so it'll be challenge to coordinate and get buy in by the Win Admins,

This is just plain silly; if the users in AD are the same users as 
yours, then what is the problem?

All the attributes you need are available in AD, they do not have to 
extend the schema. If they do not want to do the work for you, they 
could delegate control of the required RFC2307 attributes to your team.

>   to the Winbind model when we are asking them to do more work. And there is still no great solution for the primary group dilemma I first wrote about in the chain (i.e. same user on multiple systems may get a different primary group used for that system).
This is the problem Microsoft faced when they came up with domains; they 
solved it by creating the 'Domain Users' group and making all users 
members of the group. They also came up with Windows ACLs, with these 
you can allow (or deny) access by multiple groups. This may be a way out 
of your group problem.
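For readers following this thread, here is an added example (not part of the original mail) of the smb.conf fragment a Samba 4.8+ domain member uses to take uidNumber/gidNumber from the RFC2307 attributes in AD via winbindd, which is the mapping Rowland is describing; the domain name, workgroup, realm and ID ranges are assumptions and must be replaced with your own, and it assumes the AD admins have populated uidNumber and gidNumber for the relevant users and groups.

```ini
# Added example, not from the original thread. Domain member smb.conf
# (global section only). Names and ranges below are placeholders.
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.COM
    security = ADS

    # Required since 4.8: winbindd supplies all domain user/group lookups,
    # local passwd entries are no longer consulted for AD users.
    winbind use default domain = yes
    winbind refresh tickets = yes

    # Default backend for SIDs that are not from EXAMPLE (BUILTIN etc.).
    # Its range must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # 'ad' backend reads uidNumber/gidNumber straight from AD, so every
    # member server resolves the same user to the same numeric IDs.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # Use the gidNumber stored in AD as the primary group instead of the
    # mapped primaryGroupID; this is what keeps the primary group
    # identical on every system that joins the domain.
    idmap config EXAMPLE : unix_primary_group = yes

    # Take loginShell/unixHomeDirectory from AD, falling back to templates
    # for accounts where those attributes are unset.
    idmap config EXAMPLE : unix_nss_info = yes
    winbind nss info = rfc2307
    template shell = /bin/bash
    template homedir = /home/%U
```

Users or groups without a uidNumber/gidNumber inside the configured range are simply not visible to `getent passwd`/`getent group` on the member, so missing attributes show up as "user not found" rather than as a mapping to some other ID.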
