[Samba] Unable to map AD Users to existing local Unix users since 4.8.x
Bivans, Crispin
Crispin.Bivans at vwcredit.com
Thu Jun 4 21:08:45 UTC 2020
Rowland said:
>> Is there an idmap engine or other settings that maps AD users to local ID numbers?
> No, because in AD there are no local users, there are just domain users
> >
> > We don't manage Windows accounts or groups so it'll be a challenge to coordinate and get buy-in by the Win Admins,
> This is just plain silly, if the users in AD are the same users as
> yours, then what is the problem?
> All the attributes you need are available in AD, they do not have to
> extend the schema. If they do not want to do the work for you, they
> could delegate control of the required RFC2307 attributes to your team.
>> to the Winbind model when we are asking them to do more work. And there is still no great solution for the primary group dilemma I first wrote about in the chain (i.e. same user on multiple systems may get a different primary group used for that system).
> This is the problem Microsoft faced when they came up with domains, they
> solved it by creating the 'Domain Users' group and making all users
> members of the group. They also came up with Windows ACLs, with these
> you can allow (or deny) access by multiple groups. This may be a way out
> of your group problem.
> Rowland
Thank you Rowland
-Crispin Bivans