[Samba] Unable to map AD Users to existing local Unix users since 4.8.x

Bivans, Crispin Crispin.Bivans at vwcredit.com
Thu Jun 4 21:08:45 UTC 2020

Rowland said:
    >>  Is there a idmap engine or other settings that maps AD users to local ID numbers?
    > No, because in AD there are no local users, there are just domain users
   > >
   > > We don't manage Windows accounts or groups so it'll be challenge to coordinate and get buy in by the Win Admins,

   > This is just plain silly, if the users in AD are the same users as
   > yours, then what is the problem ?

   > All the attributes you need are Available in AD, they do not have to
   > extend the schema. If they do not want to do the work for you, they
   > could delegate control of the required RFC2307 attributes to your team.

   >>   to the Winbind model when we are asking them to do more work. And there is still no great solution for the primary group dilemma I first wrote about in the chain (i.e. same user on multiple systems may get a different primary group used for that system).

   > This is the problem Microsoft faced when they came up with domains, they
    >solved it by creating the 'Domain Users' group and making all users
   > members of the group. They also came up with Windows ACLs, with these
   > you can allow (or deny) access by multiple groups. This may be a way out
   > of your group problem.

   > Rowland

Thank you Rowland

-Crispin Bivans

More information about the samba mailing list