[Samba] Guides to AD integration using Win ACL and nested groups

Rowland Penny rpenny at samba.org
Mon Jun 28 19:33:03 UTC 2021

On Mon, 2021-06-28 at 17:56 +0000, Deas, Jim wrote:
> Rowland, thank you for the reply, I see where I may need to move the
> idmap backend from ad to rid and will setup a second test system to
> investigate it.
> Re-reading parts of the doc you reference, I have not created
> template entries for items such as home directory, but all domain
> users do have uid, uidNumber and gidNumber set to match my legacy
> posix system used by PAM.  I did not set gidNumbers on the AD groups
> because I was attempting to have the system use Windows nested ACLs
> exclusively for access control to the shares.

If you use idmap_ad, then you must give Domain Users a gidNumber
attribute containing a number inside the DOMAIN range you set in
smb.conf, or ALL your users will be ignored.

> Does switching from idmap_ad to idmap_rid along with idmap range
> allow full Win ACL control of a share based on 'calculated' group and
> user access rights stored in the files/folder xattr and alleviate the
> need to duplicate uid/gid information from their Unix accounts into
> the Win AD accounts?

Ah, when you say 'Unix accounts', do you mean accounts and groups
stored in /etc/passwd & /etc/group? If you do, then if there are
accounts in AD that are also in /etc/passwd or /etc/group, then delete
the ones in /etc/passwd and /etc/group. You should only have accounts
in AD.
If you use the winbind 'rid' backend (idmap_rid), then the IDs are
calculated from the account's RID. Any RFC2307 attributes in AD will be
If you use the winbind 'ad' backend (idmap_ad), then the IDs are found
from the RFC2307 attributes you have added.

> Is xattr:security  used directly by smb to determine access or is it
> instead only used to calculate a posix uid/gid number used by ext4
> natively?

Not sure you understand AD permissions correctly, ext4 doesn't
calculate IDs at all, it just uses them, if it can find them.

There are three sets of permissions in play here, the normal Unix 'ugo'
permissions, the ACL set with setfacl and the Windows ACL stored in an
EA. If you set the share's permissions from Windows (highly
recommended), they are stored in the latter.
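The two mapping rules discussed in this thread, written out as an added example (not code from the list or from Samba itself): idmap_rid derives an ID as LOW_RANGE_ID + RID with no RFC2307 data, while idmap_ad takes uidNumber/gidNumber from AD and drops a user whose primary group (Domain Users) has no gidNumber inside the configured range. The domain SID, the range 10000-999999 and the user objects are constructed values.

```python
import re

# Constructed example values (assumptions, not from the thread):
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE = (10000, 999999)          # idmap config DOMAIN : range = 10000-999999
DOMAIN_USERS_RID = 513           # well-known RID of "Domain Users"

def rid_of(sid):
    """Return the RID of a SID in our domain, or None for a foreign SID."""
    m = re.fullmatch(re.escape(DOMAIN_SID) + r"-(\d+)", sid)
    return int(m.group(1)) if m else None

def idmap_rid(sid, rng=RANGE):
    """idmap_rid: ID = LOW_RANGE_ID + RID, independent of any RFC2307 attribute."""
    rid = rid_of(sid)
    if rid is None:
        return None
    xid = rng[0] + rid
    return xid if rng[0] <= xid <= rng[1] else None

def idmap_ad_uid(user, groups, rng=RANGE):
    """idmap_ad: use the user's uidNumber, but only if the user's primary group
    (Domain Users unless primaryGroupID says otherwise) has a gidNumber inside the
    range; otherwise winbind ignores the user, the failure described in the thread."""
    def in_range(v):
        return v is not None and rng[0] <= v <= rng[1]
    uid = user.get("uidNumber")
    group = groups.get(user.get("primaryGroupID", DOMAIN_USERS_RID), {})
    return uid if in_range(uid) and in_range(group.get("gidNumber")) else None

# Constructed AD data: users carry uidNumber, but Domain Users has no gidNumber.
USERS = {"jim": {"rid": 1105, "uidNumber": 12001},
         "ann": {"rid": 1106, "uidNumber": 3001}}   # 3001 is below the range
GROUPS_BROKEN = {DOMAIN_USERS_RID: {}}
GROUPS_FIXED = {DOMAIN_USERS_RID: {"gidNumber": 10513}}

def audit(users, groups, rng=RANGE):
    """Map every user under both backends; None means winbind would not see them."""
    return {name: {"ad": idmap_ad_uid(u, groups, rng),
                   "rid": idmap_rid(f"{DOMAIN_SID}-{u['rid']}", rng)}
            for name, u in users.items()}

if __name__ == "__main__":
    print(audit(USERS, GROUPS_BROKEN))   # every 'ad' entry is None
    print(audit(USERS, GROUPS_FIXED))    # jim -> 12001 via ad; ann only via rid
```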


