[Samba] Understanding ID mapping between a campus AD and a local LDAP

Jonathon A Anderson jonathon.anderson at colorado.edu
Tue Mar 23 16:50:36 UTC 2021

I'll try to describe our situation as completely as possible:

- Our campus runs active directory. It contains an entry for every campus identity / account, as you'd expect.

- Our (research computing / unixy) group runs an LDAP server (389 Directory Server) that has the same usernames as are in the campus active directory, but potentially different uidNumbers.

- We have data in multiple shared file systems within our (research computing / unixy) environment. We are trying to make some of this data available via SMB.

- Our Samba server is joined to our campus AD, and we are trying to map the identities in the campus AD to the identities in our internal LDAP by matching up usernames.

- So if I log into Samba (e.g., with macOS Finder) with my AD credentials, I want it to see my name is "username" in AD, authenticate, then look up "username" in our internal LDAP (either via LDAP using idmap_rfc2307, or via NSS using idmap_nss) to find what my UID number is in the Unix environment, ignoring what AD says my UID number should be.

If this is not what Samba idmap is for (or, at least, what idmap_rfc2307 or idmap_nss is for), then I do not understand what Samba idmap is for.

I very much appreciate your response. I'm hoping to understand better. Thanks for your help.


From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Tuesday, March 23, 2021 9:00 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local LDAP

On 23/03/2021 14:43, Jonathon A Anderson via samba wrote:
> We’re trying to get ID mapping set up between a campus AD and our internal LDAP. I’ve tried both idmap_rfc2307 and idmap_nss backends; but if my LDAP uidNumber doesn’t match my AD uidNumber, mapping doesn’t appear to work. This surprises me because the _names_ match (AD sAMAccountName and LDAP uid (name)), and I thought that the whole point of idmap was to translate an AD username into a UNIX uidNumber. What am I misunderstanding or doing wrong?
> For example, when using idmap_nss, I see that it’s trying to call getpwuid with my AD uidNumber, rather than with my LDAP uidNumber.
> I feel like I’m missing something fundamental about how idmap works and what it’s for if it’s trying to look up a local identity by the AD uidNumber rather than by the LDAP uidNumber or uid (name).
> Thanks for you attention and advice.
> ~jonathon

It sounds like you are trying to map users & groups from two places at
once, if this is the case, I don't think it is ever going to work.

what do you use the ldap for ?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list