[Samba] Understanding ID mapping between a campus AD and a local LDAP

Rowland penny rpenny at samba.org
Tue Mar 23 17:07:07 UTC 2021


On 23/03/2021 16:50, Jonathon A Anderson wrote:
> I'll try to describe our situation as completely as possible:
>
> - Our campus runs Active Directory. It contains an entry for every campus identity / account, as you'd expect.
>
> - Our (research computing / unixy) group runs an LDAP server (389 Directory Server) that has the same usernames as are in the campus active directory, but potentially different uidNumbers.
>
> - We have data in multiple shared file systems within our (research computing / unixy) environment. We are trying to make some of this data available via SMB.
>
> - Our Samba server is joined to our campus AD, and we are trying to map the identities in the campus AD to the identities in our internal LDAP by matching up usernames.
>
> - So if I log into Samba (e.g., with macOS Finder) with my AD credentials, I want it to see my name is "username" in AD, authenticate, then look up "username" in our internal LDAP (either via LDAP using idmap_rfc2307, or via NSS using idmap_nss) to find what my UID number is in the Unix environment, ignoring what AD says my UID number should be.
>
> If this is not what Samba idmap is for (or, at least, what idmap_rfc2307 or idmap_nss is for), then I do not understand what Samba idmap is for.


Are you using the 389 Directory Server just for authentication? Using exactly the same users & groups that are in AD?

If so, then probably the best way out of this is to join all your Unix machines to your AD and use the winbind 'rid' backend on all of them. Unfortunately you will get new Unix IDs, but I think this will happen with whatever method you end up using. The big benefit to using AD is that you will be able to turn off the 389 Directory Server and then have only one point of management.

If you are using the 389 Directory Server for more than authentication (mailserver for instance), then it would be a bit more difficult, but the above should still work.

Rowland
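The following is an added illustration, not code from the thread or from the Samba project, of why the two approaches discussed above yield different Unix IDs for the same AD account. It models the 'rid' backend arithmetic (unix_id = RID - base_rid + range_low, inside the configured range) next to an rfc2307/nss-style lookup that takes the uidNumber from the local directory and ignores anything AD stores. The smb.conf fragment, the domain name CAMPUS, the user jdoe, the SID and both uidNumber values are constructed for the example.

```python
"""Added illustration (not from the thread): how the two idmap approaches discussed
produce Unix IDs for the same AD user. All names, SIDs and uidNumbers are constructed."""
import re

# Constructed smb.conf fragment for the 'rid' approach Rowland recommends.
SMB_CONF_RID = """
[global]
   workgroup = CAMPUS
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CAMPUS : backend = rid
   idmap config CAMPUS : range = 10000-999999
"""

# Constructed directory contents: AD knows the user by sAMAccountName and SID;
# the research-computing 389-DS holds a different uidNumber for the same username.
AD_USERS = {"jdoe": "S-1-5-21-1111-2222-3333-1105"}   # sAMAccountName -> objectSid
LOCAL_LDAP_UIDNUMBER = {"jdoe": 20015}                # uid -> uidNumber in 389-DS


def parse_idmap_config(text):
    """Collect 'idmap config <DOMAIN> : <key> = <value>' lines into {DOMAIN: {key: value}}."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
    cfg = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            domain, key, value = m.groups()
            cfg.setdefault(domain.upper(), {})[key.lower()] = value
    return cfg


def rid_to_unix_id(sid, cfg, domain="CAMPUS"):
    """idmap_rid arithmetic: unix_id = RID - base_rid + range_low, and the result must
    lie inside the configured range.

    base_rid defaults to 0 in Samba. A RID that lands outside the range is rejected
    rather than wrapped, which is how winbind behaves as well.
    """
    dom_cfg = cfg[domain]
    low, high = (int(x) for x in dom_cfg["range"].split("-"))
    base_rid = int(dom_cfg.get("base_rid", "0"))
    rid = int(sid.rsplit("-", 1)[1])          # last SID component is the RID
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"{sid}: RID {rid} maps to {unix_id}, outside range {low}-{high}")
    return unix_id


def local_directory_unix_id(username):
    """rfc2307/nss-style mapping: AD authenticates the name, the local directory
    supplies the uidNumber.

    In this illustration the AD username is matched against the local LDAP user
    entry (idmap_rfc2307 in stand-alone mode) or resolved through the NSS passwd
    database (idmap_nss); the uidNumber AD itself may store is never consulted.
    """
    if username not in AD_USERS:
        raise KeyError(f"{username} is not an AD account")
    return LOCAL_LDAP_UIDNUMBER[username]


def compare_mappings(username):
    """Return (rid_uid, local_uid) for one user, showing why the two approaches disagree."""
    cfg = parse_idmap_config(SMB_CONF_RID)
    return rid_to_unix_id(AD_USERS[username], cfg), local_directory_unix_id(username)


if __name__ == "__main__":
    rid_uid, local_uid = compare_mappings("jdoe")
    print(f"jdoe via idmap_rid: {rid_uid}; via local LDAP uidNumber: {local_uid}")
```

For jdoe the rid backend yields 11105 (RID 1105 plus the range floor of 10000) while the local directory says 20015, which is exactly the "new Unix IDs" consequence of moving everything to AD: files already owned by 20015 would need their ownership migrated, whereas the rfc2307/nss route keeps the existing IDs but leaves two directories to manage.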
