[Samba] Understanding ID mapping between a campus AD and a local LDAP
rpenny at samba.org
Tue Mar 23 17:39:44 UTC 2021
On 23/03/2021 17:13, Jonathon A Anderson wrote:
> We cannot stop using our local LDAP at this point. The legacy issue is real--we have a lot of data with the current uidNumbers--but we also have users in our local LDAP that are _not_ in the campus AD, because we have accounts from other institutions as well (stored in different OUs, and tracked via sssd as discrete domains). Those accounts are out-of-scope for this SMB effort, but they do necessitate that we run our own directory server.
> This still leaves me confused as to what the point of Samba idmap is, though, if it's not meant to translate a remote identity by resolving it to a local identity.
OK, there are a few idmap backends:
idmap_ldap is an allocating backend: I do not think you could use this.
idmap_nss maps Unix users and groups to Windows accounts: This would require local Unix users & groups (with the same names) in AD and /etc/passwd & /etc/group, so would use the local IDs. Not really required, as the 'rid' backend will work similarly without the local users & groups.
idmap_rfc2307 reads id mappings from RFC2307 records in an LDAP server: This will use any uidNumber & gidNumber attributes in AD.
idmap_ad reads all RFC2307 records in an AD server.
idmap_rid calculates id mappings from SIDs in an AD server.
idmap_autorid works in a similar way to idmap_rid, but works with
It might help if you post the smb.conf files you have tried.
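To make the distinction between the backends concrete, here is an added example (not Samba code, and not part of the thread) that reproduces the arithmetic the 'rid' backend uses, as documented in idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, with the reverse for ID to SID. The point worth seeing is that 'rid' never consults a directory at all; it derives the uid/gid purely from the SID and the configured range, so pre-existing uidNumbers in a local LDAP are not preserved (that is what the rfc2307 and ad backends are for). The domain SIDs, domain names and ranges below are constructed placeholders, and the `RID_CONFIG` dict, `split_sid`, `sid_to_id`, `id_to_sid` and `ranges_overlap` names are this example's own.

```python
"""Illustration of the idmap_rid mapping arithmetic (added example, not Samba code)."""
import re
from typing import Dict, List, Optional, Tuple

# Per-domain settings, equivalent to the smb.conf lines
#   idmap config SAMDOM  : backend = rid
#   idmap config SAMDOM  : range   = 10000-999999
#   idmap config TRUSTED : backend = rid
#   idmap config TRUSTED : range   = 1000000-1999999
# The domain SIDs are constructed placeholders (assumption), not real domains.
RID_CONFIG: Dict[str, dict] = {
    "S-1-5-21-1111111111-2222222222-3333333333": {
        "name": "SAMDOM", "low": 10000, "high": 999999, "base_rid": 0},
    "S-1-5-21-4444444444-5555555555-6666666666": {
        "name": "TRUSTED", "low": 1000000, "high": 1999999, "base_rid": 0},
}

# Domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a domain account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def sid_to_id(sid: str, config: Dict[str, dict] = RID_CONFIG) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the domain is unknown
    or the result falls outside the configured range (winbind refuses the
    mapping rather than handing out an ID from another domain's range)."""
    dom, rid = split_sid(sid)
    cfg = config.get(dom)
    if cfg is None:
        return None  # unknown domain: would fall through to the '*' default backend
    xid = rid - cfg["base_rid"] + cfg["low"]
    if xid < cfg["low"] or xid > cfg["high"]:
        return None  # RID too large for the range: no mapping
    return xid


def id_to_sid(xid: int, config: Dict[str, dict] = RID_CONFIG) -> Optional[str]:
    """Reverse direction: RID = ID + BASE_RID - LOW_RANGE_ID for whichever
    domain's range contains the ID. Users and groups share one range, so the
    same number is a uid for a user RID and a gid for a group RID."""
    for dom, cfg in config.items():
        if cfg["low"] <= xid <= cfg["high"]:
            rid = xid + cfg["base_rid"] - cfg["low"]
            return f"{dom}-{rid}"
    return None


def ranges_overlap(config: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Sanity check a practitioner wants before deploying: with 'rid' the
    per-domain ranges must not overlap, or two different SIDs would resolve
    to the same Unix ID. Returns the offending (name, name) pairs."""
    items = list(config.values())
    bad = []
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            if a["low"] <= b["high"] and b["low"] <= a["high"]:
                bad.append((a["name"], b["name"]))
    return bad


if __name__ == "__main__":
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1105",   # a user
                "S-1-5-21-1111111111-2222222222-3333333333-513",    # Domain Users
                "S-1-5-21-4444444444-5555555555-6666666666-500",    # Administrator
                "S-1-5-21-1111111111-2222222222-3333333333-990000"):  # out of range
        print(sid, "->", sid_to_id(sid))
    print("overlapping ranges:", ranges_overlap(RID_CONFIG))
```

Because the ID is a pure function of the SID, the same SID yields the same uid on every member server that carries the same `idmap config` lines, which is what makes 'rid' and 'autorid' attractive for fleets of SMB servers; the cost is that the numbers bear no relation to anything already stored in a local LDAP.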