[Samba] Understanding ID mapping between a campus AD and a local LDAP

Rowland penny rpenny at samba.org
Tue Mar 23 17:39:44 UTC 2021

On 23/03/2021 17:13, Jonathon A Anderson wrote:
> We cannot stop using our local LDAP at this point. The legacy issue is real--we have a lot of data with the current uidNumbers--but we also have users in our local LDAP that are _not_ in the campus AD, because we have accounts from other institutions as well (stored in different OUs, and tracked via sssd as discrete domains). Those accounts are out-of-scope for this SMB effort, but they do necessitate that we run our own directory server.
> This still leaves me confused as to what the point of Samba idmap is, though, if it's not meant to translate a remote identity by resolving it to a local identity.

OK, there are a few idmap backends:

idmap_ldap is an allocating backend: I do not think you could use this 
with AD.

idmap_nss maps Unix users and groups to Windows accounts: This would 
require local Unix users & groups (with the same names) in AD and 
/etc/passwd & /etc/group, so would use the local IDs. Not really 
required as the 'rid' backend will work similarly without the local 
users & groups.

idmap_rfc2307 reads id mappings from RFC2307 records in an LDAP server: 
This will use any uidNumber & gidNumber attributes in AD.

idmap_ad reads all RFC2307 records in an AD server

idmap_rid calculates id mappings from SIDs in an AD server

idmap_autorid works in a similar way to idmap_rid, but works with 
multiple domains

It might help if you post the smb.conf files you have tried.
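To make the difference between the backends above concrete, here is an added worked example (not code from Rowland, the thread, or the Samba project) of what the 'rid' backend does: it derives the Unix ID arithmetically from the RID at the end of the account's SID using the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, and never consults any uidNumber stored in a directory, which is exactly why it cannot preserve legacy uidNumbers the way the rfc2307/ad backends can. The script also emits the matching `idmap config` lines for smb.conf and checks that the AD domain's range does not overlap the default `*` range, which Samba rejects. The domain name CAMPUS, the SIDs and the ranges are constructed sample values.

```python
"""
Added example: how Samba's idmap_rid backend turns an AD SID into a Unix ID,
plus the smb.conf 'idmap config' lines that go with it.
Mirrors the formula from idmap_rid(8); this is not Samba's own code.
All SIDs, ranges and the domain name below are constructed sample values.
"""
import re

# A domain SID is S-1-5-21-<three sub-authorities>-<RID>; the RID is last.
_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(4))


def rid_to_unix_id(sid: str, low: int, high: int, base_rid: int = 0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside [low, high]; Samba then
    refuses to map that account, so the range must be wide enough for the
    highest RID the domain will ever issue.
    """
    xid = rid_from_sid(sid) - base_rid + low
    if xid < low or xid > high:
        return None
    return xid


def ranges_overlap(a, b) -> bool:
    """True if two (low, high) idmap ranges overlap; Samba rejects that."""
    return a[0] <= b[1] and b[0] <= a[1]


def idmap_stanza(domain: str, low: int, high: int,
                 default_range=(3000, 7999)) -> str:
    """Build the [global] idmap lines for the rid backend.

    The '*' default domain keeps the allocating tdb backend for BUILTIN
    and well-known SIDs; the AD domain gets rid with its own range.
    """
    if ranges_overlap(default_range, (low, high)):
        raise ValueError("idmap ranges must not overlap")
    return "\n".join([
        "idmap config * : backend = tdb",
        f"idmap config * : range = {default_range[0]}-{default_range[1]}",
        f"idmap config {domain} : backend = rid",
        f"idmap config {domain} : range = {low}-{high}",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real domain.
    user_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    print(idmap_stanza("CAMPUS", 10000, 999999))
    # RID 1105 with LOW_RANGE_ID 10000 gives uid 11105, regardless of any
    # uidNumber the same user has in a local LDAP.
    print(user_sid, "->", rid_to_unix_id(user_sid, 10000, 999999))
```

Running it prints the four `idmap config` lines and the mapping `... -> 11105`. The point for the thread: with 'rid' the Unix ID is a pure function of the SID and the configured range, so the existing uidNumbers in the local LDAP would be ignored; a backend that reads RFC2307 attributes is the only way to keep them.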
