[Samba] Understanding ID mapping between a campus AD and a local LDAP

Jonathon A Anderson jonathon.anderson at colorado.edu
Tue Mar 23 17:50:55 UTC 2021

Here's a copy of our [global] section, with three attempted alternative idmap sections.

backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different than the AD uidNumber.

Neither backend=rfc2307 nor backend=nss appear to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.


dns proxy          = no
encrypt passwords  = yes
kerberos method    = system keytab
load printers      = no
map to guest       = Bad User
max log size       = 5000
passdb backend     = tdbsam
password server    = *
realm              = AD.[redacted]
restrict anonymous = 2
security           = ADS
server string      = %h samba
workgroup          = AD

dos charset  = CP850
unix charset = UTF-8

# idmap config AD : backend            = ad
# idmap config AD : range              = 1000-20000000
# idmap config AD : schema_mode        = rfc2307
# idmap config AD : unix_nss_info      = yes
# idmap config AD : unix_primary_group = yes

idmap config AD : backend = rfc2307
idmap config AD : range = 1000-20000000
idmap config AD : ldap_server = stand-alone
idmap config AD : ldap_url = ldap://ldap.[redacted]
idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]

# idmap config AD : backend  = nss
# idmap config AD : range = 1000-20000000

winbind enum groups        = yes
winbind enum users         = yes
winbind expand groups      = 1
winbind use default domain = yes

log level = 3

From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Tuesday, March 23, 2021 11:39 AM
To: sambalist
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local LDAP

On 23/03/2021 17:13, Jonathon A Anderson wrote:
> We cannot stop using our local LDAP at this point. The legacy issue is real--we have a lot of data with the current uidNumbers--but we also have users in our local LDAP that are _not_ in the campus AD, because we have accounts from other institutions as well (stored in different OUs, and tracked via sssd as discrete domains). Those accounts are out-of-scope for this SMB effort, but they do necessitate that we run our own directory server.
> This still leaves me confused as to what the point of Samba idmap is, though, if it's not meant to translate a remote identity by resolving it to a local identity.

OK, there are a few idmap backends:

idmap_ldap is an allocating backend: I do not think you could use this
with AD.

idmap_nss maps Unix users and groups to Windows accounts: This would
require local Unix users & groups (with the same names) in AD and
/etc/passwd & /etc/group, so would use the local IDs. Not really
required as the 'rid' backend will work similarly without the local
users & groups.

idmap_rfc2307 reads id mappings from RFC2307 records in an LDAP server:
This will use any uidNumber & gidNumber attributes in AD.

idmap_ad reads all RFC2307 records in an AD server

idmap_rid calculates id mappings from SIDs in an AD server

idmap_autorid works in a similar way to idmap_rid, but works with
multiple domains

It might help if you post the smb.conf files you have tried.
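As an added illustration (not part of either message, and not Samba's own code): the arithmetic behind Rowland's one-line description of idmap_rid. Samba's idmap_rid manual documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, with the result required to fall inside the configured range. The SID below is constructed; the range is the 1000-20000000 used in the smb.conf above. It makes concrete why a RID-derived ID is independent of any uidNumber stored in a local LDAP: the number comes purely from the SID, so it can match a locally assigned uidNumber only by coincidence.

```python
import re

# Constructed example SID (domain part is made up); the last component is the RID.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Range from the smb.conf in the thread: idmap config AD : range = 1000-20000000
LOW_RANGE_ID = 1000
HIGH_RANGE_ID = 20000000

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str):
    """Split a full SID into (domain SID, RID).

    The RID is the final sub-authority; everything before it identifies
    the domain. Raises ValueError for strings that are not SIDs.
    """
    if not _SID_RE.match(sid):
        raise ValueError(f"not a valid SID: {sid!r}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def rid_to_unix_id(sid: str, low: int = LOW_RANGE_ID, high: int = HIGH_RANGE_ID,
                   base_rid: int = 0):
    """Apply the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the computed ID falls outside [low, high], which is
    the case where winbind would not hand out a Unix ID for that SID.
    """
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None
    return unix_id


def unix_id_to_rid(unix_id: int, low: int = LOW_RANGE_ID, high: int = HIGH_RANGE_ID,
                   base_rid: int = 0):
    """Inverse mapping: recover the RID from a Unix ID in the configured range.

    Returns None for IDs outside the range (e.g. IDs that came from the
    local LDAP rather than from this idmap backend).
    """
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


if __name__ == "__main__":
    # Well-known RIDs alongside the constructed user RID, to show the spread.
    domain_sid, _ = split_sid(SAMPLE_SID)
    for rid in (500, 512, 513, 1105):
        sid = f"{domain_sid}-{rid}"
        print(f"{sid:<55} -> {rid_to_unix_id(sid)}")
    # A deliberately narrow range makes the out-of-range case visible.
    print("range 1000-2000:", rid_to_unix_id(SAMPLE_SID, low=1000, high=2000))
```

The point for the thread: with `backend = rid`, the Unix ID for a user is a function of the SID alone, and the local directory's uidNumber never enters the calculation. Only the rfc2307/ad backends (which read uidNumber from a directory) or nss (which looks the name up in the local passwd database) can produce a locally assigned number.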

