[Samba] Understanding ID mapping between a campus AD and a local LDAP

Rowland penny rpenny at samba.org
Tue Mar 23 18:46:18 UTC 2021

On 23/03/2021 17:50, Jonathon A Anderson wrote:
> Here's a copy of our [global] section, with three attempted alternative idmap sections.
> backend=ad works as we'd expect, but produces undesired behavior when the local identity uidNumber is different than the AD uidNumber.

You will only find uidNumber attributes in AD or ldap.

> Neither backend=rfc2307 nor backend=nss appear to provide the desired behavior I described earlier, of using the local uid (number) identity of the local user with the same name as the AD user.

OK, the first thing I noticed is that you do not appear to have any 'idmap 
config' lines for the default (*) domain; you must have lines like these:

idmap config * : backend = tdb
idmap config * : range = RANGE

Where 'RANGE' is a range of numbers that do not overlap the 'AD' domain, 
so something like 20000001-20001000

> [global]
> # idmap config AD : backend            = ad
> # idmap config AD : range              = 1000-20000000
> # idmap config AD : schema_mode        = rfc2307
> # idmap config AD : unix_nss_info      = yes
> # idmap config AD : unix_primary_group = yes

The above lines will only work if your users have a uidNumber attribute 
containing a unique number inside the 1000-20000000, your groups have a 
gidNumber inside the same range, Domain Users must have a gidNumber and 
your users must also have a gidNumber attribute containing the gidNumber 
of the group that will be their unix primary group.

> idmap config AD : backend = rfc2307
> idmap config AD : range = 1000-20000000
> idmap config AD : ldap_server = stand-alone
> idmap config AD : ldap_url = ldap://ldap.[redacted]
> idmap config AD : bind_path_user = ou=UCB,ou=People,dc=[redacted]
> idmap config AD : bind_path_group = ou=UCB,ou=Groups,dc=[redacted]

To use the rfc2307 backend, you must have uidNumber & gidNumber 
attributes as per the 'ad' backend, and the 'ldap_server =' should be 'ad'. 
I'm not entirely sure this will work, because AD doesn't use the POSIX 
objectclasses by default, so if the search expects these, it will fail.

> # idmap config AD : backend  = nss
> # idmap config AD : range = 1000-20000000

If you are going to try the 'nss' backend again, try removing 'winbind 
use default domain = yes'.

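The two configuration points raised in the reply above (a default '*' domain must exist with its own backend and range, and no two domains' ranges may overlap) are easy to check mechanically before restarting winbind. The script below is an added example, not Samba's own code or anything from the original thread; the three smb.conf fragments inside it are constructed to mirror the posted layout (no '*' domain), the corrected layout, and an overlapping-range mistake.

```python
"""Check the 'idmap config' lines of an smb.conf for a missing default (*)
domain and for overlapping ID ranges between domains.

Added example, not Samba code.  The sample smb.conf texts at the bottom
are constructed for illustration only."""
import re
from typing import Dict, List, Tuple

# Matches e.g. "idmap config AD : range = 1000-20000000", tolerant of spacing
# around ':' and '='.  smb.conf comment lines start with '#' or ';'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>[a-z_ ]+?)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every active (non-comment) idmap line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("domain").upper()          # '*' is unchanged by upper()
        domains.setdefault(dom, {})[m.group("key").lower()] = m.group("value")
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into integers, rejecting an inverted range."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted range {value!r}")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    domains = parse_idmap(conf)
    findings: List[str] = []

    # 1. The default domain must exist and carry both a backend and a range.
    default = domains.get("*")
    if default is None:
        findings.append("no 'idmap config *' lines: the default domain needs a backend and a range")
    else:
        for key in ("backend", "range"):
            if key not in default:
                findings.append(f"default domain (*) is missing '{key}'")

    # 2. Collect every domain's range.
    ranges = []
    for dom, settings in domains.items():
        if "range" not in settings:
            if dom != "*":                      # '*' was already reported above
                findings.append(f"domain {dom} has no 'range'")
            continue
        try:
            ranges.append((dom, *parse_range(settings["range"])))
        except ValueError as e:
            findings.append(f"domain {dom}: {e}")

    # 3. Every pair of ranges must be disjoint, otherwise winbind cannot tell
    #    which domain a given uid/gid belongs to.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return findings


# Constructed sample: the layout in the quoted post, with no '*' domain.
POSTED_CONF = """
[global]
idmap config AD : backend = ad
idmap config AD : range = 1000-20000000
idmap config AD : schema_mode = rfc2307
"""

# Constructed sample: default domain added, with a range above the AD range.
FIXED_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 20000001-20001000
idmap config AD : backend = ad
idmap config AD : range = 1000-20000000
idmap config AD : schema_mode = rfc2307
"""

# Constructed sample: default domain present but its range overlaps AD's.
OVERLAP_CONF = FIXED_CONF.replace("20000001-20001000", "19999000-20001000")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF), ("overlap", OVERLAP_CONF)):
        print(f"{name}: {check_idmap(conf) or 'OK'}")
```

Run it against your own file with `check_idmap(open("/etc/samba/smb.conf").read())`; it only reads the text, so it is safe to use before `testparm` and a winbind restart. Note that it checks the range layout only, not the attribute requirements (uidNumber, gidNumber, Domain Users' gidNumber) that the 'ad' and 'rfc2307' backends need.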