[Samba] Understanding ID mapping between a campus AD and a local LDAP

Rowland penny rpenny at samba.org
Wed Mar 24 09:13:00 UTC 2021

On 23/03/2021 23:48, Jonathon A Anderson wrote:
> This was still unsuccessful, but hopefully this is enough information for us to figure out what I'm doing wrong.
> Forgive the redactions; I hope they don't get in the way; but if they do let me know. In general, if I'm using the same string as a redaction, the values are the same.
> First, here's my record in AD. (There's more to it, of course, but I think these are the relevant bits.)
> -
> [root at opsdev1 ~]# ldapsearch -LLL -x -H ldap://ad.[redacted]:389 -b ou=people,dc=ad,dc=[redacted] -D 'AD\[myusername]' -W '(sAMAccountName=[myusername])' CN sAMAccountName uidNumber
> Enter LDAP Password:
> dn: CN=[myusername],OU=People,DC=ad,DC=[redacted]
> cn: [myusername]
> sAMAccountName: [myusername]
> uidNumber: 416810
> -

OK, I have been doing a bit of investigation about idmap_nss and I do 
not think it is going to work as is. If you read 'man idmap_nss', you 
will find this:

This example shows how to use idmap_nss to check the local accounts for 
its own domain while using allocation to create new mappings for trusted 

I read this as being that it will only work if you run your samba server 
as a standalone server with a trust to your AD.

Most of the idmap backends were designed before AD and aren't really 
practicable with AD. The main backends that are used with AD are: 'ad', 
'rid' and 'autorid'. For what you are trying to do, I think you need to 
add/change the uidNumber & gidNumber attributes in AD to match the users 
& groups in /etc/passwd and /etc/group, then remove them from 
/etc/passwd and /etc/group, finally use the winbind 'ad' backend.
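As an added example (not code from this thread, and not Samba's own tooling), here is a POSIX shell check for the step described above: before removing accounts from /etc/passwd and switching winbind to the 'ad' backend, confirm that every local account above a chosen UID floor has a matching uidNumber in AD, and flag the ones that do not. The /etc/passwd lines and the LDIF are constructed sample data; the domain dc=ad,dc=example,dc=com, the user names and the smb.conf ranges in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example: compare local /etc/passwd UIDs against uidNumber values
# exported from AD, so that nothing is deleted locally until AD carries the
# same mapping. Sample data below is constructed; in practice use
# /etc/passwd and the output of something like:
#   ldapsearch -LLL -x -H ldap://ad.example.com:389 \
#     -b ou=people,dc=ad,dc=example,dc=com -D 'AD\admin' -W \
#     '(uidNumber=*)' sAMAccountName uidNumber > ad.ldif

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:416810:416810:Alice:/home/alice:/bin/bash
bob:x:416811:416811:Bob:/home/bob:/bin/bash
carol:x:416812:416812:Carol:/home/carol:/bin/bash
svc_backup:x:1500:1500::/var/lib/backup:/sbin/nologin'

# Constructed LDIF as ldapsearch -LLL would print it (attribute order varies,
# so entries are closed on the blank line, not on a fixed attribute).
AD_LDIF_SAMPLE='dn: CN=alice,OU=People,DC=ad,DC=example,DC=com
sAMAccountName: alice
uidNumber: 416810

dn: CN=bob,OU=People,DC=ad,DC=example,DC=com
uidNumber: 416899
sAMAccountName: bob

dn: CN=dave,OU=People,DC=ad,DC=example,DC=com
sAMAccountName: dave
uidNumber: 416813
'

# ldif_to_map LDIF_TEXT -> lines of "sAMAccountName uidNumber"
ldif_to_map() {
    printf '%s\n' "$1" | awk '
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { uid = $2 }
        /^$/                { if (name != "" && uid != "") print name, uid
                              name = ""; uid = "" }
        END                 { if (name != "" && uid != "") print name, uid }
    '
}

# check_idmap PASSWD_TEXT LDIF_TEXT [MIN_UID]
# One line per local account with uid >= MIN_UID (default 1000):
#   OK        name matches AD and the uidNumber is identical
#   MISMATCH  AD has the user but with a different uidNumber
#   MISSING   AD has no uidNumber for this local user
check_idmap() {
    passwd_text=$1
    ldif_text=$2
    min_uid=${3:-1000}
    ad_map=$(ldif_to_map "$ldif_text")
    printf '%s\n' "$passwd_text" | while IFS=: read -r user pw uid rest; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge "$min_uid" ] || continue         # skip system accounts
        ad_uid=$(printf '%s\n' "$ad_map" | awk -v u="$user" '$1 == u { print $2; exit }')
        if [ -z "$ad_uid" ]; then
            printf 'MISSING   %s local uid %s has no uidNumber in AD\n' "$user" "$uid"
        elif [ "$ad_uid" != "$uid" ]; then
            printf 'MISMATCH  %s local uid %s, AD uidNumber %s\n' "$user" "$uid" "$ad_uid"
        else
            printf 'OK        %s uid %s\n' "$user" "$uid"
        fi
    done
}

# idmap_ready: exit 0 only when no local account is MISSING or MISMATCH,
# i.e. when it is safe to drop the local entries and rely on the 'ad' backend.
idmap_ready() {
    ! check_idmap "$@" | grep -q -E '^(MISSING|MISMATCH)'
}

# Once idmap_ready succeeds, remove the local entries and use the 'ad'
# backend. Assumed smb.conf fragment (short domain name AD, ranges chosen so
# that 416810 falls inside the AD range; the '*' range must not overlap it):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config AD : backend = ad
#   idmap config AD : schema_mode = rfc2307
#   idmap config AD : range = 10000-999999

check_idmap "$PASSWD_SAMPLE" "$AD_LDIF_SAMPLE" 1000
```

With the constructed data, alice reports OK, bob MISMATCH (416811 locally, 416899 in AD), and carol and svc_backup MISSING, so idmap_ready fails and nothing should be removed yet. Groups need the same treatment against gidNumber before /etc/group is touched, and the 'ad' range in smb.conf must cover every uidNumber and gidNumber the AD records carry, otherwise winbind will refuse to map them.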

