[Samba] Understanding ID mapping between a campus AD and a local LDAP

Jonathon A Anderson jonathon.anderson at colorado.edu
Wed Mar 24 17:23:42 UTC 2021


> I read this as being that it will only work if you run your samba server
> as a standalone server with a trust to your AD.

How is that different from what I'm trying to do?

~jonathon

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Wednesday, March 24, 2021 3:13 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local LDAP

On 23/03/2021 23:48, Jonathon A Anderson wrote:
> This was still unsuccessful, but hopefully this is enough information for us to figure out what I'm doing wrong.
>
> Forgive the redactions; I hope they don't get in the way; but if they do let me know. In general, if I'm using the same string as a redaction, the values are the same.
>
> First, here's my record in AD. (There's more to it, of course, but I think these are the relevant bits.)
>
> -
> [root at opsdev1 ~]# ldapsearch -LLL -x -H ldap://ad.[redacted]:389 -b ou=people,dc=ad,dc=[redacted] -D 'AD\[myusername]' -W '(sAMAccountName=[myusername])' CN sAMAccountName uidNumber
> Enter LDAP Password:
> dn: CN=[myusername],OU=People,DC=ad,DC=[redacted]
> cn: [myusername]
> sAMAccountName: [myusername]
> uidNumber: 416810
> -


OK, I have been doing a bit of investigation about idmap_nss and I do
not think it is going to work as is. If you read 'man idmap_nss', you
will find this:

This example shows how to use idmap_nss to check the local accounts for
its own domain while using allocation to create new mappings for trusted
domains

I read this as being that it will only work if you run your samba server
as a standalone server with a trust to your AD.

Most of the idmap backends were designed before AD and aren't really
practicable with AD. The main backends that are used with AD are: 'ad',
'rid' and 'autorid'. For what you are trying to do, I think you need to
add/change the uidNumber & gidNumber attributes in AD to match the users
& groups in /etc/passwd and /etc/group, then remove them from
/etc/passwd and /etc/group, finally use the winbind 'ad' backend.

Rowland
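Added here as a worked example (not code from the thread or from Samba): a pre-migration consistency check for the step Rowland describes, comparing local /etc/passwd uids against the uidNumber values stored in AD before the local entries are removed. The idmap range and all sample data are assumptions; the range stands in for the 'idmap config DOM : range' setting the winbind 'ad' backend filters on.

```python
"""Pre-migration check for the approach suggested above: compare local
/etc/passwd uids with uidNumber in AD and flag what idmap_ad would not map.
SAMPLE_PASSWD and SAMPLE_LDIF are constructed data for illustration."""
SAMPLE_PASSWD = """\
alice:x:416810:416810:Alice:/home/alice:/bin/bash
bob:x:416811:416811:Bob:/home/bob:/bin/bash
carol:x:416812:416812:Carol:/home/carol:/bin/bash
"""

# Shaped like the ldapsearch output quoted in the thread (dn lines omitted).
SAMPLE_LDIF = """\
sAMAccountName: alice
uidNumber: 416810

sAMAccountName: bob
uidNumber: 1002

sAMAccountName: dave
uidNumber: 416810
"""

def parse_passwd(text):
    """Map username -> uid from passwd(5) lines."""
    return {l.split(":")[0]: int(l.split(":")[2]) for l in text.splitlines() if l}

def parse_ldif_uids(text):
    """Map sAMAccountName -> uidNumber (None when the attribute is absent)."""
    out = {}
    for entry in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        uid = attrs.get("uidNumber")
        out[attrs["sAMAccountName"]] = int(uid) if uid else None
    return out

def check_mapping(passwd, ad, idmap_range=(400000, 499999)):
    """Problems a switch to the winbind 'ad' backend would hit. idmap_range
    stands in for 'idmap config DOM : range' (assumed); IDs outside it are not mapped."""
    lo, hi = idmap_range
    seen = {}
    problems = {"missing_in_ad": [], "mismatch": [], "out_of_range": [], "collision": []}
    for name, uid in passwd.items():
        if name not in ad:
            problems["missing_in_ad"].append(name)
        elif ad[name] != uid:
            problems["mismatch"].append((name, uid, ad[name]))
    for name, uid in ad.items():
        if uid is None or not lo <= uid <= hi:
            problems["out_of_range"].append((name, uid))
        elif uid in seen:
            problems["collision"].append((seen[uid], name, uid))
        else:
            seen[uid] = name
    return problems
```

Run it against real `getent passwd` output and the ldapsearch results; anything listed under out_of_range or collision will not map cleanly once the local entries are gone.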
