[Samba] IDMAP behaviour

Rowland Penny rpenny at samba.org
Fri Oct 29 21:32:28 UTC 2021


On Fri, 2021-10-29 at 23:10 +0200, Pablo Suarez wrote:
> Hi,
> 
> It's historical. We have a Netapp file server which serves both NFS
> and CIFS for Linux and Windows clients. Netapp has its own
> usermapping system between Linux and Windows. We also have a Linux
> file server using Samba which is sharing a dedicated big disk array
> and the Netapp volumes to a more restricted and secure Network
> environment for Linux and Windows clients.
> 
> I'm using the OpenLdap server because I'm not administrator of the
> Active Directory and actually, the Windows IT department of my
> company refuses to use POSIX attributes in the Active Directory
> schema. Furthermore, I don't want to be dependent on the Windows
> administrators every time I want to do some group modifications. I
> need to respond quickly when users need it.
> 
> Regards.
> 

So to boil it down, you use it for authentication, is this correct?

If so, you do not need the openldap server, just the rid or autorid
winbind backend.

I also do not understand why your IT department will not let you use
the RFC2307 attributes; they are all standard in the AD schema, they do
not have to add them.

Do you have write access to AD ? If so, you could add the RFC2307
attributes yourself with samba-tool, though by the sound of it, this
might upset your IT department.

Samba by itself will not populate your openldap server; you will need
to do this yourself. Your openldap server is just this side of being a
PDC, it only really needs one line removing and another adding.
Unfortunately, if you did make it a PDC, it would need to use SMBv1.
Do you really want to do this?

Rowland
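The rid winbind backend Rowland points to, as an added example that is not part of the thread and not Samba's own code. It prints the idmap lines a domain member would carry in smb.conf and reproduces the backend's arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID) so you can see why no external directory is needed: the uid or gid for any SID is computed, identically on every member server, rather than stored. The domain name, SID values and ranges are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. DOMAIN, the SIDs and the ranges are
# constructed placeholders; adjust them to your own domain.

DOMAIN="EXAMPLE"
LOW=10000
HIGH=999999
BASE_RID=0   # Samba's default for "idmap config DOMAIN : base_rid"

# Print the idmap section a member server would carry in smb.conf.
# The '*' (default) domain uses tdb for BUILTIN and other well-known SIDs;
# the AD domain uses the deterministic rid backend. The two ranges must not
# overlap, or winbind will refuse the configuration.
idmap_smb_conf() {
    cat <<EOF
[global]
    security = ADS
    workgroup = $DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $DOMAIN : backend = rid
    idmap config $DOMAIN : range = $LOW-$HIGH
EOF
}

# Reproduce what the rid backend does with a SID:
#   ID = RID - BASE_RID + LOW_RANGE_ID
# Argument: a full SID such as S-1-5-21-1-2-3-1106. Prints the uid/gid, or
# "out-of-range" (and returns 1) when the result falls outside the configured
# range, which is when winbind would fail to map that SID.
rid_to_id() {
    sid=$1
    rid=${sid##*-}
    id=$((rid - BASE_RID + LOW))
    if [ "$id" -lt "$LOW" ] || [ "$id" -gt "$HIGH" ]; then
        echo "out-of-range"
        return 1
    fi
    echo "$id"
}

# Check that two ranges (low1 high1 low2 high2) do not overlap; returns 0
# when they are disjoint. Use it on the '*' range against each domain range.
ranges_disjoint() {
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Stand-alone run: show the config and map a constructed user SID.
idmap_smb_conf
rid_to_id "S-1-5-21-1-2-3-1106"
ranges_disjoint 3000 7999 "$LOW" "$HIGH" && echo "ranges ok"
```

Because the IDs are computed rather than chosen, they only match what another system (such as a separate usermapping database) uses if that system applies the same arithmetic; if you need specific, hand-picked IDs, that is the case for putting RFC2307 attributes into AD (for example with samba-tool) and using the ad backend instead. Pick the domain range large enough to hold the highest RID your domain will ever issue, and never change it after deployment, as every file already on disk carries the old numbers.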