[Samba] idmap ad question
Rowland Penny
rpenny at samba.org
Tue Feb 14 12:25:10 UTC 2023
On 14/02/2023 11:41, Vaughan, Robert J via samba wrote:
> I am the UNIX admin and don't have a use for all domain users group since all domain users won't be UNIX (or SAMBA) users
Your decision.
>
> What do you mean by "It isn't as if you can have a user group with the same name as the user"? We currently do have group names in UNIX (local and in LDAP) that are the same as a user (not a real person, but a shared/admin type account for an application) - is there some problem for AD with that? I thought all it cared about was the SID?
In AD, all names must be unique: you cannot have a user called 'fred'
and a group called 'fred'.
You also shouldn't have a local Unix user (one in /etc/passwd) called
'fred' and another user in AD called 'fred'. Where 'winbind' appears in
the passwd line in /etc/nsswitch decides which user will be used; they
will never be the same user.
If you do want usergroups, then there is only one way: use the 'rid'
idmap backend and you will get synthetic usergroups. The group isn't
stored anywhere; the 'rid' idmap backend creates it on the fly.
The downside of using the 'rid' idmap backend is that every AD user and
group becomes a Unix user or group.
Now, can I ask what you are actually trying to achieve? What is the
application?
I can then try to advise you if it is possible and if you should be
doing it.
Rowland
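The two name clashes Rowland warns about (a local /etc/passwd user sharing a name with an AD user, and an AD user sharing a name with an AD group) are easy to check for before pointing nsswitch at winbind. The script below is an added example for this thread, not code from the Samba project or from either poster; every input in it (the nsswitch passwd line, the local and AD name lists) is constructed sample data. On a real host you would feed it the passwd: line of /etc/nsswitch.conf, `cut -d: -f1 /etc/passwd`, and the output of `wbinfo -u` and `wbinfo -g` instead.

```shell
#!/bin/sh
# Added example, not from the Samba thread or the Samba project: detect the
# name clashes described above. All data here is constructed sample input.

# Constructed nsswitch passwd line: 'files' is consulted before 'winbind', so a
# local 'fred' shadows the AD 'fred' for every getpwnam() lookup by name.
NSSWITCH_PASSWD="passwd: files [NOTFOUND=continue] winbind"

# Constructed name lists, one name per line (stand-ins for /etc/passwd,
# 'wbinfo -u' and 'wbinfo -g').
LOCAL_USERS="root
fred
appsvc"
AD_USERS="alice
fred
bob"
AD_GROUPS="staff
appsvc
bob"

# Print whichever of 'files' or 'winbind' comes first on a passwd: line. That
# source answers a name lookup first and therefore wins when both know the name.
passwd_winner() {
    printf '%s\n' "$1" | sed 's/^passwd:[[:space:]]*//' | tr -s '[:space:]' '\n' \
        | grep -E '^(files|winbind)$' | head -n 1
}

# Print the names present in both newline-separated lists, sorted. Each list is
# de-duplicated first, so 'uniq -d' on the union reports only cross-list hits.
collisions() {
    { printf '%s\n' "$1" | sort -u; printf '%s\n' "$2" | sort -u; } | sort | uniq -d
}

# Run both checks; return non-zero if any clash exists.
report() {
    status=0
    winner=$(passwd_winner "$NSSWITCH_PASSWD")
    for name in $(collisions "$LOCAL_USERS" "$AD_USERS"); do
        echo "local user '$name' also exists in AD: '$winner' wins in nsswitch, the other copy is unreachable by name"
        status=1
    done
    for name in $(collisions "$AD_USERS" "$AD_GROUPS"); do
        echo "AD user '$name' and AD group '$name' share a name: AD requires names to be unique"
        status=1
    done
    [ "$status" -eq 0 ] && echo "no name clashes found"
    return "$status"
}

if ! report; then
    echo "rename the clashing accounts before relying on winbind lookups"
fi
```

With the sample data the script reports 'fred' (local user versus AD user, with 'files' winning) and 'bob' (AD user versus AD group). A local user and an AD group with the same name ('appsvc' here) is deliberately not flagged, because that is not one of the two clashes the reply describes.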