[Samba] idmap ad question

Rowland Penny rpenny at samba.org
Tue Feb 14 12:25:10 UTC 2023

On 14/02/2023 11:41, Vaughan, Robert J via samba wrote:

> I am the UNIX admin and don't have a use for all domain users group since all domain users won't be UNIX (or SAMBA) users

Your decision.

> What do you mean by "It isn't as if you can have a user group with the same name as the user"?  We currently do have group names in UNIX (local and in LDAP) that are the same as a user (not a real person, but a shared/admin type account for an application) - is there some problem for AD with that?  I thought all it cared about was the SID?

In AD, all names must be unique, you cannot have a user called 'fred' 
and a group called 'fred'

You also shouldn't have a local Unix user (one in /etc/passwd) called 
'fred' and another user in AD called 'fred'. Depending on where 
'winbind' appears in the passwd line in /etc/nsswitch will decide which 
user will be used, they will never be the same user.

If you do want usergroups, then there is only one way, use the 'rid' 
idmap backend and you will get synthetic usergroups, the group isn't 
stored anywhere, the 'rid' idmap backend creates it on the fly.
The downside of using the 'rid' idmap backend is, every AD user and 
group becomes a Unix user or group.

Now, can I ask what you are actually trying to achieve ?
What is the application ?

I can then try to advise you if it is possible and if you should be 
doing it.


More information about the samba mailing list