[Samba] idmap ad question

Rowland Penny rpenny at samba.org
Tue Feb 14 14:29:40 UTC 2023

On 14/02/2023 13:59, Vaughan, Robert J via samba wrote:

> We created the groups we have in UNIX LDAP in AD, gave them the same gidNumber, this seems to work?

Provided they do not exist in /etc/group, you shouldn't have a problem.

>>> Now, can I ask what you are actually trying to achieve ?
>>> What is the application ?
> We will be migrating our UNIX LDAP to AD.  Our UNIX LDAP is used by a few Windows users for shell logins, and by quite a few for SAMBA.  Our environment is Solaris and Red Hat, with Solaris being replaced by Red Hat.
> The users don't have Linux workstations
> Right now production is still using UNIX LDAP
> AD DC are all Windows and managed by another team.  All the users use AD for their Windows client.

Have you tried talking to the Windows sysadmins about the benefits of AD ?
To be honest, you sound like you are saying 'we have always done it this 
way' and are missing the major benefits of running an AD Unix domain member.

> All users are assigned UID by the corp

That shouldn't be a problem, provided they are unique.

> I am testing a Red Hat SAMBA domain member in two modes (via snapshots I can switch back and forth), one with winbind only, and one with winbind using sssd

All that sssd gets you is authentication and you can get that without 
running Samba at all.

If you read this:

You will find this:

Red Hat only supports running Samba as a server with the winbindd 
service to provide domain users and groups to the local system. Due to 
certain limitations, such as missing Windows access control list (ACL) 
support and NT LAN Manager (NTLM) fallback, SSSD is not supported.

It is very simple, if you only require authentication, then run sssd 
without Samba, but if you require shares, then run Samba (with winbind) 
without sssd.
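A small check for the condition mentioned above (the AD groups must not also exist in /etc/group), as an added example that is not part of the thread; it uses constructed sample data in place of a real /etc/group and a real LDAP query against AD, and the sAMAccountName/gidNumber pairs are assumed values:

```python
# Added example (not from the thread): flag AD groups whose name or gidNumber
# collides with a local /etc/group entry before pointing winbind's idmap at AD.

# Constructed sample of a member server's /etc/group.
SAMPLE_ETC_GROUP = """\
root:x:0:
wheel:x:10:alice
devteam:x:5000:alice,bob
ops:x:5001:
"""

# Constructed sample of AD groups given the old UNIX LDAP gidNumbers
# (sAMAccountName -> gidNumber); in practice these come from an LDAP query.
SAMPLE_AD_GROUPS = {
    "devteam": 5000,   # same name and gid as a local group
    "finance": 5001,   # different name, but gid already used locally by 'ops'
    "research": 5002,  # no clash
}


def parse_etc_group(text):
    """Return {name: gid} from /etc/group style text, skipping malformed lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        groups[fields[0]] = int(fields[2])
    return groups


def find_clashes(local_groups, ad_groups):
    """Return (name, gid, reason) for each AD group that a local entry would
    shadow or conflict with under the usual 'group: files winbind' NSS order."""
    local_by_gid = {gid: name for name, gid in local_groups.items()}
    clashes = []
    for name, gid in ad_groups.items():
        if name in local_groups:
            clashes.append((name, gid, f"name also in /etc/group (gid {local_groups[name]})"))
        elif gid in local_by_gid:
            clashes.append((name, gid, f"gid already used locally by '{local_by_gid[gid]}'"))
    return clashes


if __name__ == "__main__":
    local = parse_etc_group(SAMPLE_ETC_GROUP)
    for name, gid, why in find_clashes(local, SAMPLE_AD_GROUPS):
        print(f"{name} (gidNumber {gid}): {why}")
```

Run it against the real /etc/group and the group list pulled from AD once the gidNumbers have been set; anything it reports should be removed from /etc/group or renumbered before switching the member server over.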


More information about the samba mailing list