[Samba] Samba + Winbind help
Rowland Penny
rpenny at samba.org
Mon Dec 1 10:24:16 UTC 2025
On Mon, 1 Dec 2025 10:09:14 +0000
Eric Gurevitz via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> Sorry, I am used to hitting reply all. I also misspelled your name.
> Fixed both.
>
> All we want is AD to authenticate the user and then let nsswitch
> handle UID and GIDs. Vas works by joining the domain with a keytab
> file. It then looks for AD attrs for UNIX that were added to the user
> object:
>
> uidNumber
> gidNumber
> gecos
> homeDirectory
> loginShell
>
Then winbind, using the 'ad' idmap backend will obtain them.
> Vas looks for UNIX group membership in an OU in AD. This all works
> perfectly in Linux.
As I said, winbind can make any AD group into a Unix group. With the
'ad' idmap backend, it is easy to not do this, just give a gidNumber
attribute to those groups that you want to be 'Unix' groups, all other
groups will be ignored. The same goes for users, only give a uidNumber
attribute to those users that you want to be 'Unix' users.
>
> Use case:
>
> On my Linux PC, we have /local/mnt/workspace where users work.
> They want to access this as \\pc\workspace.
> I log into Linux PC as gurevitz and my UID is 82629 and Linux knows
> all my groups as it looks them up in an OU.
Yes winbind can do that.
>
> Now, from my Windows laptop, I login in as gurevitz and my account is
> in the mea.qualcomm.com domain. I connect to \\pc\workspace and the
> user map script makes mea\gurevitz to gurevitz. Perfect, this is
> passed to vasd via /etc/nsswitch.conf. My Linux PC now treats samba
> connections the same way as Linux logins. I am in group VLSI and if
> the directory only allows VLSI members, both Linux access and samba
> respect this.
>
> Eric
>
I cannot remember if you have these lines in your smb.conf files:
vfs objects = acl_xattr
map acl inherit = Yes
But if you have, or if you add them, then you can set extended
permissions to get the same outcome.
Rowland
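As an added illustration (not part of the thread, and not a configuration Rowland or Eric posted), this is how the pieces discussed above fit together in one member-server smb.conf: the 'ad' idmap backend reading uidNumber/gidNumber from AD, winbind taking the shell and home directory from AD instead of templates, the username map that turns mea\gurevitz into gurevitz, and the two ACL lines Rowland mentions. The realm and workgroup are taken from the domain named in the thread; the idmap ranges, the username map path and the share definition are assumptions. Note that Samba's 'ad' backend reads the home directory from the RFC2307 attribute unixHomeDirectory, not from the Windows homeDirectory attribute.

```ini
[global]
    workgroup = MEA
    realm = MEA.QUALCOMM.COM
    security = ADS
    # Use the keytab created at join time for the machine account (assumption: default /etc/krb5.keytab)
    kerberos method = secrets and keytab

    # Turn mea\gurevitz into the local name gurevitz (path is an assumption)
    username map = /etc/samba/user.map

    # Default range for any domain without its own idmap config (well-known SIDs, BUILTIN, etc.)
    # Ranges must not overlap.  Values are assumptions.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The MEA domain: read uidNumber/gidNumber straight from AD.
    # Users without uidNumber, and groups without gidNumber, are ignored by winbind.
    # The range must cover the IDs actually stored in AD (82629 in the thread); values are an assumption.
    idmap config MEA : backend = ad
    idmap config MEA : schema_mode = rfc2307
    idmap config MEA : range = 10000-999999
    # Take loginShell and unixHomeDirectory from AD instead of the template_* settings
    idmap config MEA : unix_nss_info = yes

    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind enum users = no
    winbind enum groups = no

    # The two lines from the reply above: store NT ACLs in xattrs and
    # honour inheritance, so Windows-side permissions match Linux access
    vfs objects = acl_xattr
    map acl inherit = yes

[workspace]
    # Exported as \\pc\workspace (assumption: share name chosen to match the use case)
    path = /local/mnt/workspace
    read only = no
```

After restarting winbind, `getent passwd gurevitz` and `id gurevitz` should show the AD-supplied UID, shell and home directory, and `getent group VLSI` should list only the members that AD holds for that group; if `getent` returns nothing while `wbinfo -i gurevitz` works, the usual cause is that the AD uidNumber falls outside the configured range or /etc/nsswitch.conf does not list winbind.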