Re: [Samba] idmap config ad: can't resolve domain users' uids
- Date: Fri, 16 Feb 2018 14:14:11 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap config ad: can't resolve domain users' uids
On Fri, 16 Feb 2018 14:26:57 +0100
Francesco Malvezzi via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On 16/02/18 13:43, Rowland Penny via samba wrote:
> > On Fri, 16 Feb 2018 13:10:16 +0100
> > Francesco Malvezzi via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> So just to recap: there were two problems:
> >> 1) the syntax mistake in smb.conf pointed up before;
> > This wouldn't have helped.
> >> 2) a logical mistake because wbinfo can't possibly work without
> >> the full setup that includes the nss part.
> > No, wbinfo will work without the libnss_winbind links, but the OS
> > will not know who the AD users & groups are without the links.
> Rowland, you are helping me a lot.
> Let me make a step backwards.
> The problem is bugging me is to allow Domain Users to access samba
> shares (on a linux os) and to create file with the same uidNumber I
> have put in the AD directory.
> Domain Users have been exported from a samba3-ldap domain.
> In a samba3-ldap domain the trick to have files with the same
> ownership was to record the uidNumber data in the OpenLDAP.
> How does it work in samba4? I started with
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I
> have been populating the users' uidNumber ad attribute and the groups'
Let's see if I can explain it for you ;-)
If you use a DC as a fileserver (by the way, lots of people do not
recommend doing this), by default users & groups are assigned
xidNumber attributes in the '3000000' range. These 'xidNumbers' are
stored in 'idmap.ldb'.
You can override these 'xidNumber' attributes by giving your users a
unique 'uidNumber' and groups a 'gidNumber'.
If you want the OS to know who the users and groups are, you will need
something to extract the data from either 'idmap.ldb' or AD, Samba
uses the libnss_winbind links, other methods are available.
See here for how to set up the links:
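As an added example (not from this thread or from the Samba project), the following Python script shows the check I would run on a domain member that uses the 'ad' idmap backend: the 'idmap config DOM : range' lines are parsed out of smb.conf, and every user's uidNumber is tested against that range, because with the 'ad' backend a user whose uidNumber is missing or lies outside the configured range is simply not mapped, which looks exactly like "can't resolve domain users' uids". The smb.conf fragment and the user entries are constructed sample data; the domain name EXAMPLE and the uid values are placeholders.

```python
import re

# Constructed smb.conf fragment for a domain member (sample data, not from the thread).
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
"""

# Constructed AD entries: (sAMAccountName, uidNumber). None means the
# attribute was never populated after the samba3-ldap migration.
AD_USERS = [("alice", 10001), ("bob", 1002), ("carol", None)]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg

def parse_range(value):
    """'10000-999999' -> (10000, 999999); raises on a malformed range."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"range low bound above high bound: {value}")
    return lo, hi

def check_users(cfg, domain, users):
    """Classify each user's uidNumber against the domain's 'ad' backend range."""
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad":
        raise ValueError(f"{domain}: idmap backend is not 'ad'")
    lo, hi = parse_range(dom["range"])
    result = {}
    for name, uid in users:
        if uid is None:
            result[name] = "no uidNumber: not mapped by the ad backend"
        elif lo <= uid <= hi:
            result[name] = "ok"
        else:
            result[name] = f"uidNumber {uid} outside range {lo}-{hi}: not mapped"
    return result
```

Run it against a copy of your real smb.conf and the uidNumber values you exported; any entry that is not "ok" will not appear in 'getent passwd' even with the libnss_winbind links in place.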