Hey all,
I'm having some trouble figuring out ID mapping between AD and LDAP. Basically
I've done what is described in this doc:
http://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP
because it comes very close to what I need. Only Samba is aware of AD, and because
uids are kept aligned between my AD and LDAP, ACLs for users work just fine.
Groups however are not kept aligned between LDAP and AD. For instance, I have
a group in LDAP called "it_unix_posixgroup" and via some middleware that I
basically don't have control over, the group gets created in AD as "it_unix"
with the same exact membership.
So after reading through the manual I came across Chapter 12: Group Mapping: MS
Windows and UNIX
(http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html)
and after doing:
net groupmap add ntgroup="it_unix" unixgroup=it_unix_posixgroup type=d
[root@fsrv-test ~]# net groupmap list verbose
it_unix
SID : S-1-5-21-3545410113-2264454557-1592041950-11805
Unix gid : 5402
Unix group: it_unix_posixgroup
Group type: Domain Group
Comment : Domain Unix group
I am a member of both AD/LDAP versions of the group.
The test share I have has permissions as follows:
drwxrws--- 2 sli it_unix_posixgroup 4096 Aug 17 16:20 .
drwxr-xr-x 5 root root 4096 Jul 9 09:26 ..
-rwxrwxr--+ 1 sli it_unix_posixgroup 9 Aug 17 11:56 creating_a_newfile.txt
But I'm not able to access the share. I am only able to access the share when
I create an "it_unix_posixgroup" in Active Directory; then everything works
fine. Am I missing something about group mapping? Also, I had this working
before, but I managed to get winbind to map groups from AD into
winbindd_idmap.tdb, and I was able to give out group perms for groups that
existed in AD but not in LDAP. I've started over since, and now I can't get
winbindd_idmap.tdb to populate with group data from AD. I've even tried making
the nsswitch.conf entries look over at winbind, but nothing gets mapped over,
and I really don't want this behavior: I only want Samba authenticating against
AD and everything else LDAP (as described in that Samba wiki).
Smb.conf:
[global]
#--authconfig--start-line--
# Generated by authconfig on 2009/02/20 16:37:18
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = SKUNKTEST
realm = SKUNKTEST.LOCAL
security = ads
preferred master = no
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
server string = Samba RnD Server
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind enum groups = Yes
winbind enum users = no
idmap uid = 15000-20000
idmap gid = 15000-20000
[foo]
comment = A Shared Drive
read only = no
path = /samba/arwin
The relevant entries in nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap winbind
Should the setup above populate winbindd_idmap.tdb with groups from AD?
Thanks,
Arwin
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba