I'm deploying a fileserver running Samba 3.0.2a in an environment that
contains NT and UNIX users. I'd like to have my fileserver set up as
- Users connecting to the fileserver from NT boxes are authenticated against
the Win2K ADS Domain Controller.
- Users connecting to the fileserver from other UNIX boxes are authenticated
locally using NIS and access the shared volume via NFS.
Each user has an account on the Win2K ADS Domain, and also an account on the
NIS server. I have this setup running now, but there's one problem: When
the user accesses a file from a Windows client it's accessed using the
UID/GID generated by winbind, but when the user accesses a file from a UNIX
client it's accessed using the NIS UID/GID. Effectively they have different
I'd like this fileserver set up so that files created from either type of
client have the same ownership. Basically I need to somehow map my ADS
UID/GID's to my UNIX UID/GID's. I've looked around in the docs and on the
web and can't find an answer (other than warnings that the winbind UIDs
should *not* map to existing UNIX UIDs - but this is what I want!). I know
from working with NetApps in the past that there is a way to configure those
fileservers so that they attempt to do a username match from NT to/from
UNIX, and if the same named user exists, then it will use the same UID/GID.
I really want a way to set up a mapping file or something to the effect of
# NT user UNIX user
It is *not* important that users have login accounts on the fileserver ...
so one idea I had was this:
- Remove NIS from the nsswitch.conf entries on the fileserver.
- Edit my /etc/passwd file on my NIS server so that UID/GID entries for a
user are the same as the ones generated by winbind
Will this work? Will I run into a problem down the road if I add a new
fileserver (if winbind's SID->UID/GID mapping is not the same on that new
Thanks in advance,
I think you have two options: use winbind and bin NIS, or vice versa.
If you choose to use winbind as you identified you have to worry about mappings being different on individual
Samba servers, the only way to get around this currently is to use LDAP as your idmap backend. This stores
the UID to SID mappings centrally for multiple Samba servers to share.
If you choose to use NIS you will have to mess around with smbpasswd and net groupmap to make users and
groups visible as valid accounts for Samba. Also your NTLM passwords will not be synced to the domain, but
Kerberos auth will work seamlessly. AFAIK
Hope that helps,
BBCi at http://www.bbc.co.uk/
Thanks. I did a little more poking around and it seems like I'm leaning
towards using winbind as my definitive authorization for this server and
removing NIS from the fileserver. If I do this, I'll need to get LDAP up
and running to control the mapping of SID -> UID so my NT SIDs map to my NIS
UIDs for UNIX NFS clients that mount the volume(s). I've seen several
descriptions of how to get the Samba side up (basically use the "idmap
backend" option in smb.conf), but I'm completely new to LDAP, and I haven't
found a simple description of how to set up a minimal LDAP server (probably
using OpenLDAP) on my linux box that would just contain the SID->UID
Does anyone have a simple example configuration for OpenLDAP that they would
like to share? You can post, or email me directly at: loope...@yahoo.com
Thanks in advance,
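One way to seed the LDAP idmap store so that winbind hands out the NIS UID/GID for each same-named AD account, written as an added example (not code from this thread or from the Samba project). It assumes the NIS data is in passwd/group format (as `ypcat passwd` / `ypcat group` print it), that the AD SIDs were collected by hand (for instance one `wbinfo -n NAME` per account), and that the container named in `ldap idmap suffix` and the `sambaIdmapEntry` / `sambaUnixIdPool` object classes from samba.schema are used as shown; the LDAP suffix and the sample accounts are constructed. It also applies the range check that comes up later in the thread: an ID outside `idmap uid` / `idmap gid` is reported instead of written, and the pool's next-free values are placed above every NIS ID in range so that IDs winbind allocates for AD-only accounts cannot collide with existing NIS accounts.

```python
"""Pre-populate a Samba 3.0 'idmap backend = ldap' store so that winbind
maps each AD SID to the UID/GID the same-named account already has in NIS.

Added example, not code from the thread. Assumed: NIS data is in
passwd/group format (e.g. `ypcat passwd`), AD SIDs were collected by hand
(e.g. one `wbinfo -n NAME` per account), and the LDAP container plus the
sambaIdmapEntry/sambaUnixIdPool object classes from samba.schema are used
as shown below.
"""
import re
from typing import Dict, List, Tuple

# --- constructed sample input (not real data) ---------------------------
NIS_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:x:70000:100:Carol:/home/carol:/bin/sh
"""
NIS_GROUP = """\
wheel:x:50:alice
users:x:100:alice,bob,carol
eng:x:200:alice
"""
AD_USER_SIDS = {                         # name -> SID, as `wbinfo -n` reports
    "alice": "S-1-5-21-111-222-333-1105",
    "bob":   "S-1-5-21-111-222-333-1106",
    "dave":  "S-1-5-21-111-222-333-1107",  # exists in AD only
}
AD_GROUP_SIDS = {
    "wheel": "S-1-5-21-111-222-333-1200",
    "users": "S-1-5-21-111-222-333-513",
    "eng":   "S-1-5-21-111-222-333-2001",
}
IDMAP_SUFFIX = "ou=Idmap,dc=example,dc=com"  # assumed 'ldap idmap suffix'
IDMAP_UID = (1000, 65000)                    # must equal 'idmap uid' in smb.conf
IDMAP_GID = (100, 65000)                     # must equal 'idmap gid' in smb.conf
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def parse_nis_map(text: str) -> Dict[str, int]:
    """'name:x:ID:...' lines (passwd or group format) -> {name: ID}."""
    ids: Dict[str, int] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            ids[fields[0]] = int(fields[2])
    return ids


def build_idmap(nis_ids: Dict[str, int], sids: Dict[str, str],
                id_range: Tuple[int, int], kind: str):
    """Pair each AD SID with the NIS id of the same-named account.

    Returns (mappings, problems).  Only ids inside id_range are accepted,
    since winbind will not use idmap entries outside 'idmap uid/gid'.
    """
    lo, hi = id_range
    mappings: List[Tuple[str, int]] = []
    problems: List[str] = []
    used: Dict[int, str] = {}
    for name, sid in sorted(sids.items()):
        if not SID_RE.match(sid):
            problems.append(f"{name}: malformed SID {sid!r}")
        elif name not in nis_ids:
            problems.append(f"{name}: no NIS {kind}, winbind will allocate one")
        elif not lo <= nis_ids[name] <= hi:
            problems.append(f"{name}: NIS {kind} {nis_ids[name]} outside idmap range {lo}-{hi}")
        elif nis_ids[name] in used:
            problems.append(f"{name}: {kind} {nis_ids[name]} already mapped to {used[nis_ids[name]]}")
        else:
            used[nis_ids[name]] = name
            mappings.append((sid, nis_ids[name]))
    return mappings, problems


def next_free(nis_ids: Dict[str, int], id_range: Tuple[int, int]) -> int:
    """First id above every in-range NIS id, so ids winbind allocates for
    AD-only accounts never collide with an existing NIS account."""
    lo, hi = id_range
    inside = [i for i in nis_ids.values() if lo <= i <= hi]
    return (max(inside) if inside else lo - 1) + 1


def idmap_ldif(uid_map, gid_map, next_uid: int, next_gid: int,
               suffix: str = IDMAP_SUFFIX) -> str:
    """LDIF for the pool entry plus one sambaIdmapEntry per mapping."""
    ou = suffix.split(",")[0].split("=")[1]
    out = [f"dn: {suffix}\nobjectClass: organizationalUnit\n"
           f"objectClass: sambaUnixIdPool\nou: {ou}\n"
           f"uidNumber: {next_uid}\ngidNumber: {next_gid}"]
    for attr, pairs in (("uidNumber", uid_map), ("gidNumber", gid_map)):
        for sid, unix_id in pairs:
            out.append(f"dn: sambaSID={sid},{suffix}\nobjectClass: sambaIdmapEntry\n"
                       f"objectClass: sambaSidEntry\nsambaSID: {sid}\n{attr}: {unix_id}")
    return "\n\n".join(out) + "\n"


def generate():
    """Return (ldif_text, list_of_skipped_accounts) for the sample data."""
    users = parse_nis_map(NIS_PASSWD)
    groups = parse_nis_map(NIS_GROUP)
    uid_map, p1 = build_idmap(users, AD_USER_SIDS, IDMAP_UID, "uid")
    gid_map, p2 = build_idmap(groups, AD_GROUP_SIDS, IDMAP_GID, "gid")
    ldif = idmap_ldif(uid_map, gid_map,
                      next_free(users, IDMAP_UID), next_free(groups, IDMAP_GID))
    return ldif, p1 + p2


if __name__ == "__main__":
    ldif, problems = generate()
    print(ldif)   # e.g. save and load with: ldapadd -x -D <admin dn> -W -f idmap.ldif
    for p in problems:
        print("# skipped:", p)
```

Run it once per Samba server before starting winbind, loading the output against the same LDAP server each server points at; every entry that ends up in the "skipped" list is an account whose files would still get a winbind-allocated ID (or no mapping at all) and should be fixed in NIS or in the idmap ranges first.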
What you're trying to accomplish is exactly the same thing that I've done on my
network. The solution that I'm using is to use AD4Unix. This modifies the AD
LDAP-tree, so that you can add UID and GID entries for every user and group
through a new tab that appears in user manager. The only problem is that if
you've got a bunch of users, you need to manually allocate their UIDs and to
every new user you add, you need to enable their "UNIX settings". So after
installing it, you need to go through each and every user to enable their UNIX
settings... However, it's only a few clicks per user...
On the samba server you simply use LDAP for passwd and group entries in
nsswitch and use the AD server as the LDAP. Then you need to configure winbind
with "winbind trusted domains only = yes". However, this doesn't work out of
the box on Samba 3.0.2a, because there seems to be a bug with returning
incorrect SIDs, but I made a quick hack to Samba to make it work. I've been
using this configuration since Samba 3.0.0, but the earlier versions required a
bit more tinkering as there wasn't such a thing as "winbind trusted domains
The good side with this configuration is that you don't need to have an idmap
backend and every bit of configuration is simply done through the user manager.
The bad side is that modifying the AD LDAP-tree prevents you from updating the
operating system on the AD server. There's some patch from M$ to make updating
work, but you can't find it on their website; the only way to get it is to
contact their customer support. I don't know why this is made so hard...
The other good thing is that you can add UNIX workstations to the network and
let them authenticate through kerberos to the AD and share the files on the
samba server to them through NFS. This way all user management both for the
UNIX and windows workstations is done on the AD server. This makes it easy to
integrate UNIX workstations to the windows network and you don't have to
install Samba on any of the UNIX workstations.
If you need more info you can e-mail me and I'll give you more detailed
information of how to make it work.
Just apply the attached patch to samba. The file to patch is:
Then remember to put the following to your smb.conf:
winbind trusted domains only = yes
winbind use default domain = no (might be unneeded this just happens to be in
my config, because I needed it for my previous hack before the trusted domains
only stuff got implemented...)
Then specify the idmap ranges, so that they cover every uid and gid you specify
in AD4Unix. I myself use:
idmap uid = 1000-65000
idmap gid = 1000-65000
which covers my userbase quite well. I just traced the SID problem to that "if"
in the source, and that "if" is probably there for a reason, or it's simply a bug
and tests for the exact opposite of what it should. I tried to post about it to the
technical mailing-list, but I didn't get any comments about it, so dunno. I
hope it doesn't mess up anything, but I've been running my previous hack on a
production server since august and haven't had any problems.