Hey all,

I'm having some trouble figuring out ID mapping between AD and LDAP. Basically I've done what is described in this doc: http://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP because it comes very close to what I need. Only Samba is aware of AD, and because uids are kept aligned between my AD and LDAP, ACLs for users work just fine. Groups, however, are not kept aligned between LDAP and AD. For instance, I have a group in LDAP called "it_unix_posixgroup", and via some middleware that I basically don't have control over, the group gets created in AD as "it_unix" with the exact same membership.

So after reading through the manual I came across Chapter 12: Group Mapping: MS Windows and UNIX (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html) and did:

    net groupmap add ntgroup="it_unix" unixgroup=it_unix_posixgroup type=d

    [root at fsrv-test ~]# net groupmap list verbose
    it_unix
        SID       : S-1-5-21-3545410113-2264454557-1592041950-11805
        Unix gid  : 5402
        Unix group: it_unix_posixgroup
        Group type: Domain Group
        Comment   : Domain Unix group

I am a member of both the AD and LDAP versions of the group. The test share I have has permissions as follows:

    drwxrws---  2 sli  it_unix_posixgroup 4096 Aug 17 16:20 .
    drwxr-xr-x  5 root root               4096 Jul  9 09:26 ..
    -rwxrwxr--+ 1 sli  it_unix_posixgroup    9 Aug 17 11:56 creating_a_newfile.txt

But I'm not able to access the share. I am only able to access the share when I create an "it_unix_posixgroup" group in Active Directory; then everything works fine. Am I missing something about group mapping?

Also, I had this working before: I managed to get winbind to map groups from AD into winbindd_idmap.tdb and was able to give out group perms for groups that existed in AD but not in LDAP. I've started over since, and now I can't get winbindd_idmap.tdb to populate with group data from AD.

I've even tried making the nsswitch.conf entries look over at winbind, but nothing gets mapped over, and I really don't want this behavior anyway: I only want Samba authenticating against AD and everything else LDAP (as described in that Samba wiki).

smb.conf:

    [global]
    #--authconfig--start-line--
    # Generated by authconfig on 2009/02/20 16:37:18
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future
    workgroup = SKUNKTEST
    realm = SKUNKTEST.LOCAL
    security = ads
    preferred master = no
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    server string = Samba RnD Server
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind enum groups = Yes
    winbind enum users = no
    idmap uid = 15000-20000
    idmap gid = 15000-20000

    [foo]
    comment = A Shared Drive
    read only = no
    path = /samba/arwin

The relevant entries in nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group:  files ldap winbind

Should the setup above populate winbindd_idmap.tdb with groups from AD?

Thanks,
Arwin