Jonathon A Anderson
2021-Mar-23 14:43 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
We're trying to get ID mapping set up between a campus AD and our internal LDAP. I've tried both idmap_rfc2307 and idmap_nss backends; but if my LDAP uidNumber doesn't match my AD uidNumber, mapping doesn't appear to work. This surprises me because the _names_ match (AD sAMAccountName and LDAP uid (name)), and I thought that the whole point of idmap was to translate an AD username into a UNIX uidNumber. What am I misunderstanding or doing wrong?

For example, when using idmap_nss, I see that it's trying to call getpwuid with my AD uidNumber, rather than with my LDAP uidNumber.

I feel like I'm missing something fundamental about how idmap works and what it's for if it's trying to look up a local identity by the AD uidNumber rather than by the LDAP uidNumber or uid (name).

Thanks for your attention and advice.

~jonathon
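For reference, here is what an idmap_rfc2307 configuration against a stand-alone LDAP server looks like. This is an added illustration, not a configuration from the thread or from either poster; the domain name, realm, LDAP URL, base DNs, bind DN and ID range are assumed. With this backend winbind first resolves the SID to the AD account name and then searches the stand-alone LDAP tree for the entry whose uid attribute carries that name, taking its uidNumber/gidNumber from LDAP; the uidNumber attribute on the AD object plays no part. One check worth making is the range line: only LDAP IDs inside the configured range are accepted, so an LDAP uidNumber outside it leaves the SID unmapped even when the names match.

```ini
# smb.conf fragment (constructed example, not from the original post).
# Assumed names: AD domain CAMPUS / realm CAMPUS.EXAMPLE.EDU, a stand-alone
# LDAP at ldap://ldap.internal.example.edu with posixAccount entries under
# ou=People,dc=example,dc=edu and posixGroup entries under ou=Group,...
[global]
    security = ads
    workgroup = CAMPUS
    realm = CAMPUS.EXAMPLE.EDU

    # Default domain (BUILTIN and other non-CAMPUS SIDs): allocate from a local
    # tdb in a range that cannot collide with the LDAP-assigned IDs below.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    # Campus AD: SID -> sAMAccountName via AD, then "uid=<name>" under
    # bind_path_user in the stand-alone LDAP -> uidNumber/gidNumber.
    # The AD object's own uidNumber is not consulted by this backend.
    idmap config CAMPUS : backend = rfc2307
    idmap config CAMPUS : ldap_server = stand-alone
    idmap config CAMPUS : ldap_url = ldap://ldap.internal.example.edu
    idmap config CAMPUS : bind_path_user = ou=People,dc=example,dc=edu
    idmap config CAMPUS : bind_path_group = ou=Group,dc=example,dc=edu

    # Bind DN used for the LDAP search (assumed name). Its password is not
    # kept in smb.conf; store it in secrets.tdb with:
    #   net idmap set secret CAMPUS '<password>'
    # Omit ldap_user_dn to search anonymously instead.
    idmap config CAMPUS : ldap_user_dn = cn=winbind,ou=Services,dc=example,dc=edu

    # Only uidNumber/gidNumber values inside this range are accepted as
    # mappings; an LDAP uidNumber outside it is rejected and the SID stays
    # unmapped. The range must cover the IDs actually assigned in LDAP and
    # must not overlap the "*" range or local /etc/passwd accounts.
    idmap config CAMPUS : range = 10000-2999999
```

To verify a single account end to end after restarting winbind: `wbinfo -n 'CAMPUS\jdoe'` should return the SID from AD, `wbinfo --sid-to-uid <that SID>` should return the uidNumber from LDAP (not the one on the AD object), and `getent passwd 'CAMPUS\jdoe'` should show the same number; if the second step fails while the first succeeds, compare the LDAP uidNumber against the configured range and the search base before looking anywhere else.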
Rowland penny
2021-Mar-23 15:00 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 14:43, Jonathon A Anderson via samba wrote:
> We're trying to get ID mapping set up between a campus AD and our internal LDAP. I've tried both idmap_rfc2307 and idmap_nss backends; but if my LDAP uidNumber doesn't match my AD uidNumber, mapping doesn't appear to work. This surprises me because the _names_ match (AD sAMAccountName and LDAP uid (name)), and I thought that the whole point of idmap was to translate an AD username into a UNIX uidNumber. What am I misunderstanding or doing wrong?
>
> For example, when using idmap_nss, I see that it's trying to call getpwuid with my AD uidNumber, rather than with my LDAP uidNumber.
>
> I feel like I'm missing something fundamental about how idmap works and what it's for if it's trying to look up a local identity by the AD uidNumber rather than by the LDAP uidNumber or uid (name).
>
> Thanks for your attention and advice.
>
> ~jonathon
>

It sounds like you are trying to map users & groups from two places at once; if this is the case, I don't think it is ever going to work.

What do you use the LDAP for?

Rowland