From: Ray Van Dolson <rvandolson at esri.com>
Date: Tue, 30 Aug 2011 22:40:54 -0700
> I am using either DOMAIN or ADS for authentication and am trying to
> understand how UID/GID mapping rules are triggered.
>
> This[1] seems to suggest that if I do not specify the idmap uid/gid
> parameters in smb.conf, then authenticated usernames are mapped to
> "local" user accounts having the same name.
>
> If, however, I _do_ specify idmap uid/gid then one of the idmap_*
> allocator modules is used.
>
> Is my understanding correct there?
Yes,
> We have a mixed NIS/AD environment, and in most cases we do not use
> idmap parameters and, as such, rely on the existence of an NIS account
> to map UID/GID's. However, when users attempt to set permissions from
> Windows, it appears that a SID is passed to Samba which is unable to
> map it into a valid file system ACL and the permissions aren't actually
> set.
>
> The only workaround I've found is to enable idmap so these SID's can be
> resolved properly to NSS-sourced (in our case, NIS or local accounts)
> UID/GID's.
>
> I do something like this:
>
> idmap backend = tdb
>
> # Users without NIS accounts are assigned random UID/GID's from the
> # following pool (assuming they're allowed to connect)
> idmap uid = 1000000-10000000
> idmap gid = 1000000-10000000
>
> # NIS users should never have UID/GID > 599999
> idmap config DOMAIN : backend = nss
> idmap config DOMAIN : range = 0-599999
>
> This seems to work, but I'm looking to confirm that I have the correct
> understanding.
I think idmap_nss was prepared just for an environment like yours,
using both NIS or LDAP and Winbind.
---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
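As an added example (not part of the thread), a small Python check for the smb.conf layout Ray describes: it pulls out the idmap ranges and flags a per-domain range that overlaps the default allocator range, since Samba requires idmap ranges to be disjoint and an overlap would let one UID/GID belong to two different mappings. The embedded smb.conf is a constructed fragment modelled on the post; the parser accepts both the legacy "idmap uid/gid" lines and the "idmap config * : range" spelling used by newer Samba.

```python
import re

# Constructed smb.conf fragment modelled on the configuration in the post:
# legacy default range via "idmap uid/gid", NSS-backed range for DOMAIN.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ads
   idmap backend = tdb
   idmap uid = 1000000-10000000
   idmap gid = 1000000-10000000
   idmap config DOMAIN : backend = nss
   idmap config DOMAIN : range = 0-599999
"""

# Matches "idmap uid = lo-hi", "idmap gid = lo-hi" and
# "idmap config NAME : range = lo-hi" (NAME may be a domain or "*").
RANGE_RE = re.compile(
    r"^\s*idmap\s+(uid|gid|config\s+(\S+)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I,
)

def parse_idmap_ranges(conf):
    """Return a list of (name, lo, hi); the legacy uid/gid lines are named '*'."""
    found = []
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            name = "*" if m.group(2) is None else m.group(2).upper()
            found.append((name, int(m.group(3)), int(m.group(4))))
    return found

def check_ranges(ranges):
    """List malformed ranges and overlaps between differently named ranges
    (uid and gid lines share the name '*', so they are not compared)."""
    problems = [f"{n}: low end {lo} above high end {hi}"
                for n, lo, hi in ranges if lo > hi]
    for i, (n1, lo1, hi1) in enumerate(ranges):
        for n2, lo2, hi2 in ranges[i + 1:]:
            if n1 != n2 and lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{n1} {lo1}-{hi1} overlaps {n2} {lo2}-{hi2}")
    return problems

def which_range(ranges, xid):
    """Name of the range a UID/GID on disk falls in, or None if unmapped."""
    for name, lo, hi in ranges:
        if lo <= xid <= hi:
            return name
    return None

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print(ranges, check_ranges(ranges) or "ranges OK")
```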