On Sat, 2021-10-30 at 00:46 +0200, Pablo Suarez wrote:> Correct, openldap server is used for authentication and also for
> filesystem permissions on filesystems's NFS shares.
Then you do not really require the openldap server.
>
> I don't understand either why they are note using the RFC2307
> attributes. I'm not seeing these attributes when fetching user
> information with an LDAP search request on AD. Unfortunately, I don't
> have write access on it.
>
> By "populating", I meant just write in the "Idmap
Organisation Unit"
> on the OpenLdap server (when using idmap ldap backend) in order to
> maintain and store the user map beetwen SID and uid... Of course my
> OpenLdap already have lots of users and groups on it.
Your problem will be that they will get new ID's.
>
> For example, I thaught winbind compares linux username and
> SamacountName value, and if it matchs, it associates the same Linux
> uid with the SID.
In your setup (which is the old way of doing it) you will need local
unix users and AD users. but with the rid, autorid or ad backends, you
do not need local Unix users. For instance if I run 'cat /etc/passwd |
grep 'rowland' , I do not get output, but getent shows me as a Unix
user:
rowland at devstation:~$ cat /etc/passwd | grep 'rowland'
rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> So, when a windows users try to write on a Linux file system through
> Samba, the Linux uid is used on the file system. Is that possible? I
> was completely wrong? So, how does the user mapping works?
Try reading these:
man idmap_rid
man idmap_autorid
man idmap_ad
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
https://wiki.samba.org/index.php/Idmap_config_autorid
>
>
> I will try what you suggested to me with the rid or autorid backend
> and see if it act like I want.
>
> Sorry if I'm not clear but my english is no so good...
Good enough to understand :-)
Rowland