Idmap config ad: Difference between revisions
Mmuehlfeld (talk | contribs) (Rewrote page. Clearer structure, removed a lot of duplicate content, refreshed examples, added admonitions,)
m (/* Updated warning)
(32 intermediate revisions by 3 users not shown)
The following section appears in the previous revision only and is no longer part of the page:

= Using the <code>ad</code> Back End on a Samba AD Domain Controller =

Samba 4.0 and 4.1 used a new <code>Winbind</code> implementation built into the <code>samba</code> command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the <code>winbindd</code> utility to be used on domain controllers (DC).

{{Imbox
| type = note
| text = If you run a Samba version prior to 4.2, update to a supported version before using the <code>ad</code> back end on a Samba Active Directory (AD) DC. For details, see [[Updating_Samba|Updating Samba]].
}}

To set up the <code>ad</code> ID mapping back end locally on a Samba AD DC, verify that you are not using the unsupported <code>samba</code> built-in <code>Winbind</code> implementation. If the <code>server services</code> parameter in your <code>smb.conf</code> file lists the option <code>winbind</code>, replace it with <code>winbindd</code>:

 server services = ..., <s>winbind,</s> <u>winbindd</u>,...

----

If you do not have the <code>server services</code> parameter in your <code>smb.conf</code> file, or it already lists the <code>winbindd</code> option, Samba 4.2 and later automatically starts the <code>winbindd</code> service when the <code>samba</code> service is started.

To verify that the <code>winbindd</code> service is started as a subprocess of the <code>samba</code> process, enter:

 # ps axf
 ...
 2156 ?  Ss  0:00 /usr/local/samba/sbin/samba -D
 2158 ?  S   0:00  \_ /usr/local/samba/sbin/samba -D
 2172 ?  R   0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 ...

{{Imbox
| type = important
| text = Do not start the <code>winbindd</code> service manually on a Samba AD DC.
}}
Latest revision as of 18:44, 1 April 2023

Introduction

The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.

For alternatives, see Identity Mapping Back Ends.

Warning: ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC). Do not add any idmap config lines to the smb.conf file of a Samba AD DC. For details, see Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File.

Warning: If you use the winbind ad back end, you must add a gidNumber attribute to the Domain Users group in AD. You must also give any users that you want to be visible to Unix a uidNumber attribute. From Samba version 4.6.0, you can also add a gidNumber attribute to a user containing the gidNumber of a group and, provided smb.conf is set up correctly, that group is used as the user's Unix primary group. All of these uidNumber and gidNumber attributes must contain numbers inside the range you set for the DOMAIN in the Unix domain member's smb.conf.
Advantages and Disadvantages of the ad Back End

Advantages:

- Central administration of IDs inside Active Directory (AD).
- Consistent IDs on all Samba clients and servers using the ad back end.
- The required attributes only need creating once; this can be done when the user or group is created.
- IDs are only cached locally; they are stored in the AD database on the DCs. This means that if the local cache becomes corrupt, file ownerships are not lost.

Disadvantages:

- You have to manually track ID values to avoid duplicates.
- The values for the RFC2307 attributes are not created automatically; they must be added manually.

Winbind NSS info mode-specific features:

- rfc2307: Individual login shells and home directory paths for users.
- template: The login shells and home directory base paths are the same for all users.
Planning the ID Ranges

Before configuring the ad back end in the smb.conf file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Important: The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
Prerequisites

To enable Samba to retrieve user and group information from Active Directory (AD):

- Users must have, at least, the uidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell and unixHomeDirectory attributes set.
- Groups must have, at least, the gidNumber attribute set.
- Computers (machine accounts) must have the uidNumber attribute set to access shares on Samba domain members.
- The primary group of users and computers must have a gidNumber attribute set.
- The user, computer, and group IDs must be within the range configured in the smb.conf file for this domain.
- User and computer IDs must be unique for all users and computers, and group IDs must be unique for all groups. Duplicate IDs, or reusing IDs of previously deleted accounts, enable the new user, computer, or group to access files created by the other or previous ID owner. When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group.
- Computer IDs (uidNumber attribute) are not automatically tracked inside AD and must be set manually in the ADUC Attribute Editor tab when a computer is joined to the domain.

Important: If the Active Directory Users and Computers (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see Setting up RFC2307 in AD.
The RFC2307 and template Mode Options

Before Samba version 4.6.0:

The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:

- winbind nss info = rfc2307: All information is read from Active Directory (AD):
  - Users: Account name, UID, login shell, home directory path, and primary group.
  - Groups: Group name and GID.
- winbind nss info = template: Only the following values are read from AD:
  - Users: Account name, UID, and primary group. The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  - Groups: Group name and GID.

From Samba version 4.6.0:

The winbind nss info parameter is no longer used; it has been replaced by idmap config DOMAIN : unix_nss_info. The ad ID mapping back end supports two modes, set in the idmap config DOMAIN : unix_nss_info parameter in the [global] section of the smb.conf file:

- idmap config DOMAIN : unix_nss_info = yes: All information is read from Active Directory (AD):
  - Users: Account name, UID, login shell, home directory path, and primary group.
  - Groups: Group name and GID.
  - These settings are set per DOMAIN, so you can have different settings for each DOMAIN.
  - If a user lacks the RFC2307 attributes, the login shell and home directory are automatically set by user-independent settings in the smb.conf file.
- idmap config DOMAIN : unix_nss_info = no: Only the following values are read from AD:
  - Users: Account name, UID, and primary group. The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  - Groups: Group name and GID.
  - This is the default setting.

There is also a new setting, unix_primary_group, which allows you to use another group as the user's primary group instead of Domain Users:

- If unix_primary_group = yes is set, the user's primary group is obtained from the gidNumber attribute found in the user's AD object.
- If unix_primary_group = no is set, the user's primary group is calculated via the primaryGroupID attribute.
- The default is no.
Configuring the ad Back End

Before Samba version 4.6.0:

- To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:

    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    log file = /var/log/samba/%m.log
    log level = 1
    winbind nss info = rfc2307

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

From Samba version 4.6.0:

- To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:

    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    log file = /var/log/samba/%m.log
    log level = 1

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
    idmap config SAMDOM:unix_nss_info = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

Important: Setting the default back end is mandatory.

Important: You must set the range for every domain, including the * default domain. You must set the back end and schema mode for every domain, except the * default domain. The ID ranges of all domains configured in the smb.conf file must not overlap.
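The rules in the two notes above (a mandatory, read-write default domain; a range for every domain; back end and schema mode for every non-default domain; no overlapping ranges) are easy to violate when smb.conf is edited by hand, and a violation surfaces later as users that silently fail to map. The following Python script is an added example, not code from the Samba wiki or the Samba project: it parses the idmap config lines of an smb.conf text and reports every rule violation it finds. PAGE_CONFIG is the page's own 4.6.0 fragment trimmed to the relevant lines; BAD_CONFIG and its TRUSTED domain are constructed. Treating an ad back end on the * domain as an error is this example's reading of the comment that the default domain needs a read-write back end; testparm remains the authoritative syntax check.

```python
import re

# Matches "idmap config DOMAIN : key = value"; both the "DOMAIN : key" and
# the "DOMAIN:key" spellings used in the page's smb.conf fragments are accepted.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>\S.*?)$",
    re.IGNORECASE,
)

# The page's own "From Samba version 4.6.0" fragment, trimmed to the idmap lines.
PAGE_CONFIG = """
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   # - must not overlap with any domain ID mapping configuration!
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-999999
   idmap config SAMDOM:unix_nss_info = yes
"""

# Constructed counter-example: SAMDOM overlaps the default domain and lacks
# schema_mode, and the made-up TRUSTED domain overlaps SAMDOM.
BAD_CONFIG = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 5000-999999
   idmap config TRUSTED:backend = ad
   idmap config TRUSTED:schema_mode = rfc2307
   idmap config TRUSTED:range = 900000-1999999
"""


def parse_idmap_config(text):
    """Collect the idmap config parameters of every domain: {domain: {key: value}}."""
    domains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        match = IDMAP_RE.match(line)
        if match:
            domains.setdefault(match["domain"], {})[match["key"].lower()] = match["value"].strip()
    return domains


def parse_range(value):
    """'low-high' -> (low, high); ValueError if malformed, empty or reversed."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"range {value!r} is reversed")
    return low, high


def check_idmap_config(text):
    """Return the list of rule violations; an empty list means the fragment passes."""
    domains = parse_idmap_config(text)
    findings = []
    ranges = {}
    if "*" not in domains:
        findings.append("default domain '*' is not configured (its back end and range are mandatory)")
    for name, params in domains.items():
        backend = params.get("backend", "").lower()
        if not backend:
            findings.append(f"{name}: backend not set")
        elif name == "*" and backend == "ad":
            # assumption of this example: ad is read-only, so it cannot serve the
            # default domain, which the page says needs a read-write back end
            findings.append("*: default domain needs a read-write back end such as tdb, not ad")
        elif name != "*" and backend == "ad" and "schema_mode" not in params:
            findings.append(f"{name}: schema_mode not set for the ad back end")
        if "range" not in params:
            findings.append(f"{name}: range not set")
            continue
        try:
            ranges[name] = parse_range(params["range"])
        except ValueError as err:
            findings.append(f"{name}: {err}")
    # Overlap check: walk the ranges by lower bound and remember the one with the
    # highest upper bound seen so far, so a wide range catches every later one inside it.
    widest = None  # (name, low, high)
    for name, (low, high) in sorted(ranges.items(), key=lambda item: item[1]):
        if widest is not None and low <= widest[2]:
            findings.append(f"ranges overlap: {widest[0]} ({widest[1]}-{widest[2]}) and {name} ({low}-{high})")
        if widest is None or high > widest[2]:
            widest = (name, low, high)
    return findings


if __name__ == "__main__":
    for label, text in (("page config", PAGE_CONFIG), ("bad config", BAD_CONFIG)):
        print(label, "->", check_idmap_config(text) or "OK")
```

Run it against your own smb.conf by passing the file's contents to check_idmap_config; an empty list is the only passing result. The overlap walk keeps the widest range seen so far rather than comparing neighbours only, so a large default range still flags a small domain range nested inside it.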
- Configure the Winbind NSS info mode:
  - To enable the template mode and set, for example, /bin/bash as shell and /home/%U as home directory path:

        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U

    The settings are applied to all users in each domain that has the schema_mode = rfc2307 parameter set. From Samba 4.6.0, the global template settings can be overridden per domain by enabling the idmap config domain_name:unix_nss_info parameter.

    Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.

- By default, Samba sets the Windows primary group as the primary group for mapped domain user entries on Unix. The Windows primary group is retrieved from the primaryGroupID attribute of each user entry; this is usually set to the RID of the Domain Users group. This RID is then used to obtain the gidNumber attribute from the Windows primary group.

- If you are running Samba 4.6.0 or later, you can optionally configure Samba to use the primary group set in the gidNumber attribute of the user's entry instead. For example, when using the Active Directory Users and Computers application, this attribute is displayed in the UNIX Attributes tab. To use the group ID set in the user's gidNumber attribute as the primary group for each user instead of the Windows primary group, enable the following parameter in the [global] section of your smb.conf file:

    idmap config SAMDOM:unix_primary_group = yes

Important: Whichever setting you use, the group (or groups) set as the users' primary group must have the gidNumber attribute set. For example, if you only use the Domain Users group as the primary group for all accounts, then the Domain Users group must have a gidNumber attribute set. Winbind is unable to map accounts whose primary group does not have the gidNumber attribute set.

Important: Whichever setting you use, do not change the users' primaryGroupID attribute; Windows relies on all users being a member of Domain Users. If you require your Unix users to have a primary group other than Domain Users, you should use Samba version 4.6.0 or later.

- Reload Samba:

    # smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_ad(5) man pages.
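The prerequisites section and the primary-group paragraphs above together decide whether winbind can map an account at all: a uidNumber inside the domain range, a primary group that resolves to a gidNumber, and unique IDs. The following Python script is an added example, not code from the Samba wiki or the Samba project. It applies those rules to constructed user and group records (every name, ID value and RID except the well-known 513 of Domain Users is made up) and reports, per user, either the resulting Unix identity or the reason the mapping fails. The unix_nss_info and unix_primary_group switches model the two settings described above; treating a user without gidNumber as unmappable under unix_primary_group = yes is an assumption of this example, and machine accounts are not modelled.

```python
# Added example (not code from the Samba wiki or the Samba project): apply the
# page's prerequisites and primary-group rules to constructed AD records and
# show which users the ad back end could map and which it could not.

DOMAIN_RANGE = (10000, 999999)  # idmap config SAMDOM:range from the page

# Constructed groups keyed by RID (the last component of the objectSid).
# 513 is the well-known RID of Domain Users; the other RIDs are made up.
GROUPS = {
    513: {"name": "Domain Users", "gidNumber": 10000},
    1101: {"name": "unixadmins", "gidNumber": 10001},
    1102: {"name": "nogid"},  # gidNumber was never set
}

# Constructed users; attribute names are the RFC2307 names used on the page.
USERS = [
    {"name": "alice", "uidNumber": 10100, "gidNumber": 10001, "primaryGroupID": 513,
     "loginShell": "/bin/zsh", "unixHomeDirectory": "/srv/home/alice"},
    {"name": "bob", "uidNumber": 10101, "primaryGroupID": 513},    # no shell/home set
    {"name": "carol", "uidNumber": 10102, "primaryGroupID": 1102},  # primary group lacks gidNumber
    {"name": "dave", "primaryGroupID": 513},                        # no uidNumber
    {"name": "erin", "uidNumber": 5000, "primaryGroupID": 513},     # uidNumber outside the range
    {"name": "frank", "uidNumber": 10101, "primaryGroupID": 513},   # duplicates bob's uidNumber
]


def in_range(value, rng):
    return rng[0] <= value <= rng[1]


def primary_gid(user, groups, unix_primary_group):
    """Return (gid, None) or (None, reason) for the two unix_primary_group settings."""
    if unix_primary_group:
        # yes: the gidNumber attribute of the user object is the Unix primary group
        # (assumption of this example: a user without gidNumber is unmappable here)
        gid = user.get("gidNumber")
        if gid is None:
            return None, "unix_primary_group = yes but the user has no gidNumber"
        return gid, None
    # no (the default): primaryGroupID RID -> group -> that group's gidNumber
    group = groups.get(user.get("primaryGroupID"))
    if group is None:
        return None, "primaryGroupID does not resolve to a group"
    if "gidNumber" not in group:
        return None, f"primary group '{group['name']}' has no gidNumber"
    return group["gidNumber"], None


def resolve_user(user, groups, rng=DOMAIN_RANGE, unix_nss_info=True,
                 unix_primary_group=False, template_shell="/bin/bash",
                 template_homedir="/home/%U"):
    """Return (passwd-like dict, None) when the user is mappable, else (None, reason)."""
    uid = user.get("uidNumber")
    if uid is None:
        return None, "no uidNumber"
    if not in_range(uid, rng):
        return None, f"uidNumber {uid} outside range {rng[0]}-{rng[1]}"
    gid, reason = primary_gid(user, groups, unix_primary_group)
    if reason:
        return None, reason
    if not in_range(gid, rng):
        return None, f"gidNumber {gid} outside range {rng[0]}-{rng[1]}"
    # unix_nss_info = yes reads loginShell and unixHomeDirectory and falls back to
    # the template settings when they are missing; = no always uses the template.
    if unix_nss_info and "loginShell" in user and "unixHomeDirectory" in user:
        shell, home = user["loginShell"], user["unixHomeDirectory"]
    else:
        shell, home = template_shell, template_homedir.replace("%U", user["name"])
    return {"name": user["name"], "uid": uid, "gid": gid, "shell": shell, "home": home}, None


def duplicate_uids(users):
    """uidNumber values shared by more than one user; each must be unique."""
    seen, dups = set(), set()
    for user in users:
        uid = user.get("uidNumber")
        if uid is not None:
            (dups if uid in seen else seen).add(uid)
    return sorted(dups)


def audit(users, groups, **options):
    """Map every user; the value is the passwd-like entry or the failure reason."""
    outcome = {}
    for user in users:
        entry, reason = resolve_user(user, groups, **options)
        outcome[user["name"]] = entry if entry is not None else reason
    return outcome


if __name__ == "__main__":
    for name, result in audit(USERS, GROUPS).items():
        print(f"{name}: {result}")
    print("duplicate uidNumbers:", duplicate_uids(USERS))
```

With the defaults (unix_nss_info = yes, unix_primary_group = no) alice gets gid 10000 from Domain Users and her own shell, bob falls back to the template shell and home directory, and carol, dave and erin are reported as unmappable for the three distinct reasons the prerequisites list. Passing unix_primary_group=True switches alice to gid 10001 from her gidNumber attribute; duplicate_uids flags the shared uidNumber of bob and frank, which the page warns lets one account read the other's files.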