Idmap config ad

From SambaWiki
Revision as of 10:12, 16 June 2015 by Hortimech (talk | contribs) (→‎Rewrite to only show relevant info: removed reference to idmap lines etc, they do not do anything on a samba 4.2.0 DC)


RFC2307 defines the possibility to store e. g. user and group information in an LDAP directory. This allows central administration with several advantages.

RFC2307 attributes are usable by default in a Samba Active Directory. This documentation describes how to make account and group information available on Member Servers via Winbindd using RFC2307.

Since Samba 4.2.0, Winbindd (as used on a member server) is now used by default on a Samba Domain Controller. Previous version were shipped with Winbind - an implementation that was dropped because it doesn't have the same quality and feature set of Winbindd. The Samba team advice is to only use Winbindd on 4.2.0 or later. If you're running 4.0 or 4.1, choose one of the alternatives sssd or nslcd.


  • Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.
  • Consistent user and group information accross multiple machines.
  • Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host.
  • Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts.
  • Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of RSAT.
  • If administered via ADUC and enabled NIS extensions, there's no need for manual ID counting. E. g. the next free UID and GID is stored directly in Active Directory and will be incremented then creating a new user or group.

General information about the Samba idmap_ad backend for Winbindd

The idmap_ad plugin will ultimately provide a way for Winbindd to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is read-only. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD. Winbindd will only map users that have a uidNumber and whose primary group have a gidNumber attribute set. It is however recommended that all groups in use have gidNumber attributes assigned, otherwise they will not work.

See the manpage of idmap_ad for further information.

Using Winbindd on a Samba DC

On a DC, UID/GID resolving to user/groupnames on the OS side is optional. If you're fine with seeing UIDs/GIDs on your DC, instead of user/groupnames, no further action is required. However if you want to have user/groupnames displayed on 'ls', etc., you can choose to do it via Winbindd (see this section), nslcd or sssd.

Since Samba 4.2.0, Winbindd is now used on a Samba Domain Controller, instead of the winbind built into the "samba" process.

Winbindd is automatically started by the "samba" process on startup and should not to be run manually!

Administering Unix Attributes in Active Directory

See Administer_Unix_Attributes_in_Active_Directory.