I want to map the NT Group Domain Users to a different UNIX group than users on my Samba 4.7.6 Active Directory Domain Controller, but when I try to do this, it fails as follows:
> net groupmap modify ntgroup='Domain Users' unixgroup='share' type=domain
Could not update group database
[255]
I read that you might now do this with winbind, so I tried, but then I get the following error.
> wbinfo --set-gid-mapping=1000,S-1-5-21-...-513
failed to call wbcSetGidMapping: WBC_ERR_NOT_IMPLEMENTED
Could not create or modify gid to sid mapping
[1]
What is the proper way to manage NT to UNIX group mapping in Samba 4?
EDIT: On the Samba mailing list I found someone with a similar problem, so maybe I could work around it by modifying the internal LDAP server directly? Something like:
ldbadd /var/lib/samba/private/sam.ldb.d/metadata.tdb ...
Unfortunately I have no experience with LDAP, so I don't know how to supply it with a valid LDIF file for my use case.
EDIT2: Thanks to a blog post about Samba 4 user and group management in LDAP, I managed to edit the UNIX group that the NT group maps to:
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb '(objectSid=S-1-5-21-1580746459-3543417057-3597883204-513)'
> wbinfo --group-info='Domain Users'
AD.EXAMPLE\domain users:x:100:
> net groupmap list ntgroup='Domain Users'
Domain Users (S-1-5-21-1580746459-3543417057-3597883204-513) -> share
So the right group is now being reported by net groupmap, but wbinfo still reports the old value, so it probably does not get its data from that database. I am not sure how important wbinfo reporting the right group is for my use case, but I will see if I can change that as well before using this as my answer and marking it solved.
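
A consistency check for the situation in EDIT2, as an added example that is not part of the original post: it parses one line of `wbinfo --group-info` output and one line of `net groupmap list` output and reports whether both resolve to the same gid. The function names, the group(5)-format lookup file and the gid 1000 for `share` are assumptions made for this example; the sample lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example: detect disagreement between winbind and the groupmap database.

# gid field of a `wbinfo --group-info` line (format: name:x:gid:members)
wbinfo_gid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3; exit }'
}

# UNIX group name of a `net groupmap list` line (format: NT name (SID) -> group)
groupmap_unixgroup() {
    printf '%s\n' "$1" | sed -n 's/^.*(S-[0-9-]*) -> \(.*\)$/\1/p'
}

# gid of a named group in a group(5)-format file (e.g. saved `getent group` output)
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# $1 = wbinfo line, $2 = groupmap line, $3 = group file
# returns 0 when consistent, 1 on mismatch, 2 when a value cannot be parsed
check_mapping() {
    wb_gid=$(wbinfo_gid "$1")
    unix_group=$(groupmap_unixgroup "$2")
    map_gid=$(group_gid "$unix_group" "$3")
    if [ -z "$wb_gid" ] || [ -z "$unix_group" ] || [ -z "$map_gid" ]; then
        echo "UNRESOLVED"
        return 2
    fi
    if [ "$wb_gid" = "$map_gid" ]; then
        echo "CONSISTENT gid=$wb_gid"
        return 0
    fi
    echo "MISMATCH wbinfo_gid=$wb_gid groupmap=$unix_group($map_gid)"
    return 1
}

# Constructed sample input, modelled on the output in the post.
WB_LINE='AD.EXAMPLE\domain users:x:100:'
MAP_LINE='Domain Users (S-1-5-21-1580746459-3543417057-3597883204-513) -> share'
GROUP_FILE=$(mktemp)
# Assumed gids: users=100 (as wbinfo reports), share=1000 (hypothetical).
printf 'users:x:100:\nshare:x:1000:\n' > "$GROUP_FILE"

check_mapping "$WB_LINE" "$MAP_LINE" "$GROUP_FILE" || echo "exit status $?"
```

On a live controller the first two arguments would be the output of the `wbinfo --group-info='Domain Users'` and `net groupmap list ntgroup='Domain Users'` commands shown above.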