Samba – Import Active Directory users into Unix/Linux/FreeBSD group


I need to have FreeBSD 8.2 RELEASE p9 (running FreeNAS) import or associate Active Directory users (or Security Group) with a Unix/FreeBSD group. This way I can use FreeBSD group(s) security on a specific file/directory tree yet still allow AD users to access them.

I have tried a couple of things with no luck.

Putting user IDs into the /etc/group file, i.e. in the format of 'DOMAIN\username' or 'DOMAIN\user group'.

Matching the GID of the Unix group to the RID of the Active Directory group. This supposedly used to work until the security patch came out earlier this year.

Using net groupmap from the Samba tools. (This works, but only in reverse: the FreeBSD users end up in the Active Directory group.)

I basically need a local Unix group to be able to share access with CIFS shares mapped as drives to the Windows Network browser.

Note that I've also tried using a symbolic link (different drive geometry) to the FTP user/group folder. For some reason the Windows users can't see the folder, and I have turned on Wide Links and follow symlinks, with unix extensions turned off. No luck.

I am going to post this over on the FreeNAS community, but this seems to be a more basic system configuration/administration issue. I may also post over in one of the Samba communities.


Best Answer

You are probably better off configuring your FreeBSD systems to authenticate against Active Directory using pam_ldap/nss_ldap, or nss_ldapd (available in the FreeBSD ports collection), or the Microsoft Subsystem for Unix Applications (SUA) NIS server (more good info in the TechNet SFU/SUA Blog).

You also have the option of using the NFS Server available in the SUA kit to give the FreeBSD machines access to the share in question. (This is probably the most likely to work since the UNIX UID/GID -> AD UID/GID -> AD Permissions mapping chain is on the Windows server in this case.)

Note that you will need to extend your Windows users and groups to be POSIXAccounts and POSIXGroups for all of these cases.
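
As an added illustration of the nss_ldapd option (not part of the original answer), this is a minimal `nslcd.conf` that maps POSIX-extended AD users and groups to Unix accounts over LDAPS. The host name, base DN, bind account, password and CA file path are placeholders, and it assumes the RFC 2307 attributes (`uidNumber`, `gidNumber`, `unixHomeDirectory`) are populated in AD.

```conf
# nslcd.conf for nss_ldapd / nss-pam-ldapd
# Constructed example: every name, DN and path below is a placeholder.

# Use LDAPS so the bind password and lookups are not sent in clear text
uri ldaps://dc1.example.com/
base dc=example,dc=com

# Dedicated low-privilege account used only for directory reads
binddn cn=nslcd-reader,cn=Users,dc=example,dc=com
bindpw REPLACE_WITH_BIND_PASSWORD

# Refuse to talk to a domain controller whose certificate does not verify
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ad-ca.pem

# Active Directory specifics: paged results, no referral chasing
pagesize 1000
referrals off

# Only AD users that carry POSIX attributes become Unix accounts
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName

# Only AD groups that carry a gidNumber become Unix groups;
# membership is read from the DN-valued "member" attribute
filter group (&(objectClass=group)(gidNumber=*))
```

The `passwd` and `group` lines in `/etc/nsswitch.conf` also need `ldap` listed as a source, and the file should not be world-readable because it holds the bind password.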