NT to UNIX group mapping in Samba 4

I want to map the NT Group Domain Users to a different UNIX group than users on my Samba 4.7.6 Active Directory Domain Controller, but when I try to do this, it fails as follows:

> net groupmap modify ntgroup='Domain Users' unixgroup='share' type=domain
Could not update group database
[255]

I read that you might now do this with winbind, so I tried, but then I get the following error.

> wbinfo --set-gid-mapping=1000,S-1-5-21-...-513
failed to call wbcSetGidMapping: WBC_ERR_NOT_IMPLEMENTED
Could not create or modify gid to sid mapping
[1]

What is the proper way to manage NT to UNIX group mapping in Samba 4?

EDIT: On the Samba mailing list I found someone with a similar problem, so maybe I could work around it by modifying the internal LDAP server directly? Something like:

ldbadd /var/lib/samba/private/sam.ldb.d/metadata.tdb ...

Unfortunately I have no experience with LDAP, so I don't know how to supply it with a valid LDIF file for my use case.

EDIT2: Thanks to a blogpost about Samba 4 user and group management in LDAP, I managed to edit the UNIX group that the NT group maps to:

> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb '(objectSid=S-1-5-21-1580746459-3543417057-3597883204-513)'

> wbinfo --group-info='Domain Users'
AD.EXAMPLE\domain users:x:100:

> net groupmap list ntgroup='Domain Users'
Domain Users (S-1-5-21-1580746459-3543417057-3597883204-513) -> share

So the right group is now being reported by net groupmap, but wbinfo still reports the old value, so it probably does not get its data from that database. I am not sure how important wbinfo reporting the right group is for my use case, but I will see if I can change that as well before using this as my answer and marking it solved.


From what I have been able to piece together it seems that there is no tool available in Samba 4 that allows you to configure this properly, other than editing the built-in LDAP server directly.

The net tool does not seem to work well with the built-in LDAP server, only some operations are successful, e.g. listing the group mappings and granting rights work, but listing members of a group or modifying the group mappings does not work (as seen in my question).

To modify the mapping I ran the following commands as root. First we have to retrieve the SID of Domain Users, because it will be unique for each provisioning of the Samba server.

root> net groupmap list ntgroup='Domain Users'
Domain Users (S-1-5-21-1580746459-3543417057-3597883204-513) -> users

Then we update the built-in LDAP server's record for the SID by updating xidNumber: 100 with the intended UNIX GID:

root> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb '(objectSid=S-1-5-21-1580746459-3543417057-3597883204-513)'
# 0 adds  1 modifies  0 deletes

Let's say you changed it to GID 250 of the UNIX group called share; net groupmap will then report share as the mapped group:

root> net groupmap list ntgroup='Domain Users'
Domain Users (S-1-5-21-1580746459-3543417057-3597883204-513) -> share

However, winbindd's wbinfo will still report the old GID:

root> wbinfo --group-info='Domain Users'
AD.EXAMPLE\domain users:x:100:

So we have to invalidate the cache entry for Domain Users. After some experimentation I managed to do so by asking it to look up the updated GID:

root> wbinfo --gid-info 250
AD.EXAMPLE\domain users:x:250:

This is then also reported correctly by --group-info:

root> wbinfo --group-info='Domain Users'
AD.EXAMPLE\domain users:x:250:
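The procedure from the answer above, collected into a non-interactive script. This is an added example and not part of the original answer: it assumes the post's idmap.ldb path (/var/lib/samba/private/idmap.ldb), replaces the interactive ldbedit with ldbsearch plus ldbmodify from Samba's ldb tools, adds a check that the target GID is a real UNIX group before anything is written, and uses `net cache flush` (an assumption on my part) in place of the `--gid-info` lookup trick for invalidating winbindd's cache. The function names are mine.

```bash
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# procedure in the answer above. Assumes the same Samba AD DC layout as the
# post and that ldbsearch/ldbmodify (Samba's ldb tools), net and wbinfo are
# on PATH. Run as root on the DC.
set -eu

IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"   # path from the post

# Pull the SID out of one line of `net groupmap list ntgroup=...` output, e.g.
#   Domain Users (S-1-5-21-1580746459-3543417057-3597883204-513) -> users
sid_from_groupmap_line() {
    printf '%s\n' "$1" | sed -n 's/^.*(\(S-[0-9-]*\)).*$/\1/p'
}

# Build the LDIF that replaces xidNumber on one idmap.ldb entry (what the
# post does by hand in ldbedit). Refuses non-numeric GIDs.
ldif_set_xid() {
    dn="$1"
    gid="$2"
    case "$gid" in
        ''|*[!0-9]*) echo "xidNumber must be a number, got '$gid'" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' "$dn" "$gid"
}

# DN of the idmap.ldb entry for a SID, found with the same filter the post
# gives to ldbedit.
idmap_dn_for_sid() {
    ldbsearch -H "$IDMAP_DB" "(objectSid=$1)" dn | sed -n 's/^dn: //p'
}

# Map an NT group to an existing UNIX GID and show what winbindd reports afterwards.
remap_nt_group() {
    ntgroup="$1"
    gid="$2"
    # Check first: the GID must already be a real UNIX group, otherwise files
    # end up owned by a number nothing resolves.
    getent group "$gid" >/dev/null || { echo "no UNIX group with GID $gid" >&2; return 1; }

    sid=$(sid_from_groupmap_line "$(net groupmap list ntgroup="$ntgroup")")
    [ -n "$sid" ] || { echo "no group mapping found for '$ntgroup'" >&2; return 1; }

    dn=$(idmap_dn_for_sid "$sid")
    [ -n "$dn" ] || { echo "no idmap.ldb entry for $sid" >&2; return 1; }

    # ldbmodify reads the LDIF from stdin when no file is given.
    ldif_set_xid "$dn" "$gid" | ldbmodify -H "$IDMAP_DB"

    # Drop winbindd's cached answer (assumption: this stands in for the post's
    # --gid-info lookup trick), then show the new mapping from both tools.
    net cache flush
    net groupmap list ntgroup="$ntgroup"
    wbinfo --group-info="$ntgroup"
}

# Usage: ./remap-group.sh 'Domain Users' 250
if [ "$#" -eq 2 ]; then
    remap_nt_group "$1" "$2"
fi
```

Two caveats the post does not spell out: changing xidNumber does not renumber anything on disk, so files already owned by GID 100 keep that GID and should be chgrp'd if they are meant to follow the group; and if winbindd still shows the old value after `net cache flush`, fall back to the `wbinfo --gid-info <new gid>` lookup shown in the answer.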