idmap_nss — Samba's idmap_nss Backend for Winbind
The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts and obseletes the "winbind trusted domains only" smb.conf option. This provides a simple means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a Samba member server.
This example shows how to use idmap_nss to check the local accounts for its own domain while using allocation to create new mappings for trusted domains
[global] idmap domains = SAMBA TRUSTEDDOMAINS idmap config SAMBA:backend = nss idmap config SAMBA:readonly = yes idmap config TRUSTEDDOMAINS:default = yes idmap config TRUSTEDDOMAINS:backend = tdb idmap config TRUSTEDDOMAINS:range = 10000 - 50000 idmap alloc backend = tdb idmap alloc config:range = 10000 - 50000