Overview

This document describes the group attribute mapping from IPA to Samba and vice versa in various scenarios.

Mapping IPA Group to Samba Group

If an IPA group doesn't have a corresponding Samba group, a new Samba group should be created with IPA attributes:

Samba Attribute	Source
dn	CN=<ipa.cn>,CN=Users,DC=domain1,DC=com If this DN conflicts with another DN belonging to a different entity, a counter will be appended to the RDN value until it no longer conflicts.
objectClass	group
cn	ipa.cn
sAMAccountName	ipa.cn
description	ipa.description
member	transform IPA members into Samba members

Once the Samba group is created, the IPA group should be updated with Samba attributes:

If an IPA group has a corresponding Samba group but they are not linked yet, the Samba group should be updated with IPA attributes:

Samba Attributes	Source
cn	ipa.cn
description	ipa.description
member	transform IPA members into Samba members

Once the Samba group is updated, the IPA group should be updated with Samba attributes:

If an IPA group has a corresponding Samba group and they are already linked, the Samba group should be updated with IPA attributes:

Samba Attributes	Source
cn	ipa.cn
description	ipa.description
member	transform IPA members into Samba members
objectSid	ipa.objectSid

There is no need to update IPA group.

A new group should be generated from Samba attributes and added to IPA:

IPA	Samba
dn	cn=<sAMAccountName>,cn=groups,cn=accounts,dc=domain1,dc=com
objectClass	groupOfNames, posixGroup, extensibleObject
cn	sAMAccountName
description	description
member	transform Samba members into IPA members
objectGUID	objectGUID
objectSid	objectSid