That sounds like a pretty good description of winbind and nsswitch.
The tricky part, depending on your configuration, is that one "real"
user can end up with two uid's - one from the "unix" account (e.g.
/etc/passwd, nis or ldap) and one from winbind. Your DC's should not
be using winbind for the local samba domain if the users already have
unix accounts that are also being used for things like nfs or ssh.
On 01/04/2011 09:45 AM, Michael Wood wrote:
> On 4 January 2011 05:50, Bob Miller <[email protected]> wrote:
>> Gaiseric,
>> thank you sooo much for the reply....
>> I will make comments inline:
>> On Mon, 2011-01-03 at 20:06 -0500, Gaiseric Vandal wrote:
>>> Winbind is used for allowing unix things like file system access, getent
>>> passwd and getent group to handle windows users (windows users and groups
>>> get unix uid's and gid's allocated.)
>> To say this another way; getent maps users/groups and their respective
>> uids/gids/sids, winbind is what determines if those uids/gids have
>> permission to do what is being requested?
> That is not how I understand it at all.
> "getent passwd" and "getent group" are basically front-ends to winbind
> (when you have winbind specified in your nsswitch.conf.) So winbind
> does the talking to a Windows (or Samba) server and maps the uids/gids
> to/from sids.
> i.e. winbind maps uids/gids to/from sids/names. getent passwd/group
> maps between uids/gids and names (via winbind).
> It's the local filesystem permissions/acls or your smb.conf that
> determine whether a particular user/group has access to something.
> I have never used winbind, but that's basically my understanding of it.
>>> I don't use winbind to login to a
>>> unix system as a windows user but I do use it to allow the unix file system
>>> on a samba server to handle file perms for windows users. Winbind would
>>> have nothing to do with subnet issues.
>> So wbinfo commands are not affected by working across a vpn...
> I suppose if winbind can talk to the Windows (or Samba) server where
> it gets its information, it should not matter if that server is on the
> other end of a VPN link.
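The "one user, two uid's" situation described at the top of this message can be checked for by comparing the plain unix entries and the winbind entries that `getent passwd` returns. The following is an added example, not part of the original thread; it assumes winbind names appear as `DOMAIN\user` (the default `winbind separator`), and the sample accounts and uids are constructed.

```python
import subprocess
import sys
from collections import defaultdict

# Constructed sample in `getent passwd` format; names and uids are made up.
SAMPLE = r"""root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EXAMPLE\bob:*:10005:10000:Bob:/home/EXAMPLE/bob:/bin/false
EXAMPLE\carol:*:10006:10000:Carol:/home/EXAMPLE/carol:/bin/false
"""


def parse_passwd(text, separator="\\"):
    """Yield (source, short_name, uid) for each passwd-format line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        name, uid = fields[0], int(fields[2])
        if separator in name:
            # Domain-qualified name: this entry came from winbind.
            domain, short = name.split(separator, 1)
            yield ("winbind:" + domain, short.lower(), uid)
        else:
            # Plain name: /etc/passwd, NIS or LDAP.
            yield ("unix", name.lower(), uid)


def find_split_identities(text, separator="\\"):
    """Return {short_name: {source: uid}} for names mapped to more than one uid.

    Names are compared case-insensitively, which is a matching heuristic:
    Windows account names ignore case, unix names do not.
    """
    seen = defaultdict(dict)
    for source, short, uid in parse_passwd(text, separator):
        seen[short][source] = uid
    return {n: s for n, s in seen.items() if len(set(s.values())) > 1}


if __name__ == "__main__":
    text = SAMPLE
    if "--live" in sys.argv:
        # Domain users are only listed when smb.conf has `winbind enum users = yes`.
        text = subprocess.run(["getent", "passwd"], capture_output=True,
                              text=True, check=True).stdout
    for name, sources in sorted(find_split_identities(text).items()):
        print(name, sources)
```

Any name it reports owns files under two different uids, so NFS or ssh access through the unix account and Samba access through winbind will not see the same ownership.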