I'm no friend of winbind. But you need the idmap-thing with winbind. And I agree with you that there is NO!!! really good howto about using winbind in the newer versions of samba, no step by step. But as far as I used it, winbind mapped the users of a Windows domain or ADS to the samba machine as if they were local users there. Then you can grant rights on shares, use domain-groups.... As you are using ADS you should have a look at samba4.

Greetings
Daniel

-----------------------------------------------
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: [email protected]
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Robert Cohen
Sent: Thursday, 24 February 2011 07:26
To: [email protected]
Subject: [Samba] Is it a good idea/required to run winbind

We've been running a samba service for many years but have stuck using 3.0.24. Every version I tried after 3.0.24 seemed to have reliability problems. But if every version since 3.0.24 was broken I assume someone would have noticed by now :-). So I'm guessing we're doing something idiosyncratic and/or stupid..

The config we have is that our samba server (solaris) is getting uid/gid info using NSS from ldap. But all the users are also in an ADS domain which is synchronised with the ldap servers by an identity management system. So we do authentication from ADS.

The relevant parts of the config are

    netbios name = xxx
    security = ADS
    realm = yyy.domain
    password level = 0
    local master = no
    domain master = no
    encrypt passwords = yes

The samba server was joined to the domain using "net ads join". We were running smbd and nmbd but not winbind (since we weren't using samba for NSS). And that worked fine up through 3.0.24.

After 3.0.24, it stopped working reliably. From memory the server kept dropping out of the domain. I enquired on this list about the problems we were having and the best advice I received was that winbind was now a required service. So I tried using winbind and it seemed to work better, but still not completely reliably. So we just stayed on 3.0.24.

Recent changes to the domain mean that we will need to run a recent version of samba. So I've been looking into upgrading. I ran up a copy of 3.5.6 using winbind.
But testing indicated that it didn't appear to be respecting secondary groups for the users. It was picking up the primary group for a user, i.e. the one in the password file. But not the secondary groups (specified in /etc/group).

Then someone suggested trying without winbind. And that seems to be working OK.

But my question is, is there something that I need to be using winbind for? The documentation is a little confusing. I can't find anything that says categorically that winbind is necessary.

But the winbind man page says

    Even if winbind is not used for nsswitch, it still provides a service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to domain controllers

And chapter 24 of the how to says

    Fact: Winbind is needed to handle users who use workstations that are NOT part of the local domain.

But that appears to be to avoid name clashes. Here we're using a unified namespace (from NSS) so name clashes shouldn't be a problem.

So was the earlier recommendation I received that winbind was compulsory either incorrect or outdated?

Various documentation implies that using winbind without idmap guid (in netlogon proxy only mode) should work the same as not using winbind. In both cases they will pick up user info via NSS. So why is the behaviour different when using winbind and not using winbind?

=======================================
Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
CRICOS Provider #00120C
=======================================

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
