From: Ray Van Dolson <[email protected]> Date: Tue, 30 Aug 2011 22:40:54 -0700
> I am using either DOMAIN or ADS for authentication and am trying to
> understand how UID/GID mapping rules are triggered.
>
> This[1] seems to suggest that if I do not specify the idmap uid/gid
> parameters in smb.conf, then authenticated usernames are mapped to
> "local" user accounts having the same name.
>
> If, however, I _do_ specify idmap uid/gid then one of the idmap_*
> allocator modules is used.
>
> Is my understanding correct there?

Yes,

> We have a mixed NIS/AD environment, and in most cases we do not use
> idmap parameters and, as such, rely on the existence of an NIS account
> to map UID/GID's. However, when users attempt to set permissions from
> Windows, it appears that a SID is passed to Samba which is unable to
> map it into a valid file system ACL and the permissions aren't actually
> set.
>
> The only workaround I've found is to enable idmap so these SID's can be
> resolved properly to NSS-sourced (in our case, NIS or local accounts)
> UID/GID's.
>
> I do something like this:
>
> idmap backend = tdb
>
> # Users without NIS accounts are assigned random UID/GID's from the
> # following pool (assuming they're allowed to connect)
> idmap uid = 1000000-10000000
> idmap gid = 1000000-10000000
>
> # NIS users should never have UID/GID > 599999
> idmap config DOMAIN : backend = nss
> idmap config DOMAIN : range = 0-599999
>
> This seems to work, but I'm looking to confirm that I have the correct
> understanding.

I think idmap_nss was prepared just for the environment like yours,
using both NIS or LDAP and Winbind.

---
TAKAHASHI Motonobu <[email protected]>
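Added example, not part of the original thread: a small check that the allocator pool and the per-domain NSS range in a configuration like the one quoted above do not overlap, since Samba's documentation requires idmap ranges to be disjoint and an overlap can map two identities to the same UID/GID. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines quoted in the message above.
SAMPLE_CONF = """\
idmap backend = tdb
# Users without NIS accounts get IDs from this pool
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 0-599999
"""

DOMAIN_KEY = re.compile(r"idmap config (\S+?)\s*:\s*range", re.I)

def parse_idmap_ranges(conf_text):
    """Return {label: (low, high)} for every idmap range in the text."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a parameter
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # collapse internal whitespace
        if key.lower() in ("idmap uid", "idmap gid"):
            label = "default " + key.lower().split()[1]
        elif DOMAIN_KEY.fullmatch(key):
            label = "domain " + DOMAIN_KEY.fullmatch(key).group(1)
        else:
            continue  # e.g. "idmap backend" carries no range
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if not m or int(m.group(1)) > int(m.group(2)):
            raise ValueError(f"{label}: bad range {value!r}")
        ranges[label] = (int(m.group(1)), int(m.group(2)))
    return ranges

def find_overlaps(ranges):
    """Return label pairs whose ranges share at least one ID."""
    hits = []
    labels = sorted(ranges)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if a.startswith("default") and b.startswith("default"):
                continue  # uid and gid are separate number spaces
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                hits.append((a, b))
    return hits

if __name__ == "__main__":
    print(find_overlaps(parse_idmap_ranges(SAMPLE_CONF)))
```
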
