On a member server, the ldap backend should not be needed for user and group look up. You do need some sort of idmapping for the unix level to see the UID's and GID's assigned to the samba users, and use those uid's and gid's to set file permissions.

I haven't had much luck with member servers either. It does get trickier when you have ldap used for both unix accounts and samba accounts. I found it easier to configure my primary machines as domain controllers.


I think generally your nsswitch.conf file should include entries to allow unix to retrieve uid's and gid's from winbind.

passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind

This means that you would be able to type "getent user1" and "getent MYDOMAIN\user1." I

I think it appears you are getting group information from winbind since you have the "force group" entry in smb.conf.


You should look at the man page for idmap_nss. In theory, this should let you use a local backend to store the idmap entries, and the idmap system should map the SID's to the existing unix uid and gid. Never worked for me in practice.

Alternately, you may want to manually edit the idmap entries in ldap. The domain controller should have automatically created them.



On 02/15/12 10:21, Alex Domoradov wrote:
I have NT4 domain on samba-3.x integrated with LDAP. I need to use domain
users in the shares permissions

On the domain member server I have the following smb.conf

[global]

     workgroup = W3
     server string = File server
     netbios name = FS1
     security = domain

     load printers = no
     show add printer wizard = no
     printcap name = /dev/null
     disable spoolss = yes

     log file = /var/log/samba/samba.log
     max log size = 50000

     encrypt passwords = yes

     winbind trusted domains only = yes

     idmap backend = ldap:"ldap://pdc.w3.lan/";
     ldap idmap suffix = ou=idmap

     idmap uid = 50000-500000
     idmap gid = 50000-500000

     ldapsam:trusted = yes
     ldapsam:editposix = yes

     ldap suffix = dc=w3,dc=lan
     ldap user suffix = ou=users
     ldap group suffix = ou=groups
     ldap machine suffix = ou=computers
     ldap admin dn = "cn=root,dc=w3,dc=lan"
     ldap ssl = no

     socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

     enable privileges = yes

     os level = 8
     local master = no
     domain master = no
     preferred master = no
     domain logons = no

     wins server = 192.168.210.104
     dns proxy = yes

     client ntlmv2 auth = yes
     client plaintext auth = no

     lanman auth = no
     lm announce = no

     deadtime = 15

     display charset = utf8
     unix charset = utf8
     dos charset = cp866

     log level  = 3
     host msdfs  = no

[Test]
     comment = Test
     path = /data/production/Test/
     public = yes
     guest ok = no
     valid users = @W3\w3-nssldap
     write list = @W3\w3-nssldap
     browseable = yes
     force create mode = 0770
     create mode = 0770
     force directory mode = 0770
     directory mode = 0770
     create mask = 0660
     directory mask = 0770
     force group = @W3\w3-nssldap

# cat /etc/nsswitch.conf | grep ldap
passwd:     files ldap
shadow:     files ldap
group:      files ldap

When I create any folder in the share Test I get the following uid/gid

# ls -l
total 4
drwxrwx--- 2 nssldap 321909 4096 Feb 15 17:00 test

# ls -ln
total 4
drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test

# getent group | grep ^w3-nssldap
w3-nssldap:*:1354:nssldap

# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain Users)

# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)

# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
50290

It seems that samba gets the uid from LDAP and the gid from winbind. So my
question is - Is it possible to use only nss ldap on a domain member server
to map uid/gid?
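As an added example (not code from either poster), here is a small Python check that compares the NSS ids for a user and group against winbind's idmap answers and reports which source the numeric owner and group on a file came from, so that a share whose files end up owned by ids no `getent` name resolves to is caught before permissions are audited. It uses the thread's `id`, `getent group` and `ls -ln` output as constructed input; the winbind gid 321909 for w3-nssldap is an assumption matching the gid seen on disk.

```python
import re

# Constructed sample data copied from the thread (not live command output).
ID_LINE = "uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain Users)"
GETENT_GROUP_LINE = "w3-nssldap:*:1354:nssldap"
LS_LN_LINE = "drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test"
# What winbind's idmap answers (wbinfo --sid-to-uid / --sid-to-gid): the uid 50290 is
# from the thread, the gid 321909 is an assumption matching the gid seen by ls -ln.
WINBIND_IDS = {"nssldap": 50290, "w3-nssldap": 321909}

def parse_id(line):
    """Return (uid, user, gid, group) from `id <user>` output."""
    m = re.match(r"uid=(\d+)\((\S+)\) gid=(\d+)\(([^)]+)\)", line)
    if not m:
        raise ValueError("unrecognised id output: %r" % line)
    return int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)

def parse_getent_group(line):
    """Return (group, gid) from a `getent group` line."""
    name, _pw, gid, _members = line.split(":", 3)
    return name, int(gid)

def parse_ls_ln(line):
    """Return (uid, gid) from an `ls -ln` entry."""
    fields = line.split()
    return int(fields[2]), int(fields[3])

def classify(value, nss_id, winbind_id):
    """Name the mapping source a numeric id on disk agrees with."""
    return "nss" if value == nss_id else "winbind" if value == winbind_id else "unknown"

def check_idmap(id_line, getent_line, ls_line, winbind_ids):
    """Compare NSS and winbind mappings; report where the on-disk uid/gid came from."""
    uid, user, _gid, _grp = parse_id(id_line)
    group, gid = parse_getent_group(getent_line)
    file_uid, file_gid = parse_ls_ln(ls_line)
    mismatches = []
    if uid != winbind_ids[user]:
        mismatches.append("%s: nss uid %d != winbind uid %d" % (user, uid, winbind_ids[user]))
    if gid != winbind_ids[group]:
        mismatches.append("%s: nss gid %d != winbind gid %d" % (group, gid, winbind_ids[group]))
    return {
        "uid_source": classify(file_uid, uid, winbind_ids[user]),
        "gid_source": classify(file_gid, gid, winbind_ids[group]),
        "mismatches": mismatches,
    }
```

On a real member server the three input lines would be replaced by the live output of `id`, `getent group` and `ls -ln`, and the dictionary by `wbinfo --sid-to-uid` / `--sid-to-gid` answers; any non-empty mismatch list means nss and winbind disagree and the share's ownership will depend on which path each smb.conf option takes.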
