Unfortunately I am not sure if the idmapping functionality in Samba
depends on winbind. it appears that it does
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
I do have some member servers that I am not using winbindd. We are
using LDAP for Unix level authentication since we have both windows and
unix clients. On these member servers, if you look at the file
permissions in windows you will see entries like "UNIX\someuser" instead
of "MYDOMAIN\someuser." I have not tried the idmap_nss on this.
This is OK if most of the changes to the files or file permissions is
done in unix. If a windows user connects, samba will map
"MYDOMAIN\someuser" to the unix user and respect the existing unix
permissions. but it makes it hard to set file permissions in windows.
From a windows client, you may try to grant permissions to
"MYDOMAIN\someotheruser" but in that case samba will not handle the
mapping correctly and setting permissions fails.
With the idmap_nss backend example, samba should try to use nsswitch to
locate the user id's for user's in your domain. It will expect user and
group uid's to be 1000 or higher but under 1 milllion. Any other users
or groups (e.g. from trusted domains) will have use a local database
file to create or retrieve idmapping entries. For users in your domain
samba should determine that "MYDOMAIN\someuser" is the same person as
the unix "someuser" account. And hopefully display the file
permissions in windows appropriately.
[global]
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SAMBA : backend = nss
idmap config SAMBA : range = 1000-999999
As I said, I have not got this to work. I have also found that the
samba how-to documentation does not always keep pace with the software
updates- although the man pages usually do. It is just sometimes
difficult to get an overall picture of how something should work from
the man pages.
On 02/15/12 16:29, Alex Domoradov wrote:
> On a member server, the ldap backend should not be needed for user
and group look up. You do need some sort of idmapping for the unix
level to see the UID's and GID's assigned to the samba users, and use
those uid's and gid's to set file permissions.
I need to do idmapping via winbind or something else?
> I haven't had much luck with member servers either. it does get
trickier when you have ldap used for both unix accounts and samba
accounts. I found it easier to configure my primary machines as
domain controllers.
I need to use LDAP only for samba accounts, not local (unix)
> I think generally your nsswitch.conf file should include entries to
allow unix to retrieve uid's and gid's from winbind.
> passwd: files ldap winbind
> shadow: files ldap winbind
> group: files ldap winbind
but according to
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
If I have one domain and all server are the member of this domain
there is no need to use winbind at all. Did I miss something?
> This means that you would be able to type "getent user1" and "getent
MYDOMAIN\user1." I
I don't need such case, in my case local and domain users always unique
> I think it appears you are getting group information from winbind
since have the "force group" entry in smb.conf.
It's strange. When I added force user to the share description, samba
set uid of the new file from ldap
> You should look at the man page for idmap_nss. In theory, this
should let you use a local backend to store the idmap entries, and the
idmap system should use map the SID's to the existing unix uid and
gid. Never worked for me in practice.
I read the man
http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but
didn't get clear understanding
> Alternately, you may want to manually edit the idmap entries in
ldap. The domain controller should have automatically created them.
there are a 10-15 entries in the ou Idmap
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
