Thanks, I'll try your solution

On Mon, Feb 20, 2012 at 10:56 AM, Angel Bosch <[email protected]> wrote:
> Hi,
>
> not sure if you solved this. I'll give my advice anyway.
>
> if you know how to configure NSS/LDAP at system level, that is the simplest way
> i've found to configure a member server.
>
> first, be sure to have all nss related configured (nsswitch.conf,
> ldap.conf) and check it with "getent passwd" and "getent group".
>
> once you have that, create a machine account on the PDC and join the
> member server (net rpc join).
>
> then configure the member server as a simple file server with no reference to
> LDAP. you don't need any ldap setting in smb.conf, just something like:
>
> [global]
> workgroup = MYDOM
> server string = %h server
> security = DOMAIN
> password server = mypdc.example.com
>
> [prova3]
> comment = proves de membre samba
> path = /tmp/prova3
> read only = No
> guest ok = Yes
>
> this is the simplest way i've found to do it.
>
> regards,
>
> abosch
>
> ----- Original Message -----
> From: "Alex Domoradov" <[email protected]>
> To: [email protected]
> Sent: Wednesday, February 15, 2012 10:29:19 PM
> Subject: Re: [Samba] Samba domain member server using only nss ldap
>
> > On a member server, the ldap backend should not be needed for user and
> > group look up. You do need some sort of idmapping for the unix level to
> > see the UID's and GID's assigned to the samba users, and use those uid's
> > and gid's to set file permissions.
> I need to do idmapping via winbind or something else?
>
> > I haven't had much luck with member servers either. it does get trickier
> > when you have ldap used for both unix accounts and samba accounts. I
> > found it easier to configure my primary machines as domain controllers.
> I need to use LDAP only for samba accounts, not local (unix)
>
> > I think generally your nsswitch.conf file should include entries to allow
> > unix to retrieve uid's and gid's from winbind.
> > passwd: files ldap winbind
> > shadow: files ldap winbind
> > group: files ldap winbind
> but according to
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
> If I have one domain and all servers are members of this domain there is
> no need to use winbind at all. Did I miss something?
>
> > This means that you would be able to type "getent user1" and "getent
> > MYDOMAIN\user1."
> I don't need such a case, in my case local and domain users are always unique
>
> > I think it appears you are getting group information from winbind since
> > you have the "force group" entry in smb.conf.
> It's strange. When I added force user to the share description, samba set
> the uid of the new file from ldap
>
> > You should look at the man page for idmap_nss. In theory, this should
> > let you use a local backend to store the idmap entries, and the idmap
> > system should map the SID's to the existing unix uid and gid. Never
> > worked for me in practice.
> I read the man
> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
> get a clear understanding
>
> > Alternately, you may want to manually edit the idmap entries in ldap.
> > The domain controller should have automatically created them.
> there are 10-15 entries in the ou Idmap
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
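As an added example (not from either poster), a POSIX sh audit of the member-server setup Angel describes: it checks that nsswitch.conf consults ldap for passwd and group (what "getent passwd" / "getent group" verify), that smb.conf uses security = DOMAIN with a password server, and it flags shares that are both guest ok and writable, as [prova3] is. The sample smb.conf and nsswitch.conf are constructed from the quoted config; the hostname is a placeholder.

```sh
# Audit a Samba member server's smb.conf and the nsswitch.conf it depends on.
# Prints one "FINDING: ..." line per problem; no output means the checks passed.

# Value of KEY in [SECTION] of FILE, lowercased and trimmed (empty if absent).
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        tolower($0) ~ ("^[ \t]*\\[" tolower(sec) "\\][ \t]*$") { in_sec = 1; next }
        /^[ \t]*\[/ { in_sec = 0 }
        in_sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

audit_member_server() {
    smb=$1; nss=$2
    # A member server hands authentication to the PDC; it needs no LDAP settings of its own.
    [ "$(smb_get "$smb" global security)" = domain ] ||
        echo "FINDING: security is not DOMAIN"
    [ -n "$(smb_get "$smb" global 'password server')" ] ||
        echo "FINDING: no password server set"
    # NSS must already resolve uids/gids from LDAP (what 'getent passwd/group' verifies).
    for db in passwd group; do
        grep -Eiq "^[[:space:]]*$db:.*ldap" "$nss" ||
            echo "FINDING: nsswitch.conf $db line does not consult ldap"
    done
    # A share that is both guest-accessible and writable accepts unauthenticated writes.
    sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$smb" | grep -vi '^global$' |
    while IFS= read -r share; do
        if [ "$(smb_get "$smb" "$share" 'guest ok')" = yes ] &&
           [ "$(smb_get "$smb" "$share" 'read only')" = no ]; then
            echo "FINDING: [$share] is writable by guests"
        fi
    done
}

# Constructed sample modelled on the smb.conf quoted in the thread (hostname is a placeholder).
demo() {
    d=$(mktemp -d)
    printf '[global]\nworkgroup = MYDOM\nsecurity = DOMAIN\npassword server = mypdc.example.com\n' >"$d/smb.conf"
    printf '\n[prova3]\npath = /tmp/prova3\nread only = No\nguest ok = Yes\n' >>"$d/smb.conf"
    printf 'passwd: files ldap\ngroup:  files ldap\n' >"$d/nsswitch.conf"
    audit_member_server "$d/smb.conf" "$d/nsswitch.conf"
}
```

Running `demo` reports only the guest-writable [prova3] share; a config with security = USER and an nsswitch.conf without ldap produces a finding per missing precondition.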
