> > By "consistent and simple" I mean, something like -- "you have a
> > Windows user that needs to get to a Samba share? Create a UNIX account
> > with the *same name* and you will get an smbd process with the UID and
> > hence the permissions of that user accessing the files on the server
> > (ok not always). The authentication will be done on the NT side though".
>
> Nope. You should use winbind for that. Any other way will cause you
> problems when you try to use ACLs.

I think I understand at least a part of Anton's issue. It's one that I've been thinking about as we deploy Samba 3.0. We never really thought much about ACLs until now and have never run winbindd.

The problem boils down to this: We currently have a group of seven Samba/NFS file servers which are members of a Windows domain. The Windows usernames and group names are synchronized. The numeric UIDs and GIDs are uniform across all of them by virtue of the fact that they have a common /etc/passwd.

We want to jump on the ACL bandwagon and do things right using winbindd. However, in a distributed environment the official way of mapping SIDs to UIDs consistently across the servers involves an 'idmap backend'. All of the idmap backends involve LDAP. It is frustrating that I have to introduce the overhead of deploying an LDAP server and populate it with UID mappings even though the file servers already have an /etc/passwd which has enough information to map numeric Unix UIDs consistently.

I know idmap'ing was a hot topic during development so you have probably already considered all of this. At the time, watching the discussion, I didn't follow it all, but now, starting to consider deployment, the issues are becoming clearer.

--Eric
