On Thursday 09 August 2007 08:38, Henrik Zagerholm wrote:
> On 8 Aug 2007 at 16:18, Thierry Lacoste wrote:
> > I'm trying to allow XP clients to add ACLs in the homes share.
> > It appears that I'm unable to do it unless I use winbind
> > although I'm in a pure Samba/OpenLDAP environment.
> >
> > I have a PDC and BDC with Samba/OpenLDAP
> > and a member Samba server with homes and profiles (below
> > is its smb.conf) on which I have Posix ACLs.
> > If I comment out the idmap lines I cannot add ACLs from XP
> > in my home share though. I can browse and pick domain users
> > and groups but cannot add them to the security tab of a file
> > in a user's home share.
> >
> > Do I really need winbind?
>
> Yes, I'm pretty sure you'll need winbind.
> Cheers,
> henke

Thanks Henrik.

Can someone explain why or point me to some doc?
What I read everywhere is that winbind is used to identify users of a Windows domain at the NSS level (mapping them locally with winbindd_idmap.tdb or globally with ldap), while my users are correctly identified by nss_ldap.
What puzzles me is that I didn't touch my /etc/nsswitch.conf, which reads:

group:    files ldap
hosts:    files dns
networks: files
passwd:   files ldap

Is this a common setting, to use winbind for samba and not for NSS?

Also I realized that my smb.conf was not entirely functional.
When I create a file with XP, the domain part of the initial ACLs is the NetBIOS name of the server and not my domain name.
Moreover, when I pick a domain group (which truly appears as a domain group) to add it in the ACLs of the file, it is mapped to gid 10000 through entries in winbindd_idmap.tdb.

Adding the following lines to my smb.conf solved the problem.

passdb backend = ldapsam:ldap://aldap1.stars.net
ldap ssl = start_tls
ldap suffix = o=stars
ldap admin dn = cn=sambamgr,ou=Managers,o=stars
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=Users,ou=Accounts
ldap group suffix = ou=Groups

In this case getfacl reports the correct group and winbindd_idmap.tdb appears to never change.
Still I need the idmap lines to be able to add ACLs.

Regards,
Thierry.

> >
> > workgroup = STARS
> > netbios name = CAPELLA
> > security = DOMAIN
> > name resolve order = wins bcast
> > wins server = castor
> > netbios aliases = AHOMES APROFILES
> > password server = ALDAP1 ALDAP2
> >
> > log level = 2
> >
> > idmap gid = 10000-20000
> > idmap uid = 10000-20000
> >
> > [homes]
> > comment = Home Directories
> > valid users = %S
> > read only = No
> > browseable = No
> >
> > [Profiles]
> > comment = Roaming Profile Share
> > path = /export/profiles
> > read only = No
> > profile acls = Yes

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
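The symptom Thierry describes (a domain group landing on gid 10000 via winbindd_idmap.tdb instead of its LDAP gid) can be spotted on disk: any ACL entry whose numeric id falls inside the configured "idmap uid/gid" range was allocated by winbind rather than resolved from the directory. The following check is an added example, not code from the thread; it takes the 10000-20000 range from the posted smb.conf and runs over a constructed sample of `getfacl -n` output rather than a live share.

```shell
#!/bin/sh
# Added example: flag ACL entries whose uid/gid lies inside the winbind
# idmap allocation range. Such ids came from winbindd_idmap.tdb, not from
# ldapsam/nss_ldap, and will not match the gids nss_ldap hands out.

IDMAP_LOW=10000    # from "idmap uid/gid = 10000-20000" in the posted smb.conf
IDMAP_HIGH=20000

# Constructed sample of `getfacl -n` output (numeric ids, no name lookup).
# One entry, group 10000, sits in the idmap range; the rest are LDAP ids.
SAMPLE_ACL='# file: /export/homes/thierry/report.doc
# owner: 1001
# group: 513
user::rw-
user:1002:r--
group::r--
group:10000:rw-
mask::rw-
other::---'

# Read getfacl -n output on stdin; print the named user:/group: entries
# whose numeric id is within [IDMAP_LOW, IDMAP_HIGH].
idmap_allocated_entries() {
    awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '
        /^(user|group):[0-9]+:/ {
            id = $2 + 0
            if (id >= lo + 0 && id <= hi + 0) print
        }'
}

# Count such entries for one getfacl text; 0 means every named principal
# on the file resolved to a directory-assigned id.
count_idmap_allocated() {
    printf '%s\n' "$1" | idmap_allocated_entries | wc -l | tr -d ' '
}

# Stand-alone run: list the offending entries of the sample.
printf '%s\n' "$SAMPLE_ACL" | idmap_allocated_entries
```

On a real server, replace the sample with `getfacl -n -R /export/homes | idmap_allocated_entries` to list every file that still carries winbind-allocated ids after switching to the ldapsam backend.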