Robert Cohen wrote:
On 20/2/08 4:11 PM, "Neal A. Lucier" <[EMAIL PROTECTED]> wrote:
Robert Cohen wrote:
Ok, I thought winbind was only relevant if you were using AD as a NSS (name
service source). We have all the users in the name service from LDAP or
NIS+. We're only getting the passwords from AD.
I guess this could be an unusual combination and could be what's causing our
problems...
This is exactly what we are doing, and until 3.0.25 setting up idmap to work in
this environment was a bit convoluted, but now it is extremely simple, mainly
because an "nss" backend was introduced to idmap. Generally speaking idmap is
for authorization; however, there is some interplay with authentication.
So, to be clear, your nsswitch on the machine is only looking at LDAP or NIS+, and
in AD you have all the same users with the same username?
You need IDmap to map the uid of the owner of the files (which is coming from
LDAP/NIS+) to the SID of the user that is accessing via Samba (which is coming
from AD). There are many ways to do this, by putting the SID in LDAP, the uid
in AD, using local .tdb files, or a local mapping. The simplest (given that my
assumptions about your environment are correct) is:
winbind use default domain = yes
idmap domains = XX
idmap config XX:backend = nss
idmap config XX:readonly = yes
idmap config XX:default = no
The only setting I'm not sure exactly what it does is the ":default = no", but
IIRC that says if someone from another domain that is not defined by "idmap
domains = " tries to connect then idmap should not use this backend as the
default backend.
see: http://www.samba.org/~idra/samba3_newidmap.pdf
And allow trusted domains = no doesn't make any difference.
Sorry, I was thinking of "winbind trusted domains only" which has been obsoleted
by the idmap_nss backend.
Neal
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
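The setup Neal describes, written out as a complete smb.conf [global] section, as an added example that is not part of the thread and not taken from Samba's own documentation. It uses the Samba 3.0.25-era idmap syntax the thread discusses; the domain name XX is kept from the thread, and the realm, server string and share are assumptions. The point of the configuration is that nsswitch.conf keeps "passwd: files ldap" (or nis) with no winbind entry, while the idmap_nss backend resolves a SID from AD to a name through winbind and then looks that name up in NSS to get the uid, so the username must be identical on both sides.

```ini
[global]
   # Assumed domain and realm; XX is the NetBIOS domain name from the thread.
   workgroup = XX
   realm = XX.EXAMPLE.COM
   # Authentication is delegated to AD; winbind runs, but only for SID/name lookups.
   security = ads
   encrypt passwords = yes
   server string = assumed file server

   # Names coming back from AD are returned without the "XX\" prefix, so they
   # match the bare usernames held in LDAP/NIS+ and looked up via getpwnam().
   winbind use default domain = yes

   # 3.0.25 idmap layout: list the domains, then configure each one.
   idmap domains = XX
   # nss backend: SID -> name (via winbind) -> uid (via NSS). No uid allocation
   # takes place, so every AD user that needs file access must exist in LDAP/NIS+.
   idmap config XX:backend = nss
   # The backend cannot write mappings; mark it read-only so idmap never tries.
   idmap config XX:readonly = yes
   # Do not use this backend for SIDs from domains that are not listed above.
   idmap config XX:default = no

   # Not needed for this setup and obsoleted by idmap_nss, per Neal's last note.
   ; winbind trusted domains only = yes

[homes]
   # Assumed share; file ownership comes from the LDAP/NIS+ uid, not from AD.
   comment = assumed home directories
   browseable = no
   writable = yes
```

To check the mapping on a host where winbindd is running, compare the three lookups for one account: "wbinfo -n alice" returns the SID AD holds for the name, "wbinfo -S <that SID>" returns the uid idmap_nss derived from it, and "getent passwd alice" shows the uid LDAP/NIS+ holds; all three must agree, and a user present in AD but missing from LDAP/NIS+ will fail the second lookup. The "idmap domains" parameter belongs to the 3.0.25 series; later Samba releases replaced it with per-domain "idmap config DOMAIN : backend" lines, so check smb.conf(5) for the version actually installed before copying this fragment.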