Re: [Samba] Settings ACLS from Windows via member server

2011-02-24 Thread Gaiseric Vandal
Once upon a time I had only samba 3.0.x servers.  They were in a samba
domain (with a samba PDC) and had a trust relationship with a windows 2003
AD domain.  I had to use Winbind + idmap + nsswitch.conf so that users
from the trusted Windows AD domain could be allocated unix uid's and gid's.
I also used winbind so that member samba servers in the samba domain could
allocate unix uid's and gid's to the users from the samba PDC.  Within the
samba domain I found it simplest to move all the servers to an LDAP backend
for samba and unix accounts so that I could enforce a consistent UID-to-SID
mapping across all domain members.  As other users have noticed, it ended up
being simpler to promote key member servers to BDC's and remove any need for
winbind/idmap within the samba domain.


However, I still (to the best of my knowledge) needed winbind and idmap to
allocate unix uid's and gid's to the domain.  In the smb.conf of the PDC I
had the following:
 
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:readonly = no
idmap config TRUSTEDDOMAIN:default = no
idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=trusteddomain,ou=idmap,o=mydomain.com
idmap config TRUSTEDDOMAIN:ldap_user_dn = cn=Admin
idmap config TRUSTEDDOMAIN:ldap_url = ldap://ldap1.mydomain.com
idmap config TRUSTEDDOMAIN:range = 3-3

BDC's are similarly configured, except for the following line:

idmap config TRUSTEDDOMAIN:readonly = yes

With samba 3.0.x, idmap allocation worked somewhat: id's were allocated but
would fail after the cache period expired.  With samba 3.4, the idmap cache
issue was fixed but idmap did not allocate new uid's or gid's.


Based on your information, having upgraded to Samba 3.4, I could have used
idmap_ad as the backend for the trusted Windows domain.  Although I
believe I still need winbind and nsswitch.conf so that the Unix system can
use the uid's and gid's allocated to the trusted users?

Have I understood correctly?

PS.  I truly appreciate all the effort that the samba community puts into
samba.  And yes, I know it is free.  However, man pages are good for
resolving specific implementation issues but they are not always ideal for
putting together a big picture of how all the parts are supposed to go
together.  An updated Samba HOWTO would really be appreciated.  To be fair,
MS Server, even with all its documentation, also has some serious gaps in
documentation and users often have to resort to user forum support as well.


Thanks.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of John H Terpstra
Sent: Tuesday, February 22, 2011 4:28 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Settings ACLS from Windows via member server

On 02/23/2011 07:26 AM, John Drescher wrote:
> > While subscribers keep explaining what they believe, and keep giving
> > advice based on their belief system, rather than on well reasoned fact,
> > confusion will continue to exist and complaints regarding Samba
> > documentation will continue also.
> >
> > Are you willing to take a brave step to explain your reasoning?
>
> This was acquired by several weeks of testing on some version of samba
> with test PDC/BDC and a few windows clients. I am not sure of the
> exact version. It was probably 3.0.X. The clients were mostly 32 bit
> windows XP with a few 64 bit XP machines. Outside of this test domain
> we have used samba for around 10 years and we are still using the
> original domain which has grown from a single samba PDC to a PDC with
> several BDCs, multiple LDAP servers and at least 1/2 dozen domain
> member servers since the PDC and BDCs do not act as fileservers. I do
> not have the test setup to try again with more recent samba but I
> guess I could easily create servers under Virtual Machines.
>
> John

John,

The role of winbindd has morphed considerably since the time the HOWTO
document was written.  The most recent version of Samba covered by the
HOWTO is 3.0.20.  The HOWTO has languished since that time.

Winbind has been significantly rewritten in 3.2.x, and again in 3.3.x,
and in 3.4.x.  It is no surprise that there is confusion regarding its
role, when it is needed, and how to configure it.

The best place to start (always) is the man pages that ship with the
version of Samba you are using.  The man pages that should be consulted
include:
man winbindd
man idmap_nss
man idmap_ad
man idmap_hash
man idmap_rid
man idmap_adex

The man page for winbindd for samba-3.5.4 says:

quote
winbindd is a daemon that provides a number of services to the Name
service Switch capability found in most modern C libraries, to arbitrary
applications via PAM and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a service to
smbd, ntlm_auth and the pam_winbind.so PAM module, by managing
connections to domain controllers. In this configuration the idmap uid
and idmap gid parameters

Re: [Samba] Settings ACLS from Windows via member server

2011-02-23 Thread Mark Dieterich

John,


> I just posted a long reply to help you understand how the pieces fit
> together. Yell out if you are still confused after reading my posting.


Thanks for the lengthy reply and also the suggestion to read man pages
instead of doc, I didn't realize there was such a big difference.  The
pieces are starting to fall into place, but I still have more questions.
I've become convinced that my member servers need to be running
winbind, especially since I want the builtin accounts to work.  So...


My sense is that my member servers should NOT require the LDAP passdb
backend settings.  Can someone confirm that only PDC/BDC should require
this?


If so, I think my problem boils down to an issue resolving sids -> uids.
Playing around with wbinfo on my member workstation, I see that I can
resolve things like:


[root]# wbinfo -n mkd
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)

[root]# wbinfo -n CS.BROWN.EDU\mkd
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)

so far so good, but

[root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid

This seemed to work for a short while after I added the passdb LDAP 
entries to my member server, but I think it was a red herring, as it 
stopped working and worked only for a select number of users.  So the 
question becomes, what am I missing that is preventing the PDC from 
resolving these for my member servers?  It's quite possible there is 
some sort of LDAP mapping that we are just missing... we've been running 
LDAP for a while prior to getting samba up and working, so we had to 
modify our existing schema and add in the LDAP necessary stuff, rather 
than let samba do it as we couldn't afford to lose the existing data.
Is this where the idmap_ldap stuff comes in?  If so, can I just pre-seed 
these entries so all the information is there and run it in a read 
only ldap mode?


Thanks!

Mark
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Settings ACLS from Windows via member server

2011-02-23 Thread Mark Dieterich

Associated question...

When I perform the following lookup on a member server:


[root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid


When the result is not cached on the machine doing the lookup (which by 
the way I can't keep it from caching results even when I toss the -n 
flag on winbindd), I see traffic between the member server and PDC. 
Good.  The PDC has access to all the information it needs to resolve
this query, it's all contained within a user/group entry in LDAP. 
However, I can see no evidence it is trying to resolve this.  If idmap 
is the portion responsible for this resolution, doesn't it make sense 
that I should be running idmap_ldap on the PDC?


I've been looking over the LDAP schema and it has the following:

objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
    DESC 'Mapping from a SID to an ID'
    MUST ( sambaSID )
    MAY ( uidNumber $ gidNumber ) )

which I do NOT have defined in our LDAP db.  I'm planning to just toss 
this in to see whether it helps, but still don't fully understand where 
the idmap_ldap stuff should be defined...


Sorry the pieces just aren't falling into place.  Hopefully, I'm not the 
only one struggling with this and the resulting discussions can someday 
help others.


Mark


Re: [Samba] Settings ACLS from Windows via member server

2011-02-23 Thread John H Terpstra
On 02/24/2011 06:18 AM, Mark Dieterich wrote:
> John,
>
> > I just posted a long reply to help you understand how the pieces fit
> > together. Yell out if you are still confused after reading my posting.
>
> Thanks for the lengthy reply and also the suggestion to read man pages
> instead of doc, I didn't realize there was such a big difference.  The
> pieces are starting to fall into place, but I still have more questions.
> I've become convinced that my member servers need to be running
> winbind, especially since I want the builtin accounts to work.  So...
>
> My sense is that my member servers should NOT require the LDAP passdb
> backend settings.  Can someone confirm that only PDC/BDC should require
> this?

Correct. Samba domain member servers do not require NSS-LDAP because
winbind can resolve SID to uid/gid.  The SID to uid/gid mapping can be
stored locally (which means the mappings will differ on each member
server in your domain), or the mappings can be stored in LDAP in the
idmap suffix specified in the smb.conf file on the domain member
itself (this enables the mappings to be shared across Samba domain
member servers).

On the other hand, some sites require the same uid/gid across domain
controllers (PDC/BDC) and domain member servers (dms). Where this is
required you CAN use NSS-LDAP to get globally consistent uid/gid values
for each user and then use idmap_ldap to handle SID to uid/gid mappings.
This configuration can get a little messy and my preference is to not
have any domain member server but rather make them all domain
controllers - that way all BDCs can share the exact same smb.conf
configuration for simpler admin.

> If so, I think my problem boils down to an issue resolving sids -> uids.
> Playing around with wbinfo on my member workstation, I see that I can
> resolve things like:
>
> [root]# wbinfo -n mkd
> S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
>
> [root]# wbinfo -n CS.BROWN.EDU\mkd
> S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
>
> so far so good, but

Correct.

> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid
>
> This seemed to work for a short while after I added the passdb LDAP
> entries to my member server, but I think it was a red herring, as it
> stopped working and worked only for a select number of users.  So the
> question becomes, what am I missing that is preventing the PDC from
> resolving these for my member servers?  It's quite possible there is
> some sort of LDAP mapping that we are just missing... we've been running
> LDAP for a while prior to getting samba up and working, so we had to
> modify our existing schema and add in the LDAP necessary stuff, rather
> than let samba do it as we couldn't afford to lose the existing data.
> Is this where the idmap_ldap stuff comes in?  If so, can I just pre-seed
> these entries so all the information is there and run it in a read
> only ldap mode?

The domain member server should be configured so it can write to the
LDAP directory so that it can assign (out of the idmap range provided in
the smb.conf file) the idmap entries.  These should populate into the
idmap suffix container.

Cheers,
John T.


Re: [Samba] Settings ACLS from Windows via member server

2011-02-23 Thread John H Terpstra
On 02/24/2011 06:49 AM, Mark Dieterich wrote:
> Associated question...
>
> When I perform the following lookup on a member server:
>
> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid
>
> When the result is not cached on the machine doing the lookup (which by
> the way I can't keep it from caching results even when I toss the -n
> flag on winbindd), I see traffic between the member server and PDC.
> Good.  The PDC has access to all the information it needs to resolve
> this query, it's all contained within a user/group entry in LDAP.
> However, I can see no evidence it is trying to resolve this.  If idmap
> is the portion responsible for this resolution, doesn't it make sense
> that I should be running idmap_ldap on the PDC?
>
> I've been looking over the LDAP schema and it has the following:
>
> objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
>     DESC 'Mapping from a SID to an ID'
>     MUST ( sambaSID )
>     MAY ( uidNumber $ gidNumber ) )
>
> which I do NOT have defined in our LDAP db.  I'm planning to just toss
> this in to see whether it helps, but still don't fully understand where
> the idmap_ldap stuff should be defined...
>
> Sorry the pieces just aren't falling into place.  Hopefully, I'm not the
> only one struggling with this and the resulting discussions can someday
> help others.
>
> Mark

As mentioned in my previous response, it is best to let smbd (via the
idmap handler) automatically create these entries as they are needed.
Using nss_ldap to share a common mapping across all domain member
servers is a good thing(tm).

- John T.


Re: [Samba] Settings ACLS from Windows via member server

2011-02-23 Thread Mark Dieterich

John,

Thanks again for the feedback.


> On the other hand, some sites require the same uid/gid across domain
> controllers (PDC/BDC) and domain member servers (dms). Where this is
> required you CAN use NSS-LDAP to get globally consistent uid/gid values
> for each user and then use idmap_ldap to handle SID to uid/gid mappings.
> This configuration can get a little messy and my preference is to not
> have any domain member server but rather make them all domain
> controllers - that way all BDCs can share the exact same smb.conf
> configuration for simpler admin.


This is exactly the situation we are in.  The vast majority of our 
workstations are linux/unix based, thus uids/gids are really at the guts 
of our environment.  The majority of our users work in both 
environments, so it's critical to have everything match.


Someone else (tms3) asked off list whether there was any reason to even 
bother with member servers.  While it is certainly the case in a real 
Windows environment, I couldn't come up with a reason why this 
shouldn't/couldn't be done with a pure samba environment.  I just tested 
and things appear to work just fine in a test setup.  It seems 
wrong, but there is no reason why it can't work just fine with samba.



> The domain member server should be configured so it can write to the
> LDAP directory so that it can assign (out of the idmap range provided in
> the smb.conf file) the idmap entries.  These should populate into the
> idmap suffix container.


Of course the problem with this is users could end up with multiple 
gids/uids if we allowed the member servers to assign uids/gids.  I now 
understand why member servers would need to assign uids/gids in a real 
Windows domain and it's likely we could seed LDAP properly so that we 
could use them as member servers, but for now I think I'll likely go 
with the massive number of DCs route.


Thanks everyone, I think I've put together a better understanding of 
some of the samba/NT domain internals... probably just enough to cause 
some real trouble ;)


Mark
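One way to audit the mappings Mark is worried about, as an added example that is not part of the thread or of Samba: the script below parses LDIF containing sambaIdmapEntry objects (the objectclass quoted above) together with the users' own sambaSamAccount entries, and flags a uid shared by two SIDs, an idmap entry that disagrees with the account's uidNumber, ids outside the idmap range, and SIDs from another domain. The domain SID is the one in the wbinfo output above; the LDIF records, the DNs and the range 30000-39999 are constructed assumptions.

```python
"""Consistency check for Samba SID-to-id mappings kept in LDAP.

Added example (not code from the thread or from Samba).  It parses LDIF
with sambaIdmapEntry objects and the users' own sambaSamAccount entries
and reports: a uid reused by two SIDs, an idmap entry that disagrees with
the account's uidNumber (the "multiple uids/gids" problem when member
servers allocate ids on their own), ids outside the idmap range, and SIDs
from some other domain.  All sample data below is constructed.
"""
import re
from collections import defaultdict

# Domain SID from the wbinfo output quoted in the thread, user RID removed.
DOMAIN_SID = "S-1-5-21-2830206405-3223145701-231191277"
# Assumed idmap range of the member server (idmap config ...:range).
ID_RANGE = (30000, 39999)

# Constructed sample, roughly what an ldapsearch over the idmap suffix and the
# people container might return.  RIDs 7214 and 62564 appear in the thread.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-7214,ou=idmap,dc=example,dc=edu
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-7214
uidNumber: 30010

dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-62564,ou=idmap,dc=example,dc=edu
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-62564
uidNumber: 30010

dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-513,ou=idmap,dc=example,dc=edu
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-513
gidNumber: 50000

dn: sambaSID=S-1-5-21-1111-2222-3333-1001,ou=idmap,dc=example,dc=edu
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-1001
uidNumber: 30011

dn: uid=mkd,ou=people,dc=example,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 30010
sambaSID: S-1-5-21-2830206405-3223145701-231191277-7214

dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 30020
sambaSID: S-1-5-21-2830206405-3223145701-231191277-62564
"""


def parse_ldif(text):
    """Split LDIF into records, each a dict of attribute -> list of values."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                rec.setdefault(attr.strip(), []).append(value.strip())
        records.append(rec)
    return records


def check_idmap(records, domain_sid=DOMAIN_SID, id_range=ID_RANGE):
    """Return sorted (kind, detail) findings for the idmap entries in records."""
    low, high = id_range
    findings = []
    owners = defaultdict(set)  # (attribute, number) -> SIDs mapped to that id
    account_uid = {}           # SID -> uidNumber of the user's own LDAP account
    idmap_uid = {}             # SID -> uidNumber recorded in the idmap entry
    for rec in records:
        sid = rec.get("sambaSID", [None])[0]
        classes = rec.get("objectClass", [])
        if sid is None:
            continue
        if "sambaSamAccount" in classes and rec.get("uidNumber"):
            account_uid[sid] = int(rec["uidNumber"][0])
        if "sambaIdmapEntry" not in classes:
            continue
        if sid.rsplit("-", 1)[0] != domain_sid:
            findings.append(("foreign-domain", sid))
        ids = [(a, int(v)) for a in ("uidNumber", "gidNumber") for v in rec.get(a, [])]
        for attr, num in ids:
            if attr == "uidNumber":
                idmap_uid[sid] = num
            if not low <= num <= high:
                findings.append(("out-of-range", f"{sid} {attr}={num}"))
            owners[(attr, num)].add(sid)
    for (attr, num), sids in owners.items():
        if len(sids) > 1:
            findings.append(("id-shared", f"{attr}={num} used by {', '.join(sorted(sids))}"))
    for sid, num in idmap_uid.items():
        if sid in account_uid and account_uid[sid] != num:
            findings.append(("idmap-account-mismatch",
                             f"{sid} idmap uid={num} account uid={account_uid[sid]}"))
    return sorted(findings)
```

Running `check_idmap(parse_ldif(SAMPLE_LDIF))` on the sample reports the shared uid 30010, the idmap/account disagreement for RID 62564, the out-of-range gid 50000 and the foreign SID.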


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John Drescher
On Tue, Feb 22, 2011 at 11:04 AM, Mark Dieterich m...@cs.brown.edu wrote:
> I have a purely samba domain: samba PDC, BDC, and a collection of
> clustered member servers that provide CIFS access to our underlying file
> system.  Things are working fine, with the exception of users being able
> to set ACLS from Windows workstations.  When they try to do so, they can
> search for and properly find domain members, but when they try to apply
> the changes, the settings simply vanish from the Window!  We setup a
> test share from our PDC and users **can** set permissions properly on
> this share, so I would think we are looking at a configuration problem
> on our member servers.
>
> A couple generic questions about member servers:
>
> 1) Our password backend is stored in LDAP.  Currently, we only have the
> LDAP configuration on the PDC and BDC samba setups.  My understanding is
> that all other machines, including samba member servers, join the domain
> and get their user information that way, correct?
>
> 2) With a non-AD environment, should our samba member servers run
> winbind?  My understanding is not, but this could be part of the problem.
>
> I'm happy to provide any other information that may be of help, this
> problem is driving us nuts!


I believe the PDC/BDC does not need winbind but the member servers do.
Also you need idmap to work on the member servers. I believe I use a
nss backend for my idmap setup at work.

John


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread TAKAHASHI Motonobu
2011/2/23 Mark Dieterich m...@cs.brown.edu:
(snip)
> Things are working fine, with the exception of users being able
> to set ACLS from Windows workstations.
(snip)

> 1) Our password backend is stored in LDAP.  Currently, we only have the
> LDAP configuration on the PDC and BDC samba setups.  My understanding is
> that all other machines, including samba member servers, join the domain
> and get their user information that way, correct?

Yes. Samba member servers do not need LDAP configurations.

> 2) With a non-AD environment, should our samba member servers run
> winbind?  My understanding is not, but this could be part of the problem.

If you want to set ACLs of domain users and groups, you have to run winbindd
regardless of AD env. or not.

# You can set ACLs of server local users and groups without running winbindd.

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread Mark Dieterich

> If you want to set ACLs of domain users and groups, you have to run winbindd
> regardless of AD env. or not.
>
> # You can set ACLs of server local users and groups without running winbindd.

Hmm... I was working from:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553

I have NSS setup to resolve via LDAP, which contains all of the
appropriate user/group information that samba should need.  The second
heading on this page, "Winbind is not used; users and groups resolved
via NSS", seemed to read as though I didn't actually need winbind.  My
concern here is that winbind appears to be necessary to create unix
users for non-existent Windows NT domain users.  This isn't our case...
every user available in the Windows NT domain (managed by the samba
PDC/BDC) exists in LDAP and, therefore, unix as well.

Regardless... I enabled winbind and the behavior is the same.  Once
winbind is started, I can query most users (wbinfo -u) and groups
(wbinfo -g).  For some reason, some groups don't show.  We have many
groups and users, so I haven't checked them all, but a spot check
suggests there are some missing.

Mark

-- 
--
I'd rather be burning carbohydrates than hydrocarbons


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread tms3

SNIP

> 2) With a non-AD environment, should our samba member servers run
> winbind?  My understanding is not, but this could be part of the
> problem.

> If you want to set ACLs of domain users and groups, you have to run
> winbindd regardless of AD env. or not.

I've done acls just using nss_ldap.

> # You can set ACLs of server local users and groups without running
> winbindd.
>
> ---
> TAKAHASHI Motonobu mo...@samba.gr.jp




Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread tms3

> > If you want to set ACLs of domain users and groups, you have to run
> > winbindd regardless of AD env. or not.
> >
> > # You can set ACLs of server local users and groups without running
> > winbindd.
>
> Hmm... I was working from:
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
>
> I have NSS setup to resolve via LDAP, which contains all of the
> appropriate user/group information that samba should need.  The second
> heading on this page, "Winbind is not used; users and groups resolved
> via NSS", seemed to read as though I didn't actually need winbind.  My
> concern here is that winbind appears to be necessary to create unix
> users for non-existent Windows NT domain users.  This isn't our case...
> every user available in the Windows NT domain (managed by the samba
> PDC/BDC) exists in LDAP and, therefore, unix as well.

Do you have acls set on the file system for the member servers?
Winbind is for authentication purposes, not file system acls.

> Regardless... I enabled winbind and the behavior is the same.  Once
> winbind is started, I can query most users (wbinfo -u) and groups
> (wbinfo -g).  For some reason, some groups don't show.  We have many
> groups and users, so I haven't checked them all, but a spot check
> suggests there are some missing.
>
> Mark




Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John Drescher
> Do you have acls set on the file system for the member servers? Winbind is
> for authentication purposes, not file system acls.

Without winbind I did not get user names in the ACLs tab under
Windows? Do you get these?

John


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread Mark Dieterich
> I believe the PDC/BDC does not need winbind but the member servers do.
> Also you need idmap to work on the member servers. I believe I use a
> nss backend for my idmap setup at work.

So is idmap separate from winbind?  I thought the two went hand in hand.

This may be another clue as to what's going on.  When I bump up the log
level for acls, it reports back:

[2011/02/22 14:04:21.247390,  0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-2830206405-3223145701-231191277-62564 to uid or gid.

This was the result of an operation from a Windows client trying to
grant a user permissions to a folder.  The SID is correct for the user
in question, so obviously something is able to look up information from
LDAP.  However, some other piece can't seem to later resolve it.  Is
this of any help?

I should add... the above is without winbind running on the member server.

Thanks!

Mark

-- 
--
I'd rather be burning carbohydrates than hydrocarbons
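Triage for the smbd error Mark quotes, as an added example that is not from the thread or from Samba: it parses log records in the format shown above (a "[timestamp, level] file:line(function)" header followed by indented message lines, which may wrap), collects every SID that create_canon_ace_lists could not map, and separates the server's own domain SIDs from BUILTIN and foreign ones, since the fix differs for each. The sample log is constructed; only its first record is the one from the thread, and the domain SID is the one in the wbinfo output above.

```python
"""Triage of "unable to map SID" errors in an smbd log.

Added example (not code from the thread or from Samba).  It parses smbd
debug output in the format quoted in the thread: a header line
"[timestamp, level] file:line(function)" followed by indented message
lines (which may wrap), pulls out every SID that create_canon_ace_lists
failed to map to a uid or gid, and sorts them into SIDs of the server's
own domain, BUILTIN SIDs (S-1-5-32-*) and SIDs of any other domain.
The sample log is constructed; only the first record is from the thread.
"""
import re

# Domain SID from the wbinfo output quoted in the thread, user RID removed.
DOMAIN_SID = "S-1-5-21-2830206405-3223145701-231191277"

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]")
UNMAPPED_RE = re.compile(r"unable to map SID (S-1-[0-9-]+) to uid or gid")

# Constructed sample log; the first record is the one quoted in the thread
# (wrapped across two lines as it appeared there), the third is noise.
SAMPLE_LOG = """\
[2011/02/22 14:04:21.247390,  0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-2830206405-3223145701-231191277-62564 to uid or gid.
[2011/02/22 14:04:21.251002,  0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-32-544 to uid or gid.
[2011/02/22 14:05:03.000113,  3] smbd/example.c:0(constructed_noise)
  constructed noise record: an unrelated message at a higher debug level
[2011/02/22 14:06:40.778001,  0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-2830206405-3223145701-231191277-62564 to uid or gid.
[2011/02/22 14:07:12.120000,  0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111-2222-3333-1001 to uid or gid.
"""


def parse_records(text):
    """Group log lines into (timestamp, level, location, message) tuples.

    Continuation lines are joined with a space, so a message wrapped over
    several lines (as in the thread) is matched as one string.
    """
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current:
                records.append(current)
            current = [m.group(1), int(m.group(2)), line[m.end():].strip(), []]
        elif current is not None:
            current[3].append(line.strip())
    if current:
        records.append(current)
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in records]


def classify_sid(sid, domain_sid=DOMAIN_SID):
    """Tell the server's own domain SIDs apart from BUILTIN and foreign ones."""
    if sid.rsplit("-", 1)[0] == domain_sid:
        return "own-domain"   # idmap/winbind on the member server is the place to look
    if sid.startswith("S-1-5-32-"):
        return "builtin"      # BUILTIN\Administrators and friends
    return "foreign"          # another domain, or a stale ACE


def unmapped_sids(text, domain_sid=DOMAIN_SID):
    """Return {sid: {"class", "count", "first", "last"}} for every unmapped SID."""
    result = {}
    for ts, _lvl, _loc, msg in parse_records(text):
        m = UNMAPPED_RE.search(msg)
        if not m:
            continue
        sid = m.group(1)
        entry = result.setdefault(
            sid, {"class": classify_sid(sid, domain_sid), "count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return result


if __name__ == "__main__":
    for sid, info in unmapped_sids(SAMPLE_LOG).items():
        print(f"{info['class']:11} x{info['count']}  {sid}  ({info['first']} .. {info['last']})")
```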


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread tms3
> > Do you have acls set on the file system for the member servers?
> > Winbind is for authentication purposes, not file system acls.
>
> Without winbind I did not get user names in the ACLs tab under
> Windows? Do you get these?

I don't currently have any S3 servers to check...

> John




Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread Mark Dieterich

> Do you have acls set on the file system for the member servers? Winbind
> is for authentication purposes, not file system acls.

Yes, I can set acls on the linux side without problems.  In fact, I can
set acls from a Windows client on the same file system, if I connect to
the share via our PDC rather than a member server.  We can only support
this for testing, because the throughput of the PDC couldn't keep up
with clients.

Mark

-- 
--
I'd rather be burning carbohydrates than hydrocarbons


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John Drescher
On Tue, Feb 22, 2011 at 2:23 PM,  t...@tms3.com wrote:



> Do you have acls set on the file system for the member servers? Winbind is
> for authentication purposes, not file system acls.
>
> Without winbind I did not get user names in the ACLs tab under
> Windows? Do you get these?

BTW, for this comment I mean when a Windows PC connects to a samba
domain member server the ACLs tab displays SIDs instead of usernames.
On the PDC/BDC winbind is not needed for the display of user names in
the ACLs tab. In either case winbind has nothing to do with the
functionality of the acls. They still would work without winbind but
you just can't tell who has access rights, that is unless you memorized
the SIDs...

-- 
John M. Drescher


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread Mark Dieterich

> BTW, for this comment I mean when a Windows PC connects to a samba
> domain member server the ACLs tab displays SIDs instead of usernames.
> On the PDC/BDC winbind is not needed for the display of user names in
> the ACLs tab. In either case winbind has nothing to do with the
> functionality of the acls. They still would work without winbind but
> you just can't tell who has access rights, that is unless you memorized
> the SIDs...

I wish I could even get to the point of seeing numeric SIDs ;)

I guess my next question would be... is there a way to set up winbind and
idmap in such a way that it is read only and doesn't try to dynamically
map anything?  We pre-seed our LDAP database and I don't really want
samba trying to dynamically change anything on us, especially when it comes
to user mappings.

Mark

-- 
--
I'd rather be burning carbohydrates than hydrocarbons


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John H Terpstra
On 02/23/2011 03:46 AM, John Drescher wrote:
> On Tue, Feb 22, 2011 at 11:04 AM, Mark Dieterich m...@cs.brown.edu wrote:
> > I have a purely samba domain: samba PDC, BDC, and a collection of
> > clustered member servers that provide CIFS access to our underlying file
> > system.  Things are working fine, with the exception of users being able
> > to set ACLS from Windows workstations.  When they try to do so, they can
> > search for and properly find domain members, but when they try to apply
> > the changes, the settings simply vanish from the Window!  We setup a
> > test share from our PDC and users **can** set permissions properly on
> > this share, so I would think we are looking at a configuration problem
> > on our member servers.
> >
> > A couple generic questions about member servers:
> >
> > 1) Our password backend is stored in LDAP.  Currently, we only have the
> > LDAP configuration on the PDC and BDC samba setups.  My understanding is
> > that all other machines, including samba member servers, join the domain
> > and get their user information that way, correct?
> >
> > 2) With a non-AD environment, should our samba member servers run
> > winbind?  My understanding is not, but this could be part of the problem.
> >
> > I'm happy to provide any other information that may be of help, this
> > problem is driving us nuts!
>
> I believe the PDC/BDC does not need winbind but the member servers do.
> Also you need idmap to work on the member servers. I believe I use a
> nss backend for my idmap setup at work.
>
> John

John,

It would help the list to understand WHY you believe that winbind is NOT
needed by the PDC/BDC, and WHY it is needed on member servers.

While subscribers keep explaining what they believe, and keep giving
advice based on their belief system, rather than on well reasoned fact,
confusion will continue to exist and complaints regarding Samba
documentation will continue also.

Are you willing to take a brave step to explain your reasoning?

Cheers,
John T.


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread tms3
> John,
>
> It would help the list to understand WHY you believe that winbind is
> NOT needed by the PDC/BDC, and WHY it is needed on member servers.

Winbind, as the name suggests, does authentication for the unix 
server. Of course the manual has a very good write up of it:

"Winbind unifies UNIX and Windows NT account management by allowing a
UNIX box to become a full member of an NT domain. Once this is done,
the UNIX box will see NT users and groups as if they were
“native” UNIX users and groups, allowing the NT domain to be used
in much the same manner that NIS+ is used within UNIX-only
environments...
Additionally, Winbind provides an authentication service that hooks
into the PAM system to provide authentication via an NT domain to any
PAM-enabled applications. This capability solves the problem of
synchronizing passwords between systems, since all passwords are
stored in a single location (on the domain controller)."

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

> While subscribers keep explaining what they believe, and keep giving
> advice based on their belief system, rather than on well reasoned
> fact, confusion will continue to exist and complaints regarding Samba
> documentation will continue also.
>
> Are you willing to take a brave step to explain your reasoning?
>
> Cheers,
> John T.



Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John Drescher
 While subscribers keep explaining what they believe, and keep giving
 advice based on their belief system, rather than on well reasoned fact,
 confusion will continue to exist and complaints regarding Samba
 documentation will continue also.

 Are you willing to take a brave step to explain your reasoning?

This was acquired by several weeks of testing on some version of samba
with test PDC/BDC and a few windows clients. I am not sure of the
exact version. It was probably 3.0.X. The clients were mostly 32 bit
windows XP with a few 64 bit XP machines. Outside of this test domain
we have used samba for around 10 years and we are still using the
original domain which has grown from a single samba PDC to a PDC with
several BDCs, multiple LDAP servers and at least 1/2 dozen domain
member servers since the PDC and BDCs do not act as fileservers. I do
not have the test setup to try again with more recent samba but I
guess I could easily create servers under Virtual Machines.

John


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John H Terpstra
On 02/23/2011 07:26 AM, John Drescher wrote:
 While subscribers keep explaining what they believe, and keep giving
 advice based on their belief system, rather than on well reasoned fact,
 confusion will continue to exist and complaints regarding Samba
 documentation will continue also.

 Are you willing to take a brave step to explain your reasoning?

 This was acquired by several weeks of testing on some version of samba
 with test PDC/BDC and a few windows clients. I am not sure of the
 exact version. It was probably 3.0.X. The clients were mostly 32 bit
 windows XP with a few 64 bit XP machines. Outside of this test domain
 we have used samba for around 10 years and we are still using the
 original domain which has grown from a single samba PDC to a PDC with
 several BDCs, multiple LDAP servers and at least 1/2 dozen domain
 member servers since the PDC and BDCs do not act as fileservers. I do
 not have the test setup to try again with more recent samba but I
 guess I could easily create servers under Virtual Machines.
 
 John

John,

The role of winbindd has morphed considerably since the time the HOWTO
document was written.  The most recent version of Samba covered by the
HOWTO is 3.0.20.  The HOWTO has languished since that time.

Winbind has been significantly rewritten in 3.2.x, and again in 3.3.x,
and in 3.4.x.  It is no surprise that there is confusion regarding its
role, when it is needed, and how to configure it.

The best place to start (always) is the man pages that ship with the
version of Samba you are using.  The man pages that should be consulted
include:
man winbindd
man idmap_nss
man idmap_ad
man idmap_hash
man idmap_rid
man idmap_adex

The man page for winbindd for samba-3.5.4 says:

quote
winbindd is a daemon that provides a number of services to the Name
service Switch capability found in most modern C libraries, to arbitrary
applications via PAM and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a service to
smbd, ntlm_auth and the pam_winbind.so PAM module, by managing
connections to domain controllers. In this configuration the idmap uid
and idmap gid parameters are not required. (This is known as 'netlogon
proxy only mode'.)

The Name Service Switch allows user and system information to be
obtained from different databases services such as NIS or DNS. The exact
behaviour can be configured through the /etc/nsswitch.conf file. Users
and groups are allocated as they are resolved to a range of user and
group ids specified by the administrator of the Samba system.

The service provided by winbindd is called `winbind´ and can be used to
resolve user and group information from a Windows NT server. The service
can also provide authentication services via an associated PAM module.

The pam_winbind module supports the auth, account and password
module-types. It should be noted that the account module simply performs
a getpwnam() to verify that the system can obtain a uid for the user, as
the domain controller has already performed access control. If the
libnss_winbind library has been correctly installed, or an alternate
source of names configured, this should always succeed.
unquote


The components that make up the winbindd services include:
winbindd            - the daemon itself
pam_winbind.so      - the PAM library module
libnss_winbind.so   - the NSS library module
idmap_xxx.so        - Samba modules

The Samba modules provide identity mapping/resolution capabilities - see
the man pages for details. The idmap_ad, idmap_adex, idmap_hash, and
idmap_rid modules make use of winbindd.  The idmap_nss module can be
used with, or without winbind.

Samba CAN be used without winbind - that is a fact. Samba's smbd makes
calls to the getpwent() group of system calls whenever it needs to
obtain the uid/gid for a user or a group.  Where NSS has been configured
to resolve user and group information via LDAP, a system call to
getpwent() will search the libnss libraries in the order they are
specified in the nsswitch.conf file.  For example: Consider where
nsswitch.conf is configured with the following:
passwd:  files compat ldap hesiod winbind

A call to getpwnam() will invoke the libraries specified in the order
given until a match is found. These libraries are used in the order
(from left to right) specified in the nsswitch.conf file:
libnss_files.so
libnss_compat.so
libnss_ldap.so
libnss_hesiod.so
libnss_winbind.so


Winbindd is necessary when Samba is a domain member server in a Windows
domain environment where the domain controllers are running MS Windows
(NT or later) so that it can obtain user and group credentials from the
Microsoft domain controllers. In this role, Samba will need to resolve
the Windows user and group SID to a uid/gid tuple. This is handled
through a combination of winbindd and the 
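The NSS walk that the post above describes, as an added example that is not code from the thread or from the Samba project: a small simulator of how glibc's Name Service Switch consults the sources listed for the `passwd` database in /etc/nsswitch.conf, in order, until one of them answers. It goes one step beyond the post's single example line by also modelling glibc's bracketed status/action syntax (for instance `[UNAVAIL=return]`), which is why "left to right until a match" is not always the whole story. The nsswitch.conf text, the per-source user tables and the `DOM\bob` winbind user are constructed for illustration; the `libnss_<source>.so` names follow glibc's naming convention, but no real NSS module is loaded.

```python
"""Simulate the glibc NSS walk for getpwnam() over /etc/nsswitch.conf.

Added example, not Samba or thread code. Sources and users are constructed.
"""
import re

# Constructed nsswitch.conf. The bracketed action list after "files" is an
# assumed addition to the post's example line; it uses glibc's real
# STATUS=action syntax (negated "!STATUS=" forms are not modelled here).
NSSWITCH_CONF = """\
# /etc/nsswitch.conf (constructed sample)
passwd:  files [NOTFOUND=continue UNAVAIL=return] compat ldap hesiod winbind
group:   files ldap winbind
hosts:   files dns
"""

# Constructed per-source user tables (name -> uid). A value of None stands
# for a source that cannot be reached (winbindd stopped, LDAP down, ...).
SOURCES = {
    "files":   {"root": 0, "mark": 1000},
    "compat":  {},
    "ldap":    {"alice": 20000},
    "hesiod":  {},
    "winbind": {"DOM\\bob": 30001},
}

# glibc defaults: stop on success, keep going on any other status.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Either a "[...]" action group or a bare source name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        db, spec = line.split(":", 1)
        chain = []
        for m in _TOKEN.finditer(spec):
            if m.group(2):                       # a source name
                chain.append((m.group(2), dict(DEFAULT_ACTIONS)))
            elif chain:                          # actions bind to the previous source
                for pair in m.group(1).split():
                    status, action = pair.split("=", 1)
                    chain[-1][1][status.upper()] = action.lower()
        table[db.strip()] = chain
    return table


def module_order(text, database="passwd"):
    """The libnss_*.so modules glibc would try for `database`, in order."""
    return ["libnss_%s.so" % src for src, _ in parse_nsswitch(text)[database]]


def getpwnam(name, text=NSSWITCH_CONF, sources=SOURCES):
    """Simulated getpwnam(): walk the passwd chain honouring status actions.

    Returns {"uid", "source", "consulted"}; uid/source are None on failure.
    SUCCESS=continue/merge is not modelled: the first hit is returned.
    """
    consulted = []
    for src, actions in parse_nsswitch(text)["passwd"]:
        consulted.append(src)
        table = sources.get(src)
        if table is None:
            status = "UNAVAIL"
        elif name in table:
            return {"uid": table[name], "source": src, "consulted": consulted}
        else:
            status = "NOTFOUND"
        if actions[status] == "return":          # e.g. [UNAVAIL=return]
            break
    return {"uid": None, "source": None, "consulted": consulted}


if __name__ == "__main__":
    print(module_order(NSSWITCH_CONF))
    for user in ("mark", "alice", "DOM\\bob", "nobody-here"):
        print(user, getpwnam(user))
    print("winbindd down:", getpwnam("DOM\\bob", sources=dict(SOURCES, winbind=None)))
```

Run with a source set to `None` to see the two failure modes the thread keeps circling: with winbindd stopped, a domain user simply falls off the end of the chain and gets no uid, while an unavailable `files` source with `[UNAVAIL=return]` stops the walk before LDAP or winbind are ever asked.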

Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread Mark Dieterich
So... I could use some help explaining this.  I finally decided to just
start playing and ended up doing the following:

1) Added passdb backend entries on my member servers pointing to LDAP,
similar to what the PDC/BDC configurations have.

This addition, when viewed from Windows suddenly started displaying
SIDs.  Going back a few emails in this thread someone else brought up
they were seeing this behavior without winbind running.

2) Started up winbind

and everything appears to be working now.  So my question is, why?  I
still don't quite understand how all these pieces fit together.  Is it
wrong to have the passdb backend on a member server?

Thanks!

Mark

-- 
I'd rather be burning carbohydrates than hydrocarbons


Re: [Samba] Settings ACLS from Windows via member server

2011-02-22 Thread John H Terpstra
On 02/23/2011 08:23 AM, Mark Dieterich wrote:
 So... I could use some help explaining this.  I finally decided to just
 start playing and ended up doing the following:
 
 1) Added passdb backend entries on my member servers pointing to LDAP,
 similar to what the PDC/BDC configurations have.
 
 This addition, when viewed from Windows suddenly started displaying
 SIDs.  Going back a few emails in this thread someone else brought up
 they were seeing this behavior without winbind running.
 
 2) Started up winbind
 
 and everything appears to be working now.  So my question is, why?  I
 still don't quite understand how all these pieces fit together.  Is it
 wrong to have the passdb backend on a member server?
 
 Thanks!
 
 Mark
 

Mark,

I just posted a long reply to help you understand how the pieces fit
together. Yell out if you are still confused after reading my posting.

Cheers,
John T.