[Samba] IDMAP, WINBIND and NIS

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Dec 21 18:41:41 GMT 2007


I have posted on this subject before but am still running into
problems. The main question is whether I need to use Winbind in a
single samba domain when each samba server also uses NIS for
centralized unix level authentication. And if, in fact, I need
winbind, do I need it on all the samba servers? And do I need a
central IDMAP repository or other mechanism to maintain consistent
SIDs?


My interpretation of the "Samba How To" documentation is that
Winbind is not needed in a single samba domain, with multiple samba
servers, if the samba servers are using NIS or LDAP for unix
accounts.

-----------------------------------------------------------------------------------------------------------------------------
The "Samba How To" chapter on "Identity Mapping" has the following
(paraphrased) entry:

Domain Member Server or Domain Member Client ->
Winbind is not used; users and groups resolved via NSS ->
user and group accounts are treated as if they are local accounts;
accounts are stored in a shared repository (NIS or LDAP). This
configuration may be used with domain
member servers (NT4 or ADS) or PDC.
-----------------------------------------------------------------------------------------------------------------------------



My PDC is Samba 3.026a on Solaris. I have member servers that are a
mix of Samba 3.026a on Solaris and Samba 3.024a on Linux. All
machines are using NIS for unix authentication. Some groups are
explicitly mapped between unix and windows, some aren't. I am
not (usually) running winbind on either PDC or member server. I have
not configured nsswitch.conf to use winbind for unix-level
authentication.


On a member server (from a Windows client), file or folder
permissions are assigned to "unix\someuser." However, permissions
still work as I expect. From the Windows perspective, this seems to
be a standalone workgroup machine that happens to have the same user
id and password. Since the file permissions work this is OK most of
the time. However, if I try to add or modify permissions under
Windows I run into problems (symptoms depend on if and when winbind
has been started.)

1.  If winbind is not running, I can browse users or groups from the
domain but the permissions don't hold. Presumably Samba doesn't
match up "mydomain\someuser" with "unix\someuser." So it looks like
I would need winbind.


2.  If, after I have already connected to a share, I then start
winbind on the member, the file permissions will show the domain
component, and I can set permissions.

3.  However, if I start winbind before I connect to the share, I just
get prompted for a user name and password, and I am unable to connect.

If winbind is running on the member server, "wbinfo -u" will list the
domain accounts in "DOMAINNAME\user" format.

Member server smb.conf includes:

	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	winbind use default domain =  no
	winbind trusted domains only = no
	winbind enum users = Yes
	winbind enum groups = Yes
	name resolve order = host wins  bcast
	workgroup = mydomain
	security = domain
	password server = mypdc
The PDC smb.conf does not include the idmap entries. If I run
'wbinfo -i "mydomain/someuser" ' on each machine (assuming winbind is
running) it shows a user ID for that user. On the member server, the
user IDs are in the 10000 range. On the PDC, the user ID matches
the unix user id. But I am not sure if this is relevant, or if
idmap is only required in a multi-domain environment. Even if I were
to assign an "idmap uid" range on the PDC, there is no guarantee they
would be assigned in the same order.

Thanks
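One way to check the concern raised in the post, that each server's winbind may hand the same domain user a different uid from its local "idmap uid" range, is to collect `wbinfo -i` output from every server and compare. This is an added example, not code from the original post or from Samba; it assumes the Samba 3 passwd-style `wbinfo -i` line format (DOMAIN\user:*:uid:gid:gecos:home:shell) and uses constructed sample output rather than real captures.

```python
# Added example, not from the original post: compare the uid each server's
# winbind assigns to the same domain user. Assumes Samba 3 `wbinfo -i` output
# in passwd form (DOMAIN\user:*:uid:gid:gecos:home:shell); the samples are
# constructed, not captured from real hosts.
from collections import defaultdict

# Constructed: the PDC maps to the NIS uids; each member server allocates from
# its own local "idmap uid = 10000-20000" range in first-seen order.
SAMPLE_WBINFO = {
    "pdc": [
        r"MYDOMAIN\alice:*:501:100:Alice:/home/alice:/bin/bash",
        r"MYDOMAIN\bob:*:502:100:Bob:/home/bob:/bin/bash",
    ],
    "member1": [
        r"MYDOMAIN\alice:*:10000:10000:Alice:/home/alice:/bin/bash",
        r"MYDOMAIN\bob:*:10001:10000:Bob:/home/bob:/bin/bash",
    ],
    "member2": [
        r"MYDOMAIN\bob:*:10000:10000:Bob:/home/bob:/bin/bash",
        r"MYDOMAIN\alice:*:10001:10000:Alice:/home/alice:/bin/bash",
    ],
}


def parse_wbinfo_line(line):
    """Return (domain, user, uid, gid) from one passwd-style wbinfo -i line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not a wbinfo -i passwd line: %r" % line)
    domain, _, user = fields[0].rpartition("\\")
    return domain.upper(), user.lower(), int(fields[2]), int(fields[3])


def find_uid_conflicts(outputs):
    """Return {(domain, user): {uid: [servers]}} for users whose uid differs
    between servers; such a user owns different files on each server's share."""
    seen = defaultdict(lambda: defaultdict(list))
    for server, lines in outputs.items():
        for line in lines:
            domain, user, uid, _ = parse_wbinfo_line(line)
            seen[(domain, user)][uid].append(server)
    return {u: dict(m) for u, m in seen.items() if len(m) > 1}


if __name__ == "__main__":
    for (dom, user), by_uid in sorted(find_uid_conflicts(SAMPLE_WBINFO).items()):
        detail = ", ".join("uid %d on %s" % (uid, "/".join(s))
                           for uid, s in sorted(by_uid.items()))
        print("%s\\%s: %s" % (dom, user, detail))
```

With a shared idmap backend (or the PDC's NIS-matching mapping on every server) the function returns an empty dict; the constructed sample shows each user with three different uids.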

