[Samba] IDMAP, WINBIND and NIS
Gaiseric Vandal
gaiseric.vandal at gmail.com
Fri Dec 21 18:41:41 GMT 2007
I have posted on this subject before but am still running into
problems. The main question is whether I need to use Winbind in a
single samba domain when each samba server also uses NIS for
centralized unix level authentication. And if, in fact, I need
winbind do I need it on all the samba servers? And do I need a
central IDMAP repository or other mechanism to maintain consistent
SIDs?
My interpretation of the "Samba How To" documentation is that
Winbind is not needed in a single samba domain, with multiple samba
servers, if the samba servers are using NIS or LDAP for unix
accounts.
-----------------------------------------------------------------------------------------------------------------------------
The "Samba How To" chapter on "Identity Mapping" has the following
(paraphrased) entry
Domain Member Server or Domain Member Client ->
Winbind is not used; users and groups resolved via NSS ->
user and group accounts are treated as if they are local accounts,
accounts are stored in a shared repository (NIS or LDAP.) This
configuration may be used with domain
member servers (NT4 or ADS) or PDC
-----------------------------------------------------------------------------------------------------------------------------
My PDC is Samba 3.026a on Solaris. I have member servers that are a
mix of Samba 3.026a on Solaris and Samba 3.024a on Linux. All
machines are using NIS for unix authentication. Some groups are
explicitly mapped between unix and windows, some aren't. I am
not (usually) running winbind on either PDC or member server. I have
not configured nsswitch.conf to use winbind for unix-level
authentication.
On a member server (from a Windows client), file or folder
permissions are assigned to "unix\someuser." However, permissions
still work as I expect. From the Windows perspective, this seems to
be a standalone workgroup machine that happens to have the same user
id and password. Since the file permissions work this is OK most of
the time. However, if I try to add or modify permissions under
Windows I run into problems (symptoms depend on if and when winbind
has been started.)
1. If winbind is not running, I can browse users or groups from the
domain but the permissions don't hold. Presumably Samba doesn't
match up "mydomain\someuser" with "unix\someuser." So it looks like
I would need winbind.
2. If, after I have already connected to a share, I then start
winbind on the member, the file permissions will show the domain
component, and I can set permissions.
3. However, if I start winbind before I connect to the share, I just
get prompted for a user name and password, and I am unable to connect.
If winbind is running on the member server "wbinfo -u" will list the
domain accounts in "DOMAINNAME\user" format.
Member server smb.conf includes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = no
winbind trusted domains only = no
winbind enum users = Yes
winbind enum groups = Yes
name resolve order = host wins bcast
workgroup = mydomain
security = domain
password server = mypdc
The PDC smb.conf does not include the idmap entries. If I run
'wbinfo -i "mydomain/someuser" ' on each machine (assuming winbind is
running) it shows a user ID for that user. On the member server, the
user id's are in the 10000 range. On the PDC, the user ID matches
the unix user id. But I am not sure if this is relevant, or if
idmap is only required in a multi-domain environment. Even if I were
to assign an "idmap uid" range on the PDC, there is no guarantee they
would be assigned in the same order.
Thanks
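Two things in the post above can be checked mechanically before touching winbind on a production server: whether the "idmap uid"/"idmap gid" range a server allocates winbind IDs from overlaps the uids and gids that NIS already hands out (a collision there means a winbind-allocated ID and a NIS account silently share the same numeric owner), and whether every server in the domain declares the same range at all (the post's PDC declares none). The script below is an added example for this thread, not code from the poster or from the Samba project. The smb.conf fragments and the passwd/group lines are constructed; on a real host you would feed it the output of "ypcat passwd" and "ypcat group" and the actual smb.conf files.

```python
"""Check Samba 3 winbind idmap ranges against NIS-supplied unix accounts.

Added example (not from the original post). All inputs below are constructed.
"""
import re

# Constructed smb.conf fragment modelled on the member-server settings in the post.
MEMBER_CONF = """
[global]
    workgroup = mydomain
    security = domain
    password server = mypdc
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = no
"""

# Constructed PDC fragment: like the post's PDC, it declares no idmap range.
PDC_CONF = """
[global]
    workgroup = mydomain
    security = user
    domain logons = yes
"""

# Constructed NIS maps in the format `ypcat passwd` / `ypcat group` print.
NIS_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:10005:100:Bob:/home/bob:/bin/bash
svc:x:2000:200:Service:/nonexistent:/bin/false
"""
NIS_GROUP = """\
users:x:100:alice,bob
eng:x:15000:alice
"""

# Matches lines such as "idmap uid = 10000-20000"; whitespace and case are lenient.
RANGE_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def parse_idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} for the ranges present in conf."""
    ranges = {}
    for kind, lo, hi in RANGE_RE.findall(conf):
        lo, hi = int(lo), int(hi)
        if lo > hi:
            raise ValueError("idmap %s range is inverted: %d-%d" % (kind, lo, hi))
        ranges[kind.lower()] = (lo, hi)
    return ranges


def parse_nis_map(text):
    """Parse passwd- or group-format lines into {name: numeric id} (third field)."""
    ids = {}
    for line in text.splitlines():
        # Skip blanks, comments and NIS compat entries such as "+::0:0:::".
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        ids[fields[0]] = int(fields[2])
    return ids


def find_collisions(ranges, passwd_ids, group_ids):
    """Return [(kind, name, id)] for NIS ids that fall inside the winbind idmap range."""
    collisions = []
    for kind, ids in (("uid", passwd_ids), ("gid", group_ids)):
        if kind not in ranges:
            continue
        lo, hi = ranges[kind]
        for name, value in sorted(ids.items(), key=lambda kv: kv[1]):
            if lo <= value <= hi:
                collisions.append((kind, name, value))
    return collisions


def range_mismatches(configs):
    """Given {server: smb.conf text}, return [(kind, {server: range_or_None})]
    for each idmap kind whose range is not identical on every server."""
    parsed = {srv: parse_idmap_ranges(conf) for srv, conf in configs.items()}
    mismatches = []
    for kind in ("gid", "uid"):
        per_server = {srv: r.get(kind) for srv, r in parsed.items()}
        if len(set(per_server.values())) > 1:
            mismatches.append((kind, per_server))
    return mismatches


if __name__ == "__main__":
    ranges = parse_idmap_ranges(MEMBER_CONF)
    for kind, name, value in find_collisions(ranges, parse_nis_map(NIS_PASSWD),
                                             parse_nis_map(NIS_GROUP)):
        print("NIS %s %s=%d lies inside idmap %s range %s" % (kind, name, value, kind, ranges[kind]))
    for kind, per_server in range_mismatches({"mypdc": PDC_CONF, "member": MEMBER_CONF}):
        print("idmap %s range differs across servers: %s" % (kind, per_server))
```

With the constructed data the script reports that NIS user "bob" (uid 10005) and NIS group "eng" (gid 15000) sit inside the 10000-20000 range the member server allocates from, and that the PDC and member disagree on both ranges. Clearing both findings does not by itself make winbind's allocations identical across servers (the allocation order concern in the post stands), but it does rule out the two misconfigurations that cause ownership on disk to be misattributed.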