[Samba] Samba domain member server using only nss ldap

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Feb 15 10:46:26 MST 2012


On a member server,  the ldap backend should not be needed for user and 
group look up.  You do need some sort of idmapping for the unix level to 
see the UIDs and GIDs assigned to the samba users, and use those uids 
and gids to set file permissions.

I haven't had much luck with member servers either.  It does get 
trickier when you have ldap used for both unix accounts and samba 
accounts.  I found it easier to configure my primary machines as domain 
controllers.


I think generally your nsswitch.conf file should include entries to 
allow unix to retrieve uids and gids from winbind.

passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind

This means that you would be able to type "getent user1" and "getent 
MYDOMAIN\user1."

I think it appears you are getting group information from winbind since 
you have the "force group" entry in smb.conf.


You should look at the man page for idmap_nss.  In theory, this should 
let you use a local backend to store the idmap entries, and the idmap 
system should map the SIDs to the existing unix uid and gid.  Never 
worked for me in practice.

Alternately, you may want to manually edit the idmap entries in ldap.  
The domain controller should have automatically created them.



On 02/15/12 10:21, Alex Domoradov wrote:
> I have NT4 domain on samba-3.x integrated with LDAP. I need to use domain
> users in the shares permissions
>
> On the domain member server I have the following smb.conf
>
> [global]
>
>      workgroup = W3
>      server string = File server
>      netbios name = FS1
>      security = domain
>
>      load printers = no
>      show add printer wizard = no
>      printcap name = /dev/null
>      disable spoolss = yes
>
>      log file = /var/log/samba/samba.log
>      max log size = 50000
>
>      encrypt passwords = yes
>
>      winbind trusted domains only = yes
>
>      idmap backend = ldap:"ldap://pdc.w3.lan/"
>      ldap idmap suffix = ou=idmap
>
>      idmap uid = 50000-500000
>      idmap gid = 50000-500000
>
>      ldapsam:trusted = yes
>      ldapsam:editposix = yes
>
>      ldap suffix = dc=w3,dc=lan
>      ldap user suffix = ou=users
>      ldap group suffix = ou=groups
>      ldap machine suffix = ou=computers
>      ldap admin dn = "cn=root,dc=w3,dc=lan"
>      ldap ssl = no
>
>      socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>
>      enable privileges = yes
>
>      os level = 8
>      local master = no
>      domain master = no
>      preferred master = no
>      domain logons = no
>
>      wins server = 192.168.210.104
>      dns proxy = yes
>
>      client ntlmv2 auth = yes
>      client plaintext auth = no
>
>      lanman auth = no
>      lm announce = no
>
>      deadtime = 15
>
>      display charset = utf8
>      unix charset = utf8
>      dos charset = cp866
>
>      log level  = 3
>      host msdfs  = no
>
> [Test]
>      comment = Test
>      path = /data/production/Test/
>      public = yes
>      guest ok = no
>      valid users = @W3\w3-nssldap
>      write list = @W3\w3-nssldap
>      browseable = yes
>      force create mode = 0770
>      create mode = 0770
>      force directory mode = 0770
>      directory mode = 0770
>      create mask = 0660
>      directory mask = 0770
>      force group = @W3\w3-nssldap
>
> # cat /etc/nsswitch.conf | grep ldap
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> When I create any folder in the share Test I get the following uid/gid
>
> # ls -l
> total 4
> drwxrwx--- 2 nssldap 321909 4096 Feb 15 17:00 test
>
> # ls -ln
> total 4
> drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test
>
> # getent group | grep ^w3-nssldap
> w3-nssldap:*:1354:nssldap
>
> # id nssldap
> uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain
> Users)
>
> # wbinfo --name-to-sid=nssldap
> S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)
>
> # wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
> 50290
>
> It's seems that samba get uid from LDAP and gid from winbind. So my
> question is - Is it possible to use only nss ldap on domain member server
> to mapping uid/gid?
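The mismatch in the original post (getent reporting uid 1890 while wbinfo --sid-to-uid reports 50290) is easy to check for across all users before it shows up as odd file ownership. The following audit script is an added example, not code from either poster or from the Samba project; it assumes getent and wbinfo are available on the member server, and the sample lines in the comments are taken from the output quoted above.

```shell
#!/bin/sh
# Audit whether NSS (files/ldap) and winbind's idmap agree on the numeric
# ids of a domain user or group. A disagreement is exactly the condition
# that produces files owned by the LDAP uid but a winbind-assigned gid.

# Extract the SID from a "wbinfo --name-to-sid" line, e.g.
# "S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)".
# Prints nothing when the lookup failed (no SID on the line).
parse_sid() {
    printf '%s\n' "$1" | awk '$1 ~ /^S-1-5-/ { print $1 }'
}

# Extract the numeric id (3rd field) from a passwd or group entry such as
# "nssldap:x:1890:1354::/home/nssldap:/bin/sh" or "w3-nssldap:*:1354:nssldap".
parse_nss_id() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Returns 0 when both sources report the same non-empty id, 1 otherwise.
ids_agree() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Live check: compare the NSS id with the id winbind derives from the SID.
# $1 = "user" or "group", $2 = name as seen by NSS.
check_name() {
    kind="$1"; name="$2"
    case "$kind" in
        user)  nss_id=$(parse_nss_id "$(getent passwd "$name")"); flag=--sid-to-uid ;;
        group) nss_id=$(parse_nss_id "$(getent group "$name")");  flag=--sid-to-gid ;;
        *)     echo "usage: check_name user|group NAME" >&2; return 2 ;;
    esac
    sid=$(parse_sid "$(wbinfo --name-to-sid="$name" 2>/dev/null)")
    wb_id=$( [ -n "$sid" ] && wbinfo "$flag=$sid" 2>/dev/null )
    if ids_agree "$nss_id" "$wb_id"; then
        echo "OK       $kind $name id=$nss_id (nss and winbind agree)"
    else
        echo "MISMATCH $kind $name nss_id=$nss_id winbind_id=$wb_id sid=$sid"
    fi
}

# Example invocation on the member server (commented out so the helpers can
# be sourced without running live lookups):
# check_name user nssldap; check_name group w3-nssldap
```

Run it for every account that appears in "valid users" or "force group" of a share; any MISMATCH line means the share will mix ids from the two sources until idmap and NSS are reconciled.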


