idmap in 'security = samba-controlled domain' with nss_ldap

Gerald (Jerry) Carter jerry at
Tue Dec 16 15:06:27 GMT 2003

Hash: SHA1

Volker.Lendecke at SerNet.DE wrote:

| Just coming from a customer installation I've found a problem
| in a certain configuration. This is a quite large installation
| with Samba DC infrastructure and an OpenLDAP backend. There
| are member servers that get the unix user database via nss_ldap.
| Samba on the member servers does not know anything about
| LDAP, the servers are set to 'security = domain'. I really
| like this configuration as remote access to the LDAP-stored
| Samba passwords is minimized this way.
| Trying to set an ACL on a file on a member server
| fails because sid_to_uid and sid_to_gid do not find a domain SID.
| Why not? The member server created its own SID in the secrets.tdb.
| The admin picks a domain user or group in the Windows
| security GUI, ending up with a domain SID. Winbind is not
| running on the member server, why should it... The SID is
| not local either, so smbd rejects the ACL which is sort of
| a pain.
| We are in the very comfortable situation that we do *not*
| have to map any uid or gid, as nss_ldap takes care of it, and
| we currently can not handle it.  One solution might be to use
| the existing idmap_ldap backend for winbind. But to
| really do it we need to lift the restriction to only
| search for thesambaIdmapEntry objects in the sid_to_id
| search. This leaves us with a search for any object with a
| sambaSID attribute. If this object contains the expected
| uidNumber and gidNumber, then we believe it.

I've already fixed this in 3.0.1 (a month oago I think).
Run winbindd on the domain member and set

	winbind trusted domains only = yes

This causes winbindd to resolve SID's against local
accounts.  You just better make sure that every account
in your domain has a local unix account.

cheers, jerry
~ ----------------------------------------------------------------------
~ Hewlett-Packard            -------------------------
~ SAMBA Team                 ----------------------
~ GnuPG Key                  ----
~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


More information about the samba-technical mailing list