force group with security=ads, winbind and local(NIS) groups not working
Hansjörg Maurer
Hansjoerg.Maurer at dlr.de
Tue Mar 20 06:51:38 GMT 2007
Hi Jerry
>
>
> You are mixing tokens. You want to authenticate against
> AD but not use the group token. So don't run winbindd.
> This will force smbd to attempt to map the Windows user
> logged on via AD to a local Unix account and therefore
> get the list of supplementary groups from Unix rather than
> AD.
>
>
I know that even if this configuration worked up to now, it is not a
proper design :-)
The force group parameter works, as you suggested, without using winbind.
But when we run winbind (with idmap uid = 10000-10000), all files a user
creates on the Samba share
under Windows show the owner "DOMAINNAME\Username" (security dialog).
Without winbind the user gets "Unix User\Username" in the security dialog.
I am not sure if this could affect a Windows user (e.g. when copying
files to local disks with xcopy).
But if a user adds an ACL for another user to a file, he selects
"DOMAINNAME/Username" in the dialog, and after saving,
the ACL shows up as "Unix User/Username".
But as I said before, I think we might have used a feature which was
not primarily designed
but works nicely :-) , and we already plan to move towards a single
user database at the end of the year (not NIS and AD in parallel and
this name mapping).
Regards
Hansjörg
>
>
> cheers, jerry
--
_________________________________________________________________
Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft
Institut fuer Robotik und Mechatronik
Dr. Hansjörg Maurer
LAN- und Systemmanager
Münchner Strasse 20
82234 Wessling
Germany
Telefon: 08153/28-2431
Telefax: 08153/28-1134
E-Mail: Hansjoerg.Maurer at dlr.de
Internet: http://www.robotic.dlr.de/
__________________________________________________________________
There are 10 types of people in this world,
those who understand binary and those who don't.