[Samba] Samba3.0 domain GID/UID/SID transformations

Andrew Bartlett abartlet at samba.org
Tue Jun 17 12:11:15 GMT 2003


On Tue, 2003-06-17 at 15:59, Nick Stephens wrote:
> NS> Andrew Bartlett (abartlet at samba.org) AB wrote on Jun 17, 2003:
> 
> > There are a few solutions to your problem - one that many sites will be
> > coming across as they attempt migrations.
> > 
> > Firstly, if you just want to deal with the passwords, and don't mind
> > keeping the users database as it was, you just use pam_winbind, but not
> > nss_winbind.  If you then set 'winbind use default domain = yes', and
> > the NT usernames are the same as your unix ones, then it should all
> > 'just work'.  ie, only the passwords are redirected.
> 
> In this case, do you mean to remove the winbind references from my 
> nsswitch.conf?  Is this the portion of it that deploys the gid/uid/sid 
> information?

Yes.  PAM and nsswitch are separate, and it can be quite handy to
separate them.  Note that it doesn't work as well running winbind, not
having winbind in nsswitch, but running the Samba file-server.

> > If you want to go further, and ditch the unix username database, you can
> > alter the 'idmap' that Samba controls (mapping the NT sids to uids) so
> > that they match the existing unix accounts to the NT accounts.  I think
> > 'net idmap' should let you do this, but it's only just in CVS, and I've
> > not played with it.  
> 
> So in this instance, would you mean removing any /etc/passwd & shadow 
> entries for the users, and letting it all be done via the smb.conf and 
> winbindd?  That actually sounds like a good idea (it saves me from having 
> to be redundant with my userbase still), but my concern is this:  I am 
> running samba on my linux mailserver that my users pop3 to.  I wanted to 
> sync my NT domain/unix passwds, as users will really appreciate the 
> ability to just have to change the one passwd, etc.  If I remove the 
> accounts from the passwd/shadow files, would I just have to rely on 
> properly created aliases to deliver the mail, since I don't think sendmail 
> will be aware of the NT domain users...

If you have the winbind entry in the nsswitch.conf, and you have
'winbind use default domain = yes' and you have the same name on NT as
on unix, then sendmail won't know the difference.  You will need to set
the idmap correctly if you don't want to chown the files.

> Along those same lines but kind of off 'samba' base (read: feel free to 
> ignore this if you have no idea what I'm talking about :)... I am trying to 
> configure the pop3 pam.d conf to be able to accept those NT usernames, and 
> I'm curious if anyone has an example config for this very idea.  If so, 
> that would definitely save me some headaches I'm sure, and if not maybe I 
> can write one up for samba.org when I'm done ;)
> 
> here is my (surely weak) attempt at /etc/pam.d/pop3:

Looks good.

> # try the NT domain first; fall back to the local shadow database, re-using
> # the password already typed (use_first_pass) so the user is not prompted twice
> auth       sufficient   /lib/security/pam_winbind.so
> auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
> auth       required     /lib/security/pam_shells.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_stack.so service=system-auth
> 
> 
> -- 
> Nick Stephens
> Systems Administrator
> Ceiva Logic, Inc.
> 
> (818) 481-6332
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
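The "set the idmap correctly if you don't want to chown the files" advice above is the step that bites during a migration: once the local passwd entries are gone and nss_winbind takes over, every file owned by the old local uid is orphaned unless winbind hands out the same uid. The script below is an added example, not code from the thread or from the Samba project. It compares, for each named user, the uid in /etc/passwd with the uid winbind's idmap assigns to that user's SID, and reports every user whose files would need a chown. It assumes winbindd is running with 'winbind use default domain = yes', that winbind is NOT yet listed in nsswitch.conf (so /etc/passwd is read directly rather than through nss_winbind), and that the wbinfo tool is on the path; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check that winbind's idmap gives each
# domain user the same uid as the existing local account before the local
# passwd/shadow entries are removed. Any mismatch means a chown is needed.
#
# Assumptions: winbindd running, 'winbind use default domain = yes', winbind
# not yet in nsswitch.conf, wbinfo available. wbinfo -n (name -> SID) and
# wbinfo -S (SID -> uid) are real flags; the function names are hypothetical.

# idmap_line_for_user USER -> "USER:LOCAL_UID:WINBIND_UID" (either uid may be empty)
idmap_line_for_user() {
    user=$1
    # read /etc/passwd directly so nss_winbind cannot answer for the local account
    local_uid=$(awk -F: -v u="$user" '$1 == u { print $3 }' /etc/passwd)
    # wbinfo -n prints "<SID> <type>"; keep only the SID
    sid=$(wbinfo -n "$user" 2>/dev/null | cut -d' ' -f1)
    win_uid=
    if [ -n "$sid" ]; then
        win_uid=$(wbinfo -S "$sid" 2>/dev/null)
    fi
    printf '%s:%s:%s\n' "$user" "$local_uid" "$win_uid"
}

# report_mismatches: reads USER:LOCAL_UID:WINBIND_UID lines on stdin, prints
# one diagnostic per user whose uids are missing or disagree, exits 1 if any.
report_mismatches() {
    awk -F: '
        $2 == "" { printf "%s: no entry in /etc/passwd\n", $1; bad = 1; next }
        $3 == "" { printf "%s: winbind has no uid mapping for this user\n", $1; bad = 1; next }
        $2 != $3 { printf "%s: local uid %s, winbind uid %s (chown needed)\n", $1, $2, $3; bad = 1; next }
        END      { exit (bad ? 1 : 0) }
    '
}

# Usage: sh idmap_check.sh alice bob carol
main() {
    for u in "$@"; do
        idmap_line_for_user "$u"
    done | report_mismatches
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it with the list of mail users before touching /etc/passwd; an exit status of 1 with no output lines is impossible, so a clean run (no output, exit 0) means the idmap already matches and the local entries can be dropped without a chown. If the idmap does not match, fix the mapping (the thread points at 'net idmap' for this) rather than chowning, so that the uids on disk stay stable across the migration.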