[Samba] Winbind usage PDC and Domain member?

Gerald (Jerry) Carter jerry at samba.org
Thu Oct 30 21:45:27 GMT 2003



Alban Browaeys wrote:

| Should winbind run on a PDC?
| All accounts are supposed to exist on it or be managed
| via add user / add machine

winbindd on a Samba PDC is only needed if the PDC
has established trust relationships.

| Is winbind recommended on a multi file services network
| (SMB+NFS+AFS+etc) and when ACLs are used:
| from various it seems not, winbind gets the name only
| from the PDC and sets a random id in the idmap, so ids differ
| on PDC and members, also between members

This can be corrected using the ldap backend for
winbindd.  It's not really well documented I'm afraid.

| ps: and could running winbind on a PDC get it to
| map the user to two ids on it: one static, created at account
| genesis, and the other when the PDC uses getpwnam, getting
| the libc to call the local winbind. It depends on the order of
| the "passwd" attributes in /etc/nsswitch but
| what if the admin set winbind before compat (or unix)?

If I understand you correctly the answer is no.
Think of it like this.  On a Samba PDC, smbd is
authoritative for its own domain accounts (which
must be UNIX users by definition) and winbindd is
used to provide UNIX accounts for users and groups
from trusted domains.

| I also had a difficult case with a domain member
| (samba+winbind) where a local user had the same name
| as the domain one: with "winbind use default domain"
| set to yes a conflict arises, is there a rationale
| behind this being default?

And yet another reason for me to hate that parameter....

| For pam:
| is the winbind domain separator only for local domain member
| usage, or should it be set up the same on the PDC?

I don't understand your question here.






cheers, jerry
~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "You can never go home again, Oatman, but I guess you can shop there."
~                            --John Cusack - "Grosse Point Blank" (1997)
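
The two identity-ambiguity cases raised in this thread (winbind listed before the local source on the "passwd" line, and a local account sharing a name with a domain account once the domain prefix is dropped) can be audited offline. The following is an added example, not part of the original message or of Samba; the function names and all sample data are constructed, and the domain user list is assumed to be in DOMAIN\user form.

```python
import re

LOCAL_SOURCES = {"files", "compat"}

def passwd_sources(nsswitch_text):
    """Return the ordered source list on the 'passwd:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):]).split()
    return []

def winbind_before_local(sources):
    """True when winbind is consulted before any local source (files/compat)."""
    if "winbind" not in sources:
        return False
    local = [i for i, s in enumerate(sources) if s in LOCAL_SOURCES]
    return not local or sources.index("winbind") < min(local)

def colliding_names(passwd_text, domain_users, separator="\\"):
    """Local account names equal to a domain user name without its DOMAIN prefix."""
    local = {l.split(":", 1)[0] for l in passwd_text.splitlines()
             if l.strip() and not l.startswith(("#", "+", "-"))}
    # Windows account names are case-insensitive, so compare lower-cased.
    bare = {u.rsplit(separator, 1)[-1].lower() for u in domain_users}
    return sorted(n for n in local if n.lower() in bare)

# Constructed sample data (not from the original message).
NSSWITCH = """\
# /etc/nsswitch.conf
passwd: winbind compat
group:  compat winbind
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice (local):/home/alice:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
"""
DOMAIN_USERS = ["EXAMPLE\\alice", "EXAMPLE\\bob", "EXAMPLE\\Administrator"]

if __name__ == "__main__":
    src = passwd_sources(NSSWITCH)
    print("passwd sources:", src)
    print("winbind consulted before local sources:", winbind_before_local(src))
    print("ambiguous without domain prefix:", colliding_names(PASSWD, DOMAIN_USERS))
```

Any name reported by `colliding_names` is one that would refer to two different accounts on a member server that drops the domain prefix.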




