[Samba] Winbind + NIS + winbind trusted domains

Luke Mewburn luke at mewburn.net
Wed Dec 15 10:44:32 GMT 2004

On Wed, Dec 15, 2004 at 11:36:38AM +0100, Christoph Scheeder wrote:
  | Hi,
  | that behavior is logical correct, i would say.
  | What happens is:
  | the user is found from nis, and gets an userid not from the winbind-range.
  | As a result samba is not able to verify this uid against the AD, as it 
  | is not an AD-user-id.
  | i guess to achive what you want you would have to add the nis-users to 
  | the local smbpasswd-database with the correct username and password and 
  | tell samba to loock up users first in local database and then in AD.
  | But i don't know if this is possible, i never tried it.

That's not quite correct.

If you have _all_ of your ADS users in NIS (without the leading
"DOMAIN\") then you can use NIS for the username->UID mapping
and ADS for samba password authentication.  You don't need
winbind in nsswitch.conf for this.  (I.e, just "passwd: files nis")

The problem is if you only have _some_ of your ADS users in NIS,
and want to use "passwd: files nis winbind" to take advantage
of winbindd's "fake up a UID" behaviour, then you currently can't
do this with samba, due to reasons I have detailed in other posts.

As far as I can tell, no other "usermapper" product solves this
problem either (e.g, EMC's NAS product, etc).  Which doesn't make
it an invalid problem, just one that hasn't been solved elsewhere.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20041215/b011c3db/attachment.bin

More information about the samba mailing list