[Samba] understanding pam_ldap vs. winbindd

Craig White craigwhite at azapple.com
Tue Mar 16 16:24:16 GMT 2004


On Tue, 2004-03-16 at 01:34, Matthias Eichler wrote:
> Hi Craig,
> 
> On Mon, 2004-03-15 at 21:18, Craig White wrote:
> 
> > > Do I understand winbindd right in that way that I do not
> > > need winbindd at all in this setup?
> > ---
> > I would agree with that
> 
> That sounds good to me and my logic...:-)
> 
> > > 	If no, why do I get map errors in the log that
> > > 	SIDs can't be mapped to gid or uid?
> > > 	(net groupmap list just shows -1 entries,
> > > 	 manual groupmaps can't be inserted => error)
> > ---
> > net groupmap list (would have been nice to see that)
> 
> on the pdc:
> ---cut---
> pfoertner:~# net groupmap list
> Domain Admins (S-1-5-21-2443489570-4015384086-1858331161-512) -> root
> Domain Users (S-1-5-21-2443489570-4015384086-1858331161-513) -> users
> Domain Guests (S-1-5-21-2443489570-4015384086-1858331161-514) -> nogroup
> Technik (S-1-5-21-2443489570-4015384086-1858331161-3005) -> technik
> Vorstand (S-1-5-21-2443489570-4015384086-1858331161-3003) -> vorstand
> Buchhaltung (S-1-5-21-2443489570-4015384086-1858331161-3009) -> buchhaltung
> Marketing (S-1-5-21-2443489570-4015384086-1858331161-3007) -> marketing
> Verwaltung (S-1-5-21-2443489570-4015384086-1858331161-3001) -> verwaltung
> ---cut---
> 
> on the member server:
> ---cut---
> fileserver:~# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Power Users (S-1-5-32-547) -> -1
> Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
> Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> ---cut---
> 
> > net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users"
> > unixgroup=valid_unix_group type=domain
> > if groupmap exists for ntgroup, you either must delete it and
> > then add it or modify it.
> 
> OK, maybe this was what I was misunderstanding:
> I thought that with security=DOMAIN the groupmaps
> should be some kind of resolved between PDC and
> the member server, or at least with groupmap = -1
> I have to create them, which didn't work.
---
Actually, I think that on 'member' servers, you should use security =
domain AND winbind to resolve all the samba groups from the PDC

Craig
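
As an added example (not code from this thread or from the Samba project), here is a Samba 3.0-era smb.conf fragment for a domain member that pairs security = domain with winbind, the combination suggested above, together with two checks a practitioner would want: one that audits such a config for the keys a winbind member needs, and one that counts the "-> -1" entries in a net groupmap list like the one quoted above, joining lines that wrapped after "->". The workgroup name EXAMPLEDOM, the idmap ranges and the template paths are assumed values; the two listings are constructed from the output quoted earlier in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Samba 3.0-era keys as used in 2004;
# EXAMPLEDOM, the idmap ranges and the template paths are assumed values.
set -eu

# smb.conf for a member server: the PDC authenticates, winbind maps SIDs.
member_smb_conf() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLEDOM
    security = domain
    password server = *
    # winbind allocates uids/gids for domain SIDs; no net groupmap needed here
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/false
    template homedir = /home/%D/%U
EOF
}

# Normalise smb.conf text: trim, drop comment and blank lines, "key = value".
normalise_conf() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e '/^[;#]/d' -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ = /'
}

# Audit a config for what a winbind member needs; print each problem and
# return 0 only when nothing is missing.
check_member_conf() {
    conf=$(normalise_conf "$1")
    status=0
    printf '%s\n' "$conf" | grep -iq '^security = domain$' \
        || { echo "security must be 'domain' on a member server"; status=1; }
    for key in 'workgroup' 'idmap uid' 'idmap gid'; do
        printf '%s\n' "$conf" | grep -iq "^$key = ." \
            || { echo "missing: $key"; status=1; }
    done
    return "$status"
}

# "net groupmap list" prints "NT group (SID) -> unixgroup"; -1 means unmapped.
# A long line may wrap after "->" (as in the quoted output), so join those.
unmapped_groups() {
    printf '%s\n' "$1" | awk '
        /-> *$/        { pending = $0; next }
        pending != ""  { $0 = pending " " $0; pending = "" }
        /-> *-1 *$/    { print }
    '
}
count_unmapped() { unmapped_groups "$1" | awk 'END { print NR }'; }

# Listings constructed from the output quoted in this thread.
MEMBER_GROUPMAP=$(cat <<'EOF'
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
EOF
)
PDC_GROUPMAP=$(cat <<'EOF'
Domain Admins (S-1-5-21-2443489570-4015384086-1858331161-512) -> root
Domain Users (S-1-5-21-2443489570-4015384086-1858331161-513) -> users
Buchhaltung (S-1-5-21-2443489570-4015384086-1858331161-3009) ->
buchhaltung
EOF
)

# Stand-alone run: audit the constructed config and count unmapped entries.
if check_member_conf "$(member_smb_conf)"; then
    echo "member smb.conf: ok"
fi
echo "unmapped groups, member server: $(count_unmapped "$MEMBER_GROUPMAP")"
echo "unmapped groups, PDC: $(count_unmapped "$PDC_GROUPMAP")"
```

With that config in place, join the domain (net rpc join -U Administrator), start winbindd, and put "winbind" after "files" on the passwd and group lines of /etc/nsswitch.conf; wbinfo -t, wbinfo -g and getent group should then show the PDC's groups with gids taken from the idmap range. On a member set up this way the groups are resolved by winbind, so the -1 entries in the member's own net groupmap list are not what needs fixing.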


