[Samba] understanding pam_ldap vs. winbindd

Craig White craigwhite at azapple.com
Tue Mar 16 16:26:03 GMT 2004


On Tue, 2004-03-16 at 01:53, Beast wrote:
> * Matthias Eichler <mylists at ame.de> wrote:
> 
> > on the member server:
> > ---cut---
> > fileserver:~# net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Replicators (S-1-5-32-552) -> -1
> > Guests (S-1-5-32-546) -> -1
> > Power Users (S-1-5-32-547) -> -1
> > Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
> > Print Operators (S-1-5-32-550) -> -1
> > Administrators (S-1-5-32-544) -> -1
> > Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
> > Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
> > Account Operators (S-1-5-32-548) -> -1
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> > ---cut---
> > 
> > > net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users"
> > > unixgroup=valid_unix_group type=domain
> > > if groupmap exists for ntgroup, you either must delete it and
> > > then add it or modify it.
> > 
> > OK, maybe this was what I was misunderstanding:
> > I thought that with security=DOMAIN the groupmaps
> > should be some kind of resolved between PDC and
> > the members server or at least with groupmap = -1
> > I have to create them which didn't work.
> > 
> 
> Groupmapping was stored on ldap (if using ldapsam), so every samba machine for which you wish to obtain the mapping should use the same backend.
---
Seems to me the choice for member server is either to be a slave ldap
(necessary for BDC but not for member server) or winbind.

Craig
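
An added example, not part of the original thread: a small Python parser for `net groupmap list` output in the format quoted above, reporting which NT groups are still mapped to -1 on a given server. The sample input is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the `net groupmap list` output quoted
# above; the last line (a mapped group) is invented for contrast.
SAMPLE = """\
Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
Administrators (S-1-5-32-544) -> -1
Users (S-1-5-32-545) -> users
"""

# "<NT group name> (<SID>) -> <unix group, or -1 when unmapped>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Return a list of (ntgroup, sid, unixgroup-or-None) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip "---cut---" markers, shell prompts and blank lines
        unix = m.group("unix").strip()
        entries.append((m.group("name"), m.group("sid"),
                        None if unix == "-1" else unix))
    return entries


def sid_kind(sid):
    """S-1-5-32-* is the BUILTIN domain; S-1-5-21-* is a domain or machine SID."""
    if sid.startswith("S-1-5-32-"):
        return "builtin"
    if sid.startswith("S-1-5-21-"):
        return "domain"
    return "other"


def unmapped(entries):
    """Entries whose Unix side is -1, i.e. no Unix group behind the NT group."""
    return [(name, sid, sid_kind(sid))
            for name, sid, unix in entries if unix is None]


if __name__ == "__main__":
    for name, sid, kind in unmapped(parse_groupmap(SAMPLE)):
        print(f"UNMAPPED [{kind}] {name} ({sid})")
```
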


