[Samba] understanding pam_ldap vs. winbindd
craigwhite at azapple.com
Tue Mar 16 16:26:03 GMT 2004
On Tue, 2004-03-16 at 01:53, Beast wrote:
> * Matthias Eichler <mylists at ame.de> wrote:
> > on the member server:
> > ---cut---
> > fileserver:~# net groupmap list
> > System Operators (S-1-5-32-549) -> -1
> > Replicators (S-1-5-32-552) -> -1
> > Guests (S-1-5-32-546) -> -1
> > Power Users (S-1-5-32-547) -> -1
> > Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
> > Print Operators (S-1-5-32-550) -> -1
> > Administrators (S-1-5-32-544) -> -1
> > Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
> > Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
> > Account Operators (S-1-5-32-548) -> -1
> > Backup Operators (S-1-5-32-551) -> -1
> > Users (S-1-5-32-545) -> -1
> > ---cut---
> > > net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users"
> > > unixgroup=valid_unix_group type=domain
> > > if groupmap exists for ntgroup, you either must delete it and
> > > then add it or modify it.
> > OK, maybe this was what I was misunderstanding:
> > I thought that with security=DOMAIN the groupmaps
> > should be some kind of resolved between PDC and
> > the members server or at least with groupmap = -1
> > I have to create them which didn't work.
> Groupmapping was stored on LDAP (if using ldapsam), so every Samba machine on which you wish to obtain the mapping should use the same backend.
Seems to me the choice for a member server is either to be a slave LDAP
(necessary for a BDC but not for a member server) or winbind.
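
An added example (not part of the thread and not Samba project code): a Python check that parses the `net groupmap list` format quoted above and reports which NT groups still map to -1, split into builtin (S-1-5-32) and domain (S-1-5-21) SIDs. The sample input is constructed from lines in the thread plus one invented mapped group ("Example Staff" -> staff); reading -1 as "no Unix group mapped" is an assumption taken from the discussion.

```python
import re

# Constructed sample: five lines copied from the listing quoted in the thread,
# plus one constructed line showing what a mapped group looks like.
SAMPLE = """\
Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) -> -1
Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) -> -1
Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) -> -1
Administrators (S-1-5-32-544) -> -1
Users (S-1-5-32-545) -> -1
Example Staff (S-1-5-21-243015202-3338874213-4097231961-3001) -> staff
"""

# "<ntgroup> (<SID>) -> <unixgroup>", the short format shown in the thread.
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1(?:-\d+)+)\) -> (?P<unix>\S.*)$")


def parse_groupmap(text):
    """Parse `net groupmap list` output into dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid = m.group("sid")
        if sid.startswith("S-1-5-32-"):
            scope = "builtin"
        elif sid.startswith("S-1-5-21-"):
            scope = "domain"
        else:
            scope = "other"
        unix = m.group("unix").strip()
        entries.append({
            "ntgroup": m.group("name"),
            "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]),
            "scope": scope,
            # Assumption: "-1" means no Unix group is mapped, as in the thread.
            "unixgroup": None if unix == "-1" else unix,
        })
    return entries


def unmapped(entries, scope=None):
    """Return entries with no Unix group, optionally limited to one scope."""
    return [e for e in entries
            if e["unixgroup"] is None and scope in (None, e["scope"])]


if __name__ == "__main__":
    for e in unmapped(parse_groupmap(SAMPLE)):
        print(f'{e["scope"]:8} rid={e["rid"]:<5} {e["ntgroup"]} has no Unix group')
```

Feeding it the real output of `net groupmap list` on each Samba host makes it easy to compare which hosts share the same mappings.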