[Samba] Samba-Guide chapter 10
John H Terpstra
jht at samba.org
Tue Mar 29 17:18:25 GMT 2005
On Tuesday 29 March 2005 09:56, Dr. Matthias Schlett (987) wrote:
> Hi John T. et al.,
> here is my comment about the Samba-Guide chapter 10.
The Samba-Guide (Samba-3 by Example) is not intended as a comprehensive
technical overview of how Samba works. It is meant as a quick guide that will
help our users to create a working network environment. The premise behind
the Samba-Guide is "learn be seeing Samba work" - not "see how every nut and
bolt of Samba works". The nuts and bolts should be covered in the
> In my opinion this chapter is a good place to explain the nature of Samba:
> joining the unix and the windows world by mapping.
This is handled in the Samba-HOWTO-Collection. Is that the wrong place?
> In most of the cases discussed on this list a unix server is used only as a
> container for the windows world. The Samba team tries to smooth the
> differences between unix and windows and to put windows functionality into
> unix. For me everything is merged into one big cloud. As an administrator I
> want to look behind the scene and to understand the different cases which
> Samba as an all-purpose software can serve for.
Right. Refer to the Samba-HOWTO-Collection and if that is deficient it must be
> We don't use Samba as a general tool for everything. For the user and group
> management we have an external Oracle database. From this database we feed
> a mixed mode AD for the windows world and a LDAP for the unix world using
> there nss_ldap.
> A windowsusername = DOMAIN\unixusername and some windowsgroupname =
> DOMAIN\unixgroupname, some windowsgroupnames differ from unixgroupnames.
AS shown in the Samba-Guide and as explained in detail in the
Samba-HOWTO-Collection a Windows username should be the same as a UNIX
username. The 'username map' facility is a kludge for handling out-lying
cases where the names must for a particular reason differ, not as a panacea
for general use. The 'username map' facility violates one of the principle
rules of using Samba - that there must be only unique resolution of
login_ID<=>UID<=>SID as any ambiguity may end up biting the hand off.
The same rules apply to group mappings. The tool for setting up group mappings
is: 'net groupmap [add | modify | delete] ntgroup=[...] unixgroup=[...]'
> Both group membership trees are identical ( LDAP supports nested unix
> groups). The password entries for unix and windows are managed by the
> external database.
> On our NFS and CIFS fileserver both worlds get in touch with the help of
> winbind: the idmap backend on a LDAP server is also feeded by our database,
> winbind has only to read the mappings. We don't use winbind for name
> resolution or automatic creation of uid/gid.
What do you see as the role of winbind?
> In chapter 10 there are some common phrases about the winbind role, but in
> my opinion we need a more detailed explanation how it manages the mapping
> in different cases. More general, I would like to have a chapter from the
> mapping viewpoint. For my particular case I had to read many different
> places in the documentation (and I'm reading it the third month) to find a
> working configuration (which I'll send to the list if you would like ), but
> there are still some open questions:
Have you referred to the Samba-HOWTO-Collection? Both the HOWTO and the Guide
have recently been significantly updated. They are available on-line at:
> - Must the idmap be a one-to-one mapping or can several sid point to one
> uid/gid ? or is the username map the only tool in this case (and what about
IDMAP can handle only single and unambiguous mapping of SID to UID and vica
> a groupname map ) ? - Why does the user mapping mechanism differ from the
> group mapping mechanism ? - How is a windows group membership mapped
> automatically to a unix membership (We do it by the external database) ?
Groups are only explicitly mapped since 3.0.0. That is why you need to create
the mapping using the 'net groupmap' facility.
> - How are the 14 different windows security attributes mapped into the
> Posix ACLs and how are the Posix ACLs displayed in windows ?
Perhaps Jeremy can best answer this.
> I hope this email is not too confusingly, but I tried be short.
- John T.
John H Terpstra
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
More information about the samba