[Samba] ACLs and winbind

Thierry Lacoste lacoste at miage.univ-paris12.fr
Thu Aug 9 11:28:49 GMT 2007


On Thursday 09 August 2007 08:38, Henrik Zagerholm wrote:
> 8 aug 2007 kl. 16:18 skrev Thierry Lacoste:
> > I'm trying to allow XP clients to add ACLs in the homes share.
> > It appears that I'm unable to do it unless I use winbind
> > although I'm in a pure Samba/OpenLDAP environment.
> >
> > I have a PDC and BDC with Samba/OpenLDAP
> > and a member Samba server with homes and profiles (below
> > is its smb.conf) on which I have Posix ACLs.
> > If I comment out the idmap lines I cannot add ACLs from XP
> > in my home share though. I can browse and pick domain users
> > and groups but cannot add them to the security tab of a file
> > in a user's home share.
> >
> > Do I really need winbind?
>
> Yes, I'm pretty sure you'll need winbind.
> Cheers,
> henke
Thanks Henrik.
Can someone explain why or point me to some doc?
What I read everywhere is that winbind is used to identify users of a windows
domain at the NSS level (mapping them locally with winbindd_idmap.tdb or
globally with ldap) while my users are correctly identified by nss_ldap.

What puzzles me is that I didn't touch my /etc/nsswitch.conf which reads:
group: files ldap
hosts: files dns
networks: files
passwd: files ldap

Is this a common setting to use winbind for samba and not for NSS?

Also I realized that my smb.conf was not entirely functional.
When I create a file with XP the domain part of the initial ACLs
is the NetBIOS name of the server and not my domain name.
Moreover when I pick a domain group (which truly appears as
a domain group) to add it in the ACLs of the file it is mapped
to gid 10000 through entries in winbindd_idmap.tdb.

Adding the following lines to my smb.conf solved the problem.
  passdb backend = ldapsam:ldap://aldap1.stars.net
  ldap ssl = start_tls
  ldap suffix = o=stars
  ldap admin dn = cn=sambamgr,ou=Managers,o=stars
  ldap machine suffix = ou=Computers,ou=Accounts
  ldap user suffix = ou=Users,ou=Accounts
  ldap group suffix = ou=Groups

In this case getfacl reports the correct group and winbindd_idmap.tdb
appears to never change.
Still I need the idmap lines to be able to add ACLs.

Regards,
Thierry.
> >
> > workgroup = STARS
> > netbios name = CAPELLA
> > security = DOMAIN
> > name resolve order = wins bcast
> > wins server = castor
> > netbios aliases = AHOMES APROFILES
> > password server = ALDAP1 ALDAP2
> >
> > log level = 2
> >
> > idmap gid = 10000-20000
> > idmap uid = 10000-20000
> >
> > [homes]
> >   comment = Home Directories
> >   valid users = %S
> >   read only = No
> >   browseable = No
> >
> > [Profiles]
> >   comment = Roaming Profile Share
> >   path = /export/profiles
> >   read only = No
> >   profile acls = Yes
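An added example, not from this thread or from Samba itself: a small Python check that parses getfacl output and flags ACL entries whose uid/gid is a bare number inside the posted idmap range (10000-20000). With winbind absent from nsswitch.conf, such entries are exactly the ones winbindd_idmap.tdb allocated instead of nss_ldap resolving a name, which is the symptom described above. The getfacl text and the names in it are constructed sample data.

```python
import re

# Constructed getfacl output for a file created from an XP client (sample data,
# not taken from the thread). Numeric qualifiers are what winbind's idmap hands
# out with "idmap uid/gid = 10000-20000" when NSS cannot resolve them to a name.
SAMPLE_GETFACL = """\
# file: home/thierry/report.doc
# owner: thierry
# group: domusers
user::rw-
user:10003:rw-
group::r--
group:10000:r--
group:finance:rw-\t#effective:r--
mask::r--
other::---
"""

# Range taken from the smb.conf posted above.
IDMAP_RANGE = (10000, 20000)


def parse_getfacl(text):
    """Return (tag, qualifier, perms) for named user/group entries only.

    Owner, owning-group, mask and other entries have an empty qualifier and
    are skipped; a trailing "#effective:..." annotation is dropped.
    """
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        tag, qualifier, rest = line.split(":", 2)
        perms = rest.split()[0]  # strip "\t#effective:r--" if present
        if tag in ("user", "group") and qualifier:
            entries.append((tag, qualifier, perms))
    return entries


def idmap_allocated(entries, idmap_range=IDMAP_RANGE):
    """Entries whose qualifier is a bare number inside the idmap range.

    These principals were mapped by winbindd_idmap.tdb rather than resolved
    through nss_ldap, so the ACL will not match the LDAP group/user.
    """
    lo, hi = idmap_range
    return [(tag, int(q)) for tag, q, _ in entries
            if re.fullmatch(r"\d+", q) and lo <= int(q) <= hi]
```

Run it against `getfacl <file>` output from a home directory; an empty result means every named ACL entry resolved to an LDAP name.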
