[Samba] ACLs and winbind
Angela Gavazzi
edv at goetheanum.ch
Thu Aug 9 13:58:40 GMT 2007
On Thursday 09 August 2007 13:28:49 Thierry Lacoste wrote:
>
> Thanks Henrik.
> Can someone explain why or point me to some doc?
> What I read everywhere is that winbind is used to identify users of a
> windows domain at the NSS level (mapping them locally with
> winbindd_idmap.tdb or globally with ldap) while my users are correctly
> identified by nss_ldap.
>
> What puzzles me is that I didn't touch my /etc/nsswitch.conf which reads:
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
>
> Is this a common setting to use winbind for samba and not for NSS?

My working nsswitch.conf looks like this:
passwd: files winbind ldap
group: files winbind ldap
shadow: files winbind ldap

Bye, Angela

>
> Also I realized that my smb.conf was not entirely functional.
> When I create a file with XP the domain part of the initial ACLs
> is the NetBIOS name of the server and not my domain name.
> Moreover when I pick a domain group (which truly appears as
> a domain group) to add it in the ACLs of the file it is mapped
> to gid 10000 through entries in winbindd_idmap.tdb.
>
> Adding the following lines to my smb.conf solved the problem.
> passdb backend = ldapsam:ldap://aldap1.stars.net
> ldap ssl = start_tls
> ldap suffix = o=stars
> ldap admin dn = cn=sambamgr,ou=Managers,o=stars
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap user suffix = ou=Users,ou=Accounts
> ldap group suffix = ou=Groups
>
> In this case getfacl reports the correct group and winbindd_idmap.tdb
> appears to never change.
> Still I need the idmap lines to be able to add ACLs.
>
> Regards,
> Thierry.
>
> > > workgroup = STARS
> > > netbios name = CAPELLA
> > > security = DOMAIN
> > > name resolve order = wins bcast
> > > wins server = castor
> > > netbios aliases = AHOMES APROFILES
> > > password server = ALDAP1 ALDAP2
> > >
> > > log level = 2
> > >
> > > idmap gid = 10000-20000
> > > idmap uid = 10000-20000
> > >
> > > [homes]
> > > comment = Home Directories
> > > valid users = %S
> > > read only = No
> > > browseable = No
> > >
> > > [Profiles]
> > > comment = Roaming Profile Share
> > > path = /export/profiles
> > > read only = No
> > > profile acls = Yes