[Samba] ACLs and winbind
Thierry Lacoste
lacoste at miage.univ-paris12.fr
Fri Aug 10 20:38:04 GMT 2007
On Thursday 09 August 2007 15:58, Angela Gavazzi wrote:
> My working nsswitch.conf looks like this:
>
> passwd: files winbind ldap
> group: files winbind ldap
> shadow: files winbind ldap
>
> By, Angela

Can nss_winbind be used against a Samba domain? AFAICS it is only used to
identify users/groups of Windows domains. Please correct me if I'm wrong.

I found three options to allow Windows users to manage ACLs in their homes
on a Samba server which is joined to a Samba domain and uses nss_ldap against
the DC's backend LDAP server.

option 1: basic smb.conf
- winbind needed to add ACLs
- "winbind trusted domains only = yes" needed so that the domain appears
  in the original ACLs (and not the NetBIOS name of the server) and
  winbindd_idmap.tdb maps domain users/groups to their LDAP uids/gids

option 2: smb.conf with LDAP idmap backend
Same requirements. Note that as above I need to define ranges for
idmap uid and gid although winbindd_idmap.tdb never changes.

option 3: smb.conf with LDAP passdb backend
- winbind needed (but netlogon proxy only mode is OK), otherwise
  ACLs can be added but when displayed users/groups are not resolved

Are there other options? What is the best in terms of performance?

While I can imagine why winbind is needed for option 1, I don't see
- why it can't be used in netlogon proxy only mode for option 2 and
- why it is needed at all for option 3.

Regards,
Thierry.