[Samba] ACLs and winbind

Thierry Lacoste lacoste at miage.univ-paris12.fr
Fri Aug 10 20:38:04 GMT 2007


On Thursday 09 August 2007 15:58, Angela Gavazzi wrote:
> My working nsswitch.conf looks like this:
>
> passwd:         files winbind ldap
> group:          files winbind ldap
> shadow:         files winbind ldap
>
> Bye, Angela

Can nss_winbind be used against a Samba domain? AFAICS it is only used to
identify users/groups of Windows domains. Please correct me if I'm wrong.

I found three options to allow Windows users to manage ACLs in their homes
on a Samba server which is joined to a Samba domain and uses nss_ldap against
the DC's backend LDAP server.

option 1: basic smb.conf
- winbind needed to add ACLs
- "winbind trusted domains only = yes" needed so that the domain appears
in the original ACLs (and not the NetBIOS name of the server) and
winbindd_idmap.tdb maps domain users/groups to their LDAP uids/gids

option 2: smb.conf with LDAP idmap backend
Same requirements. Note that, as above, I need to define ranges for
idmap uid and gid although winbindd_idmap.tdb never changes.

option 3: smb.conf with LDAP passdb backend
- winbind needed (but netlogon proxy only mode is OK) otherwise
ACLs can be added but when displayed users/groups are not resolved

Are there other options? What is the best in terms of performance?

While I can imagine why winbind is needed for option 1 I don't see
- why it can't be used in netlogon proxy only mode for option 2 and
- why it is needed at all for option 3.

Regards,
Thierry.


