[Samba] security = user, LDAP, and adding users to ACLs

Shammah Chancellor shammah at dri.edu
Fri Dec 7 20:30:24 GMT 2007


Nelson,

Thanks, I will try that and see how it works.  Though, this isn't really
possible for me to do on ALL my samba servers, as I can't have them all
running in PDC mode and I don't really want everyone to have to be
logged into a domain.

Is there a description of how to set up winbind somewhere that obviates
this problem?  I mean, Windows has a concept of "Local Users" for a
machine when you are logged into another PC's shares in a
workgroup-style setup.  There must be some way to handle this.

The Unix Users on an ACL show up as "Unix User\username" instead of
"MACHINE\username" as they would under a Windows share.

Thanks again,
Shammah Chancellor

Nelson Vale wrote:
> If your Samba is running as a PDC, and you are logged in the samba domain, you 
> are able to list the LDAP users in the shares or files security tab, and you 
> don't need winbind. All you need is nsswitch.conf configured with:
>
> # /etc/nsswitch.conf 
> # 
>  
> passwd:         files   ldap 
> group:          files   ldap 
> shadow:         files   ldap
>
>
> Plus ldap.conf like:
>
> bindpw xxxxxxxx
> binddn xxxxxxxxxxx
> uri ldap://xxx.xxx.xxx.xxx
> base dc=local,dc=loc 
> rootbinddn xxxxxxxxxxxxxxxxxxxxx
> host 127.0.0.1 
> ldap_version 3 
> scope one 
> ssl no 
> pam_login_attribute uid 
> pam_member_attribute gid 
> pam_password md5 
> nss_base_passwd dc=local,dc=loc?sub 
> nss_base_shadow dc=local,dc=loc?sub 
> nss_base_group ou=Groups,dc=local,dc=loc?one
>
>
>
> In smb.conf you need to put something like:
>
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers 
> ldap group suffix = ou=Groups
> ldap suffix = dc=local,dc=loc
> ldap admin dn = cn=xxxxxxxxxxxxxxxxxxxxxx 
> ldap idmap suffix = ou=Idmap
>
>
> Your LDAP must also have the default samba Domain Groups.
>
>
> On Thursday 06 December 2007 20:29, Shammah Chancellor wrote:
>   
>> Hi,
>>
>> Problem:
>>
>> I seem to be able to add users to ACLs from windows due to a "Name Not
>> Found" error when looking up a username.  According to what I have been
>> able to find, you cannot browse users on a samba server from windows
>> without winbind and "security = domain/ads".   However, winbind does not
>> have any place in my environment aside from remedying this problem.   Is
>> there some alternative to enable this feature, or method of setting up
>> winbind that is innocuous in my environment while maintaining "security
>> = user"?
>>
>> Background on the Environment:
>>
>> I am running Samba 3.0.25c on Solaris 10u4 with "security = user".    I
>> am using the vfs object "zfsacl" to enable ACL support on my zfs
>> filesystem.  We use LDAP as a password backend, which also stores
>> sambaSIDs for every user.  SIDs and unix UIDs are synchronized across
>> all the samba servers because they all use the same LDAP backend.
>>
>> Thanks in advance!
>>     
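The three files Nelson lists (nsswitch.conf, ldap.conf and the ldap suffix lines in smb.conf) only work together when the DNs they name agree. The script below is an added example, not code from the thread or from the Samba project: it parses constructed copies of those files and reports the mismatches that typically leave users resolvable on the Unix side but invisible to Windows. It assumes the nss_ldap `base?scope` syntax for `nss_base_*` (falling back to `base` and the global `scope` when absent) and Samba's rule that `ldap user suffix` and `ldap group suffix` are relative to `ldap suffix`; the sample files are constructed to mirror the quoted settings with 127.0.0.1 as the LDAP host.

```python
"""Cross-check nsswitch.conf, ldap.conf and smb.conf for a Samba+LDAP setup.
Added example, not Samba code; the three sample files below are constructed."""
import re

# Constructed sample files mirroring the settings quoted in the thread.
NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         files   ldap
group:          files   ldap
shadow:         files   ldap
"""

LDAP_CONF = """\
uri ldap://127.0.0.1
base dc=local,dc=loc
ldap_version 3
scope one
ssl no
nss_base_passwd dc=local,dc=loc?sub
nss_base_shadow dc=local,dc=loc?sub
nss_base_group ou=Groups,dc=local,dc=loc?one
"""

SMB_CONF = """\
[global]
   security = user
   ldap suffix = dc=local,dc=loc
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
"""


def parse_nsswitch(text):
    """Map each database (passwd, group, ...) to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs


def parse_ldap_conf(text):
    """nss_ldap style 'key value' lines; a repeated key overrides the earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around its commas for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def nss_base(conf, key):
    """Split 'dc=local,dc=loc?sub' into (normalised base DN, scope).
    Missing entries fall back to 'base' and the global 'scope', as nss_ldap does."""
    base, _, scope = (conf.get(key) or conf.get("base", "")).partition("?")
    return norm_dn(base), (scope.split("?")[0] or conf.get("scope", "sub")).lower()


def samba_dn(smb_global, suffix_key):
    """Samba appends 'ldap suffix' to the relative 'ldap * suffix' values."""
    suffix = smb_global.get("ldap suffix", "")
    rel = smb_global.get(suffix_key, "")
    return norm_dn(f"{rel},{suffix}" if rel else suffix)


def dn_visible(entry_base, base, scope):
    """Does an nss_ldap search from base with scope reach entries under entry_base?"""
    if scope == "one":                      # one level: only direct children
        return entry_base == base
    return entry_base == base or entry_base.endswith("," + base)


def check_consistency(nss_text, ldap_text, smb_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    nss = parse_nsswitch(nss_text)
    ldap = parse_ldap_conf(ldap_text)
    smb = parse_smb_conf(smb_text).get("global", {})

    for db in ("passwd", "group", "shadow"):
        if "ldap" not in nss.get(db, []):
            problems.append(f"nsswitch.conf: '{db}' does not consult ldap")

    if "ldap suffix" not in smb:
        problems.append("smb.conf: 'ldap suffix' is not set")
        return problems

    for suffix_key, nss_key in (("ldap user suffix", "nss_base_passwd"),
                                ("ldap group suffix", "nss_base_group")):
        base, scope = nss_base(ldap, nss_key)
        entry_base = samba_dn(smb, suffix_key)
        if not dn_visible(entry_base, base, scope):
            problems.append(f"{nss_key} ({base}, scope {scope}) will not see "
                            f"Samba's {suffix_key} entries under {entry_base}")

    # 'ssl no' is harmless on loopback; to any other host the bind password
    # crosses the wire in cleartext unless the uri itself is ldaps://.
    uri = ldap.get("uri", "")
    host = re.sub(r"^ldaps?://", "", uri).split("/")[0].split(":")[0]
    if (ldap.get("ssl", "no") == "no" and not uri.startswith("ldaps://")
            and host not in ("127.0.0.1", "localhost")):
        problems.append("ldap.conf: 'ssl no' with a non-loopback uri sends bind "
                        "credentials in cleartext")
    return problems


if __name__ == "__main__":
    for p in check_consistency(NSSWITCH, LDAP_CONF, SMB_CONF) or ["no problems found"]:
        print(p)
```

Run it against the real files by reading them into the three string arguments; the group check is the one that most often bites, because `nss_base_group ...?one` only sees entries directly under that DN, so a Samba group suffix one level deeper resolves for Samba but not for the NSS lookups the security tab depends on.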
