[Samba] security = user, LDAP, and adding users to ACLs
Shammah Chancellor
shammah at dri.edu
Fri Dec 7 20:30:24 GMT 2007
Nelson,
Thanks, I will try that and see how it works. Though, this isn't really
possible for me to do on ALL my samba servers, as I can't have them all
running in PDC mode and I don't really want everyone to have to be
logged into a domain.
Is there a description of how to setup winbind somewhere that obviates
this problem? I mean, windows has a concept of "Local Users" for a
machine when you are logged into another PC's shares in a
workgroup-style setup. There must be some way to handle this.
The Unix Users on an ACL show up as "Unix User\username" instead of
"MACHINE\username" as they would under a windows share...
Thanks again,
Shammah Chancellor
Nelson Vale wrote:
> If your Samba is running as a PDC, and you are logged into the samba domain, you
> are able to list the LDAP users in the shares or files security tab, and you
> don't need winbind. All you need is nsswitch.conf configured with:
>
> # /etc/nsswitch.conf
> #
>
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
>
> Plus ldap.conf like:
>
> bindpw xxxxxxxx
> binddn xxxxxxxxxxx
> uri ldap://xxx.xxx.xxx.xxx
> base dc=local,dc=loc
> rootbinddn xxxxxxxxxxxxxxxxxxxxx
> host 127.0.0.1
> ldap_version 3
> scope one
> ssl no
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password md5
> nss_base_passwd dc=local,dc=loc?sub
> nss_base_shadow dc=local,dc=loc?sub
> nss_base_group ou=Groups,dc=local,dc=loc?one
>
>
>
> In smb.conf you need to put something like:
>
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap suffix = dc=local,dc=loc
> ldap admin dn = cn=xxxxxxxxxxxxxxxxxxxxxx
> ldap idmap suffix = ou=Idmap
>
>
> Your LDAP must also have the default samba Domain Groups.
>
>
> On Thursday 06 December 2007 20:29, Shammah Chancellor wrote:
>
>> Hi,
>>
>> Problem:
>>
>> I seem to be unable to add users to ACLs from windows due to a "Name Not
>> Found" error when looking up a username. According to what I have been
>> able to find, you cannot browse users on a samba server from windows
>> without winbind and "security = domain/ads". However, winbind does not
>> have any place in my environment aside from remedying this problem. Is
>> there some alternative to enable this feature, or method of setting up
>> winbind that is innocuous in my environment while maintaining "security
>> = user"?
>>
>> Background on the Environment:
>>
>> I am running Samba 3.0.25c on Solaris 10u4 with "security = user". I
>> am using the vfs object "zfsacl" to enable ACL support on my zfs
>> filesystem. We use LDAP as a password backend, which also stores
>> sambaSIDs for every user. SIDs and unix UIDs are synchronized across
>> all the samba servers because they all use the same LDAP backend.
>>
>> Thanks in advance!
>>
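A quick way to check the three pieces Nelson lists (nsswitch.conf, ldap.conf, the ldap suffixes in smb.conf) and the symptom Shammah describes (users showing up as "Unix User\username", which Samba uses for a uid it has no sambaSID for). This is an added example, not code from either poster or from the Samba project; the sample files it writes are constructed here, the `passdb backend = ldapsam` line is assumed because Nelson's excerpt does not show it, and the warnings about `ssl no` and a cleartext `bindpw` reflect the fact that nss_ldap's ldap.conf has to be readable by every process, so a password in it is readable by every local user:

```shell
#!/bin/sh
# Added example (not part of the thread). All functions take file paths, so the
# same checks run against constructed samples here or against /etc/nsswitch.conf,
# /etc/ldap.conf, smb.conf and an LDIF export (ldapsearch -LLL) on a real host.

# 1. nsswitch.conf: passwd and group must both consult the ldap source.
nss_has_ldap() {  # $1 = nsswitch.conf; exit 0 if both lines list ldap
    awk '/^[ \t]*passwd:/ && /ldap/ { p = 1 }
         /^[ \t]*group:/  && /ldap/ { g = 1 }
         END { exit !(p && g) }' "$1"
}

# 2. smb.conf: security = user is kept; the LDAP passdb and suffix are added.
smb_ldap_ready() {  # $1 = smb.conf
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*user' "$1" &&
    grep -Eiq '^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam' "$1" &&
    grep -Eiq '^[[:space:]]*ldap suffix[[:space:]]*=' "$1"
}

# 3. ldap.conf: flag the weak settings in the posted sample (ssl no, bindpw).
ldap_conf_warnings() {  # $1 = ldap.conf; prints one warning per line
    if grep -Eiq '^[[:space:]]*ssl[[:space:]]+no' "$1" &&
       ! grep -Eiq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1"; then
        echo "WARN: ssl no and no ldaps:// uri: NSS binds cross the wire in cleartext"
    fi
    if grep -Eiq '^[[:space:]]*bindpw' "$1"; then
        echo "WARN: bindpw in $1: readable by every local user; use rootbinddn + a 0600 secret file"
    fi
}

# 4. LDIF: posixAccount entries with no sambaSID are the ones Windows will
#    render as "Unix User\name" (Samba synthesises an S-1-22-1-<uid> SID).
ldif_users_without_sid() {  # $1 = LDIF export of the user suffix; prints uids
    awk 'BEGIN { RS = ""; FS = "\n" }
         /objectClass: posixAccount/ && !/sambaSID:/ {
             for (i = 1; i <= NF; i++) if ($i ~ /^uid: /) print substr($i, 6)
         }' "$1"
}

# Constructed sample files (not from any real host) written into directory $1.
write_samples() {
dir=$1
cat > "$dir/nsswitch.conf" <<'EOF'
passwd: files ldap
group: files ldap
shadow: files ldap
EOF
cat > "$dir/ldap.conf" <<'EOF'
uri ldap://192.0.2.10
base dc=local,dc=loc
binddn cn=nss,dc=local,dc=loc
bindpw hunter2
ssl no
EOF
cat > "$dir/smb.conf" <<'EOF'
[global]
  security = user
  passdb backend = ldapsam:ldap://192.0.2.10
  ldap suffix = dc=local,dc=loc
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
EOF
cat > "$dir/people.ldif" <<'EOF'
dn: uid=alice,ou=People,dc=local,dc=loc
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-1111-2222-3333-3002

dn: uid=bob,ou=People,dc=local,dc=loc
objectClass: posixAccount
uid: bob
uidNumber: 1002
EOF
}

run_checks() {  # $1 = directory holding the four files
    nss_has_ldap "$1/nsswitch.conf" && echo "nsswitch.conf: ok" || echo "nsswitch.conf: passwd/group do not consult ldap"
    smb_ldap_ready "$1/smb.conf" && echo "smb.conf: ok" || echo "smb.conf: need security=user, ldapsam passdb, ldap suffix"
    ldap_conf_warnings "$1/ldap.conf"
    ldif_users_without_sid "$1/people.ldif" | sed 's/^/no sambaSID, will show as Unix User: /'
}

tmp=$(mktemp -d)
write_samples "$tmp"
run_checks "$tmp"
rm -rf "$tmp"
```

On the constructed sample this reports nsswitch.conf and smb.conf as ok, two warnings for ldap.conf, and bob as the user with no sambaSID; point the functions at the live files (and at `ldapsearch -LLL -b ou=People,dc=local,dc=loc objectClass=posixAccount`) to run the same checks on a server.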