[Samba] Re: security = user, LDAP, and adding users to ACLs

Stephane Russell stephane.russell at prodigeinfo.com
Wed Dec 12 03:20:25 GMT 2007

Except for the ldap.conf file, my machine was well configured. But I
learned that nsswitch is not yet fully implemented in DragonFly BSD, the
OS I use. So I guess this is why it won't work. Fortunately, Samba works
great as a simple print/file manager, but it's not fully functional
here as a domain server.

Thanks for the answer.


Nelson Vale wrote:
> If your Samba is running as a PDC, and you are logged in the samba domain, you 
> are able to list the LDAP users in the shares or files security tab, and you 
> don't need winbind. All you need is nsswitch.conf configured with:
> # /etc/nsswitch.conf 
> # 
> passwd:         files   ldap 
> group:          files   ldap 
> shadow:         files   ldap
> Plus ldap.conf like:
> bindpw xxxxxxxx
> binddn xxxxxxxxxxx
> uri ldap://xxx.xxx.xxx.xxx
> base dc=local,dc=loc 
> rootbinddn xxxxxxxxxxxxxxxxxxxxx
> host 
> ldap_version 3 
> scope one 
> ssl no 
> pam_login_attribute uid 
> pam_member_attribute gid 
> pam_password md5 
> nss_base_passwd dc=local,dc=loc?sub 
> nss_base_shadow dc=local,dc=loc?sub 
> nss_base_group ou=Groups,dc=local,dc=loc?one
> In smb.conf you need to put something like:
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers 
> ldap group suffix = ou=Groups
> ldap suffix = dc=local,dc=loc
> ldap admin dn = cn=xxxxxxxxxxxxxxxxxxxxxx 
> ldap idmap suffix = ou=Idmap
> Your LDAP must also have the default samba Domain Groups.
> On Thursday 06 December 2007 20:29, Shammah Chancellor wrote:
>> Hi,
>> Problem:
>> I seem to be able to add users to ACLs from windows due to an "Name Not
>> Found" error when looking up a username.  According to what I have been
>> able to find, you cannot browse users on a samba server from windows
>> without winbind and "security = domain/ads".   However, winbind does not
>> have any place in my environment aside from remedying this problem.   Is
>> there some alternative to enable this feature, or method of setting up
>> winbind that is innocuous in my environment while maintaining "security
>> = user"?
>> Background on the Environment:
>> I am running Samba 3.0.25c on Solaris 10u4 with "security = user".    I
>> am using the vfs object "zfsacl" to enable ACL support on my zfs
>> filesystem.  We use LDAP as a password backend, which also stores
>> sambaSIDs for every user.  SIDs and unix UIDs are synchronized across
>> all the samba servers because they all use the same LDAP backend.
>> Thanks in advance!
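As an added illustration (not from the thread or from Samba itself), a small Python checker that parses constructed nsswitch.conf, ldap.conf and smb.conf fragments modelled on the ones quoted above and flags the mismatches behind a "Name Not Found" lookup: a database that never consults ldap, an ldap.conf base that differs from Samba's ldap suffix, and an nss_base_* search that does not cover where Samba stores its users or groups. It assumes nss_ldap semantics, in particular that an nss_base_* entry without "?scope" falls back to the global scope.

```python
import re

# Constructed sample files, modelled on the ones quoted in the thread
# (shadow deliberately omits ldap so the checker has something to report).
NSSWITCH = "passwd:  files ldap\ngroup:   files ldap\nshadow:  files\n"
LDAP_CONF = """base dc=local,dc=loc
scope one
nss_base_passwd dc=local,dc=loc?sub
nss_base_group ou=Groups,dc=local,dc=loc?one
"""
SMB_CONF = """[global]
ldap suffix = dc=local,dc=loc
ldap user suffix = ou=People
ldap group suffix = ou=Groups
"""

def norm(dn):  # canonical DN for comparison: lower-case, no blanks around commas
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_nsswitch(text):  # "passwd: files ldap" -> {"passwd": ["files", "ldap"]}
    rows = (l.split("#", 1)[0].split(":", 1) for l in text.splitlines())
    return {r[0].strip(): r[1].split() for r in rows if len(r) == 2}

def parse_ldap_conf(text):  # "key value" lines, '#' starts a comment
    pairs = (l.split("#", 1)[0].split(None, 1) for l in text.splitlines())
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def parse_smb_conf(text):  # "key = value" lines; [section] headers are ignored
    pairs = (re.match(r"\s*([^=;#\[]+?)\s*=\s*(.*?)\s*$", l) for l in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in pairs if m}

def check(nss_text, ldap_text, smb_text):
    """Return a list of findings; an empty list means the three files agree."""
    nss, ldap, smb = parse_nsswitch(nss_text), parse_ldap_conf(ldap_text), parse_smb_conf(smb_text)
    findings = [f"nsswitch: {db} does not consult ldap"
                for db in ("passwd", "group", "shadow") if "ldap" not in nss.get(db, [])]
    base, suffix = norm(ldap.get("base", "")), norm(smb.get("ldap suffix", ""))
    if base != suffix:
        findings.append(f"ldap.conf base {base} != smb.conf ldap suffix {suffix}")
    # Samba stores accounts under "<map suffix>,<ldap suffix>"; nss_ldap must search there.
    # Assumption: a nss_base_* entry without "?scope" falls back to the global scope.
    for db, key in (("passwd", "ldap user suffix"), ("group", "ldap group suffix")):
        samba_dn = norm(smb.get(key, "") + "," + suffix)
        spec = ldap.get(f"nss_base_{db}", base).split("?")
        nss_dn = norm(spec[0])
        scope = spec[1] if len(spec) > 1 and spec[1] else ldap.get("scope", "sub")
        same = samba_dn == nss_dn
        ok = same if scope == "one" else scope == "sub" and (same or samba_dn.endswith("," + nss_dn))
        if not ok:
            findings.append(f"nss_base_{db} {nss_dn}?{scope} does not cover Samba's {samba_dn}")
    return findings
```

Run `check(NSSWITCH, LDAP_CONF, SMB_CONF)` against copies of the real files to see which of the three places Samba's user lookup can break is misconfigured.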
