[Samba] Winbindd on a pdc??

[Frank Van Damme]

Hello,

I'm learning Samba with the aid of the excellent "Samba by example".
I've used Samba for years in my home network, but only to share home
directories and few extra shares with tdbsam with manually entered
passwords.

Having worked myself through domain control, member servers and the
working of pam, nsswitch and LDAP (and posix accounts in LDAP!) I
reached the point (in chapter 5, "making happy users") where I'm
trying to configure my Samba PDC to use the LDAP backend for
user/computer accounts, groups, idmap settings etc.

I understand most of the things explained in the chapter except for
this: step 21 on page  196. I quote:

" The next step might seem a little odd at this point, but take note
that you are about to start winbindd, which must be able to
authenticate to the PDC via the localhost interface with the smbd
process. This account can be easily created by joining the PDC to the
domain by executing the following command:

root#  net rpc join -S MASSIVE -U root%not24get
"

I'm not sure I understand this part and  could be helped if someone
did a sanity check on my reasoning below. As far as I understood,
there are two ways to resolve a windows sid to a Unix uid:

1. if your users are in a Windowsy database, like Active Directory, or
if we're speaking about Samba member servers, your unix users do not
exist in the local passwd database. In these cases, you can use
winbind to authenticate users and to get (via nsswitch?) a unix user
id that matches your windows user (and it saves those mapping in the
passdb for reuse).

2. You use LDAP, and (I expected it to function like this) Samba
authenticates the incoming connections to LDAP (it searches for a
"sambaSamAccount" object with the correct "cn"). It knows what the
unix uid is, because the very same object is also a posixAccount and
shadowAccount with a "uidNumber" - so there we are, samba nor nsswitch
need winbind, since all the information is in LDAP. Earlier on in the
chapter, nsswitch.conf is configured to look up passwd, shadow and
group information through LDAP (see 5.4.2, PAM and NSS Client
Configuration).

But then again, I first fiddled with LDAP to put my unix id's in the
database. So, what I believe is that in the example, unix user id's
are still generated "old style" in the same way as with eg tdbsam, so
user connects, samba looks up the user in LDAP, authenticates him,
then uses winbindd to resolve the Unix uid of that Windows user. It
will first look in the idmap ou of our LDAP directory if there's
allready a mapping for that user, else create one, then return the uid
value.

So, come to think of it, nsswitch is probably configured to use files
and ldap so winbindd can do a proper, reliable job of choosing the
right uid to chain to the windows sid. Or does winbindd not use
nsswitch? I can imagine so because it would probably create a nice
infinite loop if you're also trying to use winbind to let your users
which are, let's say, in Active Directory or on an NT server, log in
to the Unix machine.

How many mistakes did I make? :-)


-- 
Frank Van Damme

A: Because it destroys the flow of the conversation
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mails or on usenet?