[Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion

[John Drescher]

>  I have the following scenario:
>
>  1x Samba PDC with LDAP backend
>  1x Samba member server
>  1x Samba member server (Openfiler)
>
>  However, I'm confused about Idmapping. I want to use ACLs on the PDC and
>  both member servers.
>
>  Are my thoughts correct?
>
>  - Samba member server knows the unix users through LDAP (added in
>   nsswitch.conf)
>  - Authentication when accessing a member server share is performed by
>   the PDC
>  - ACLs won't work without a proper Idmapping backend setup (i want to
>   use LDAP for this) - how does Idmapping fit into here?
>
I have been struggling with this (on and off) for a very long time
(years). I believe there are far too many incomplete or inaccurate
guides on the net and also too many guides that are focused with ADS
security which to me is interesting. I went to samba because I wanted
to completely get rid of the headaches of having windows servers not
to make them an integral part of my network security...

However it appears that I have hit a break through recently. You most
certainly need a working idmap otherwise you will not be able to set
acls in windows (or perhaps a cifs client - not tested by me). In the
past I thought I needed to use the ldap backend for this but recently
I found that this is wrong. What you need is idmap_nss. Search for
that on the net and use the example that sets the idmap read only for
the SAMBA domain.

>  - Would it be possible to achieve my scenario with winbind?
>
On the PDC (with user security) it does not look like winbind is
necessary. On the other member servers with domain security,  it
appears to me that without winbind you will get SIDs in your
properties tab on windows for most domain accounts.

>  - Could I spare the LDAP configuration on the member servers then?
>
I still have the ldap configuration on all of my linux machines and
also all of the ones that run samba.

John