[Samba] Retry: Mapping AD domain users to UNIX users

[Bardo Wolf]

perhaps it is not a good idea to use the same names for a Unix User and
the AD User.

If for example you have unix-user xyz with uid=7738

and an AD-User xyz so the AD-USer xyz gets via winbind perhaps uid=199300

What answer should
id xyz

give?

Bardo

Nigel.Pain at scotland.gsi.gov.uk schrieb:
> I posted this last week but haven't heard anything. I'm not sure if this
> is because nobody knows the answer (can't believe that!) or I'm missing
> something obvious in the documentation and people are thinking "Read The
> Fine Manual". Whatever the reason, if anyone has any insights into this
> problem I'd be very grateful for their comments.
> 
> We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
> Solaris 9 as a member server, using "security = DOMAIN" in an Active
> Directory 2003 domain. The server is primarily an application server,
> running SAS software, but we have a share to Windows to enable users to
> save programs and data from their Windows XP workstations. Historically
> we've been using PC Netlink, Sun's version of Lanman, but this isn't
> compatible with AD 2003 so we need to move to Samba.
> 
> We're struggling to establish a mapping between domain user accounts and
> UNIX user accounts that are similarly named (the same naming convention
> is used for both). My understanding of Samba, albeit sketchy, was that
> it could automatically make a mapping between local and domain accounts
> of the same name. However, this doesn't appear to be happening. If I set
> a file's permissions for a specified user in Solaris it appears in the
> file's security within Windows, but the user is listed as a Unix User
> along the lines of:
> 
> u123456 (Unix User\u123456)
> 
> I was expecting that there should be an implicit mapping between u123456
> in Solaris and domain\u123456 but maybe I've got the wrong end of the
> stick. We need to maintain the local users so that we can control who
> has access to the server software, and we maintain password aging both
> on the server and the domain so maintaining a separate password database
> for Samba would be a complication. an Extract from nsswitch.conf and
> (edited) smb.conf and included below.
> 
> As you will see from nsswitch.conf, we are using winbind. wbinfo will
> resolve any domain information and getent passwd will return domain user
> accounts.
> 
> Many thanks in advance.
> 
> nsswitch.conf:
> 
> passwd:     files winbind
> group:      files winbind
> 
> hosts:      files dns winbind
> 
> smb.conf:
> 
> [global]
> 	workgroup = our-domain-name
> 	netbios aliases = mc18unxa
> # dual nics: the netmask is correct for our network
> 	interfaces = xx.xx.xxx.xx/255.255.240.0,
> yy.yy.yyy.yy/255.255.240.0
> 	security = DOMAIN
> 	null passwords = Yes
> 	password server = *
> 	passdb backend = tdbsam
> 	lanman auth = No
> 	client NTLMv2 auth = Yes
> 	client lanman auth = No
> 	client plaintext auth = No
> 	log level = 1
> 	log file = /var/samba/log/log.%m
> 	max log size = 50000
> 	load printers = No
> 	dns proxy = No
> 	ldap ssl = no
> 	idmap uid = 10000-100000000
> 	idmap gid = 10000-100000000
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind use default domain = Yes
> 	create mask = 0644
> 	directory mask = 0775
> 	hosts deny = none
> 	case sensitive = No
> 	preserve case = No
>       domain master = no
>       local master = no
>       preferred master = no
>       os level = 0
> 
> [dosptn]
> 	path = /dosptn
> 	read only = No
> 	inherit permissions = Yes
> 	guest ok = Yes
> 
> 
> ----------------------------------------
> Nigel Pain
> The Scottish Government
> Corporate Systems Support
> Information Systems and Information Services (ISIS)
> Victoria Quay 
> EDINBURGH 
> EH6 6QQ 
> UK
> 
> 
> 
> 
> ********************************************************
> 
> This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s).  Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted.  If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return.
> 
>  
> 
> Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes.  The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.
> 
> ********************************************************
> 
> 
> The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free.
> Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.