[Samba] winbind / trust questions and issues

Eric A. Hall ehall at ntrg.com
Wed Dec 15 20:49:10 MST 2010

On 12/15/2010 4:19 PM, Eric A. Hall wrote:

> First issue is that I would like to filter out the local (LABS) users and
> groups in winbind if possible. I am using LDAP for Posix/Samba accounts,
> and adding winbind to nsswitch.conf results in PAM calling LDAP for users
> and groups then calling winbind which in turn goes back and searches LDAP
> all over again. This results in local users and groups appearing in both
> channels but having different characteristics based on the lookup path
> (different capitalization for group names, etc). The best fix I can see
> here is to prevent Winbind from querying for the local domain, but I can't
> find anything in the smb.conf to do this.

Here's an example of why this is bad: 'getent passwd ehall' points to the
same account as 'getent passwd LABS.ehall' with the same UID, but they
have different full names (Posix uses gecos attribute while Winbind uses
the displayName attribute), and they have different login paths (Posix
uses the homeDirectory attribute while Winbind uses the template value
from smb.conf). So basically there are two logins for every UID, with two
different home directories and display names. BAD BAD BAD how do I turn
this off??

> One big problem that has me stumped is that remote users do not seem to
> be inheriting the correct filesystem permissions from Samba.

This seems to have been fixed by a reboot. Dunno why, it's working now.

Eric A. Hall                                  http://www.eric-a-hall.com/
Network Technology Research Group                    http://www.ntrg.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
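
Added example, not part of the original message: a small audit script that finds UIDs reachable under more than one login name and reports which passwd fields differ between them, which is the condition described above for 'ehall' and 'LABS.ehall'. The sample entries (UIDs, names, paths) are constructed for illustration; only the two login name forms come from the message.

```python
import subprocess
import sys
from collections import defaultdict

# Constructed sample in passwd(5) format, standing in for `getent passwd` output
# on a host where the LDAP and winbind NSS modules both answer for one domain.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ehall:x:1001:1001:Eric Hall:/home/ehall:/bin/bash
LABS.ehall:*:1001:1001:Eric A. Hall:/home/LABS/ehall:/bin/bash
jdoe:x:1002:1001:Jane Doe:/home/jdoe:/bin/bash
LABS.jdoe:*:1002:1001:Jane Doe:/home/jdoe:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Parse passwd-format lines into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[2].isdigit():
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def uid_conflicts(entries, compare=("gecos", "home", "shell")):
    """Map each UID that has 2+ login names to those names and the fields that differ."""
    by_uid = defaultdict(list)
    for entry in entries:
        by_uid[int(entry["uid"])].append(entry)
    report = {}
    for uid, group in sorted(by_uid.items()):
        names = sorted({e["name"] for e in group})
        if len(names) < 2:
            continue  # one name per UID: nothing to report
        differs = [f for f in compare if len({e[f] for e in group}) > 1]
        report[uid] = {"names": names, "differs": differs}
    return report

if __name__ == "__main__":
    # --live reads the real NSS view; the default uses the constructed sample.
    live = "--live" in sys.argv
    text = (subprocess.run(["getent", "passwd"], capture_output=True,
                           text=True, check=True).stdout if live else SAMPLE)
    for uid, info in uid_conflicts(parse_passwd(text)).items():
        print(uid, ", ".join(info["names"]), "differs:", info["differs"] or "nothing")
```

With `--live`, winbind accounts only appear in the `getent passwd` listing if `winbind enum users = yes` is set in smb.conf. A UID whose names differ in `home` means file ownership is shared while the login environment is not.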
