[Samba] getting error with setfacl

Bruce Richardson itsbruce at workshy.org
Wed Nov 3 19:31:44 MDT 2010

On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
> Well it does if you're using winbindd to map DOMAIN\\groupname
> to a group on the box :-).
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Thank you Jeremy. What is the best way to do that?

The key tool is nsswitch.  Winbind may or may not be necessary,
depending on your precise setup.  It's the nsswitch libraries and
configuration file which tell Linux where to fetch user and group

If your domain stores its user list in the tdb files on your PDC, then
your only option is to use winbind (and the nss_winbind library) to
provide user and group information to nsswitch.  However, if you are
using an LDAP directory as the data backend for your domain, you could
use nss_ldap instead, and pull the information straight from LDAP.
That's what I do, for several reasons, of which the best two are:

 1.  It allows me to have a consistent nsswitch configuration across all
servers, whether or not they are running Samba, and have domain users
able to access services consistently.

 2.  It simplifies the Samba configuration on servers which are domain

You have this choice both if your domain controllers are LDAP-backed
Samba ones (as mine are), or Windows Active Directory servers - all you
have to do is make sure your AD servers have the extension to their
schema to support POSIX user/group information.

Given the choice, I would always go for the direct LDAP route, with
users and groups that have intrinsic, permanent UIDs and GIDs; it's less
fragile.  I'll happily create those users and groups via Samba/Winbind
on the PDC (love the whole "idmap alloc" and ldapsam:editposix
combination), but once they're in the LDAP directory, they're permanent,
and available to anything that speaks LDAP.


I must admit that the existence of Disneyland (which I know is real)
proves that we are not living in Judea in AD 50. -- Philip K. Dick
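
The nsswitch lookup path described in the message above, as an added example that is not part of the original post: the script lists the sources configured for the passwd and group databases, reports whether winbind or ldap is among them, and provides a getent check for a group name. The sample nsswitch.conf and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an nsswitch.conf.

# nss_sources FILE DATABASE: print the sources listed for DATABASE, one per
# line, ignoring comments and [STATUS=action] items.
nss_sources() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1
                if (!skip) print $i
                if ($i ~ /\]$/) skip = 0
            }
        }' "$1"
}

# directory_backed FILE DATABASE: succeed if winbind or ldap (the two
# sources discussed in the post) is listed for DATABASE.
directory_backed() {
    nss_sources "$1" "$2" | grep -qxE 'winbind|ldap'
}

# group_resolves NAME: succeed if the live NSS configuration resolves NAME.
# setfacl looks group names up through NSS too, so check before using g:NAME.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Constructed sample configuration.
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd: files ldap
group:  files [NOTFOUND=continue] winbind   # domain groups via winbind
hosts:  files dns
EOF
}

conf=$(mktemp)
sample_nsswitch > "$conf"
for db in passwd group; do
    if directory_backed "$conf" "$db"; then
        echo "$db: $(nss_sources "$conf" "$db" | tr '\n' ' ')(directory-backed)"
    else
        echo "$db: no winbind or ldap source; domain names will not resolve"
    fi
done
rm -f "$conf"
```

On a real server, pass /etc/nsswitch.conf instead of the sample file and call group_resolves with the domain group named in the ACL entry.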
