[Samba] getting error with setfacl

James D. Parra jamesp at musicreports.com
Thu Nov 4 05:53:05 MDT 2010


----- Original Message -----
From: "Bruce Richardson" <itsbruce at workshy.org>
To: samba at lists.samba.org
Sent: Wednesday, November 3, 2010 6:31:44 PM GMT -08:00 US/Canada Pacific
Subject: Re: [Samba] getting error with setfacl

On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
> Well it does if you're using winbindd to map DOMAIN\\groupname
> to a group on the box :-).
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Thank you Jeremy. What is the best way to do that?

The key tool is nsswitch.  Winbind may or may not be necessary,
depending on your precise set up.  It's the nsswitch libraries and
configuration file which tell Linux where to fetch user and group
information.

If your domain stores its user list in the tdb files on your PDC, then
your only option is to use winbind (and the nss_winbind library) to
provide user and group information to nsswitch.  However, if you are
using an LDAP directory as the data backend for your domain, you could
use nss_ldap instead, and pull the information straight from LDAP.
That's what I do, for several reasons, of which the best two are:

 1.  It allows me to have a consistent nsswitch configuration across all
servers, whether or not they are running Samba, and have domain users
able to access services consistently.

 2.  It simplifies the Samba configuration on servers which are domain
members.

You have this choice both if your domain controllers are LDAP-backed
Samba ones (as mine are), or Windows Active Directory servers - all you
have to do is make sure your AD servers have the extension to their
schema to support POSIX user/group information.

Given the choice, I would always go for the direct LDAP route, with
users and groups that have intrinsic, permanent UIDs and GIDs; it's less
fragile.  I'll happily create those users and groups via Samba/Winbind
on the PDC (love the whole "idmap alloc" and ldapsam:editposix
combination), but once they're in the LDAP directory, they're permanent,
and available to anything that speaks LDAP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you Bruce. I am using LDAP on the Samba server joined to an AD domain. Could you point me to a URL for instructions on setting up nss_ldap to use the groups on the AD?

Many thanks,

James
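Bruce's explanation above comes down to one rule: setfacl can only accept a DOMAIN\groupname once nsswitch is able to turn that name into a GID, which means the group database must list a directory source (nss_ldap or nss_winbind). The script below is an added example and not code from this thread or from Samba; it assumes a POSIX sh with awk and getent, and the nsswitch.conf text it inspects is constructed to model the nss_ldap setup Bruce describes. It reads the sources configured for a database, refuses to proceed when no ldap/winbind source is present, and keeps the live getent lookup in a separate function for use on a real member server.

```shell
#!/bin/sh
# Added example, not code from the thread: a preflight check that nsswitch
# lists a directory backend (ldap or winbind) for the group database before
# a DOMAIN\groupname is handed to setfacl. Assumes POSIX sh, awk and getent.

# Constructed sample of /etc/nsswitch.conf on an nss_ldap member server
# (assumption, modelled on the setup Bruce describes).
SAMPLE_NSSWITCH='passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns'

# nss_sources DB CONF: print the sources configured for database DB
# (e.g. "files ldap"), or nothing if DB is not listed.
nss_sources() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# has_directory_backend DB CONF: succeed if ldap or winbind is among the
# sources for DB; without one, DOMAIN\groupname can never resolve to a GID.
has_directory_backend() {
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            ldap|winbind) return 0 ;;
        esac
    done
    return 1
}

# acl_group_preflight GROUP CONF: print a diagnosis and succeed only when the
# static configuration is able to resolve GROUP at all.
acl_group_preflight() {
    if ! has_directory_backend group "$2"; then
        echo "nsswitch group sources '$(nss_sources group "$2")' include no ldap/winbind; setfacl -m g:$1:... will fail"
        return 1
    fi
    echo "nsswitch group sources: $(nss_sources group "$2")"
}

# live_group_check GROUP: on a real server, confirm the name resolves to a GID
# before passing it to setfacl (getent walks the same nsswitch sources).
live_group_check() {
    getent group "$1" >/dev/null 2>&1 || { echo "group '$1' does not resolve via nsswitch"; return 1; }
    echo "group '$1' resolves to GID $(getent group "$1" | cut -d: -f3)"
}

# Usage on a member server (not run here): only after both checks pass,
#   live_group_check 'DOMAIN\groupname' && setfacl -m 'g:DOMAIN\groupname:rwx' /srv/share
acl_group_preflight 'DOMAIN\groupname' "$SAMPLE_NSSWITCH"
```

The static check is deliberately separate from the getent lookup: the former tells you whether the configuration can ever work, the latter whether the directory is actually answering, and a setfacl failure on a domain group is almost always one of those two.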

