[Samba] Settings ACLS from Windows via member server

Mark Dieterich mkd at cs.brown.edu
Wed Feb 23 12:18:47 MST 2011


> I just posted a long reply to help you understand how the pieces fit
> together. Yell out if you are still confused after reading my posting.

Thanks for the lengthy reply and also the suggestion to read man pages 
instead of doc, I didn't realize there was such a big difference.  The 
pieces are starting to fall into place, but I still have more questions. 
  I've become convinced that my member servers need to be running 
winbind, especially since I want the builtin accounts to work.  So...

My sense is that my member servers should NOT require the LDAP passdb 
backend settings.  Can someone confirm that only PDC/BDC should require 

If so, I think my problem boils down to an issue resolving sids -> uids. 
  Playing around with wbinfo on my member workstation, I see that I can 
resolve things like:

[root]# wbinfo -n "mkd"
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)

[root]# wbinfo -n "CS.BROWN.EDU\mkd"
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)

so far so good, but

[root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid

This "seemed" to work for a short while after I added the passdb LDAP 
entries to my member server, but I think it was a red herring, as it 
stopped working and worked only for a select number of users.  So the 
question becomes, what am I missing that is preventing the PDC from 
resolving these for my member servers?  It's quite possible there is 
some sort of LDAP mapping that we are just missing... we've been running 
LDAP for a while prior to getting samba up and working, so we had to 
modify our existing schema and add in the LDAP necessary stuff, rather 
than let samba do it as we couldn't afford to loose the existing data. 
Is this where the idmap_ldap stuff comes in?  If so, can I just pre-seed 
these entries so all the information is there and run it in a "read 
only" ldap mode?



More information about the samba mailing list