[Samba] Setting ACLs from Windows via member server
Mark Dieterich
mkd at cs.brown.edu
Wed Feb 23 12:18:47 MST 2011
John,

> I just posted a long reply to help you understand how the pieces fit
> together. Yell out if you are still confused after reading my posting.

Thanks for the lengthy reply and also the suggestion to read man pages
instead of doc, I didn't realize there was such a big difference. The
pieces are starting to fall into place, but I still have more questions.

I've become convinced that my member servers need to be running
winbind, especially since I want the builtin accounts to work. So...

My sense is that my member servers should NOT require the LDAP passdb
backend settings. Can someone confirm that only PDC/BDC should require
this?

If so, I think my problem boils down to an issue resolving sids -> uids.
Playing around with wbinfo on my member workstation, I see that I can
resolve things like:

[root]# wbinfo -n "mkd"
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
[root]# wbinfo -n "CS.BROWN.EDU\mkd"
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)

so far so good, but

[root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid

This "seemed" to work for a short while after I added the passdb LDAP
entries to my member server, but I think it was a red herring, as it
stopped working and worked only for a select number of users. So the
question becomes, what am I missing that is preventing the PDC from
resolving these for my member servers? It's quite possible there is
some sort of LDAP mapping that we are just missing... we've been running
LDAP for a while prior to getting samba up and working, so we had to
modify our existing schema and add in the LDAP necessary stuff, rather
than let samba do it as we couldn't afford to lose the existing data.
Is this where the idmap_ldap stuff comes in? If so, can I just pre-seed
these entries so all the information is there and run it in a "read
only" ldap mode?

Thanks!
Mark
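The sid -> uid step that fails above is what the idmap layer in winbind supplies. As an added illustration (not code from the thread or from Samba), the block below parses `wbinfo -n` style output and applies the arithmetic used by the idmap_rid backend, with a constructed idmap range; idmap_ldap, which the mail asks about, stores each mapping in LDAP instead of computing it, but the same domain and range checks decide whether a SID can be mapped at all.

```python
import re

# Constructed sample: the wbinfo -n line quoted in the mail plus a
# made-up Domain Users entry (RID 513) so both SID types are exercised.
WBINFO_OUTPUT = """\
S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
S-1-5-21-2830206405-3223145701-231191277-513 SID_DOM_GROUP (2)
"""

# Assumed idmap configuration for the example (not from the mail):
#   idmap config CS : backend = rid, range = 10000-19999, base_rid = 0
DOMAIN_SID = "S-1-5-21-2830206405-3223145701-231191277"
ID_LOW, ID_HIGH, BASE_RID = 10000, 19999, 0

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_sid(sid):
    """Split a SID string into (domain_sid, rid); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])

def parse_wbinfo(text):
    """Parse 'SID TYPE (n)' lines as printed by `wbinfo -n`."""
    entries = []
    for line in text.splitlines():
        sid, kind, _ = line.split(" ", 2)
        entries.append((sid, kind))
    return entries

def rid_to_id(sid, domain_sid=DOMAIN_SID, low=ID_LOW, high=ID_HIGH,
              base_rid=BASE_RID):
    """idmap_rid arithmetic: id = low + (rid - base_rid).
    Returns None for a foreign domain or an id outside the range,
    which is the situation in which winbind reports 'Could not convert'."""
    dom, rid = parse_sid(sid)
    if dom != domain_sid:
        return None
    uid = low + (rid - base_rid)
    if uid < low or uid > high:
        return None
    return uid

def map_all(text):
    """Map every SID in wbinfo output; unmappable ones come back as None."""
    return {sid: rid_to_id(sid) for sid, _ in parse_wbinfo(text)}

if __name__ == "__main__":
    for sid, uid in map_all(WBINFO_OUTPUT).items():
        print(sid, "->", uid if uid is not None else "Could not convert")
```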