[Samba] Settings ACLS from Windows via member server
Mark Dieterich
mkd at cs.brown.edu
Wed Feb 23 12:49:27 MST 2011
Associated question...
When I perform the following lookup on a member server:
> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid
When the result is not cached on the machine doing the lookup (which by
the way I can't keep it from caching results even when I toss the "-n"
flag on winbindd), I see traffic between the member server and PDC.
Good. The PDC has access to all the information it needs to resolve
this query; it's all contained within a user/group entry in LDAP.
However, I can see no evidence it is trying to resolve this. If idmap
is the portion responsible for this resolution, doesn't it make sense
that I should be running idmap_ldap on the PDC?
I've been looking over the LDAP schema and it has the following:
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top
AUXILIARY
DESC 'Mapping from a SID to an ID'
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )
which I do NOT have defined in our LDAP db. I'm planning to just toss
this in to see whether it helps, but still don't fully understand where
the idmap_ldap stuff should be defined...
Sorry, the pieces just aren't falling into place. Hopefully I'm not the
only one struggling with this, and the resulting discussions can someday
help others.
Mark
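To make the failing lookup concrete, here is an added example (not from the post or from Samba) that models what the idmap backend has to find: it parses constructed LDIF records of the sambaIdmapEntry shape quoted above (sambaSID plus uidNumber or gidNumber; the structural sambaSidEntry class and the ou=Idmap container are assumptions) and resolves a SID to a uid/gid the way `wbinfo -S` would need to, returning None when no mapping exists.

```python
import re

# Constructed LDIF sample (not from the post): two sambaIdmapEntry objects of
# the shape the quoted schema describes, one mapping to a uid, one to a gid.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-7214,ou=Idmap,dc=example,dc=com
objectClass: sambaSidEntry
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-7214
uidNumber: 10042

dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-513,ou=Idmap,dc=example,dc=com
objectClass: sambaSidEntry
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-513
gidNumber: 10000
"""

# Textual SID: S-<revision>-<authority>-<subauthority>... with at least one subauthority.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a textual SID into (domain_sid, rid); raise on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve_sid(entries, sid):
    """Mimic the idmap lookup: ('uid', n) or ('gid', n), or None if unmapped."""
    split_sid(sid)  # reject garbage before searching
    for e in entries:
        if "sambaIdmapEntry" not in e.get("objectClass", []):
            continue
        if e.get("sambaSID", [None])[0] != sid:
            continue
        if "uidNumber" in e:
            return ("uid", int(e["uidNumber"][0]))
        if "gidNumber" in e:
            return ("gid", int(e["gidNumber"][0]))
    return None
```

A SID that resolves to None here is exactly the case where winbind reports "Could not convert sid ... to uid": no sambaIdmapEntry (or no uidNumber/gidNumber on it) exists for that SID in the directory the idmap backend is pointed at.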