[Samba] Settings ACLS from Windows via member server

John H Terpstra jht at samba.org
Wed Feb 23 14:26:29 MST 2011

On 02/24/2011 06:18 AM, Mark Dieterich wrote:
> John,
>> I just posted a long reply to help you understand how the pieces fit
>> together. Yell out if you are still confused after reading my posting.
> Thanks for the lengthy reply and also the suggestion to read man pages
> instead of doc, I didn't realize there was such a big difference.  The
> pieces are starting to fall into place, but I still have more questions.
>  I've become convinced that my member servers need to be running
> winbind, especially since I want the builtin accounts to work.  So...
> My sense is that my member servers should NOT require the LDAP passdb
> backend settings.  Can someone confirm that only PDC/BDC should require
> this?

Correct. Samba domain member servers do not require NSS-LDAP because
winbind can resolve SID to uid/gid.  The SID to uid/gid mapping can be
stored locally (which means the mappings will differ on each member
server in your domain), or the mappings can be stored in LDAP in the
"idmap suffix" specified in the smb.conf file on the domain member
itself (this enables the mappings to be shared across Samba domain
member servers).

On the other hand, some sites require the same uid/gid across domain
controllers (PDC/BDC) and domain member servers (dms). Where this is
required you CAN use NSS-LDAP to get globally consistent uid/gid values
for each user and then use idmap_ldap to handle SID to uid/gid mappings.
This configuration can get a little messy and my preference is to not
have any domain member server but rather make them all domain
controllers - that way all BDCs can share the exact same smb.conf
configuration for simpler admin.

> If so, I think my problem boils down to an issue resolving sids -> uids.
>  Playing around with wbinfo on my member workstation, I see that I can
> resolve things like:
> [root]# wbinfo -n "mkd"
> S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
> [root]# wbinfo -n "CS.BROWN.EDU\mkd"
> S-1-5-21-2830206405-3223145701-231191277-7214 SID_USER (1)
> so far so good, but
> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid
> This "seemed" to work for a short while after I added the passdb LDAP
> entries to my member server, but I think it was a red herring, as it
> stopped working and worked only for a select number of users.  So the
> question becomes, what am I missing that is preventing the PDC from
> resolving these for my member servers?  It's quite possible there is
> some sort of LDAP mapping that we are just missing... we've been running
> LDAP for a while prior to getting samba up and working, so we had to
> modify our existing schema and add in the LDAP necessary stuff, rather
> than let samba do it as we couldn't afford to lose the existing data.
> Is this where the idmap_ldap stuff comes in?  If so, can I just pre-seed
> these entries so all the information is there and run it in a "read
> only" ldap mode?

The domain member server should be configured so it can write to the
LDAP directory so that it can assign (out of the idmap range provided in
the smb.conf file) the idmap entries.  These should populate into the
"idmap suffix" container.

John T.
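The two points John makes above, that a member server needs no LDAP passdb backend because winbind does the SID resolution, and that the member must be able to write to the idmap container so it can allocate mappings from its range, can be put together in a single smb.conf. The fragment below is an added illustration, not configuration from the thread or from the Samba project; it assumes the per-domain `idmap config` syntax of Samba 3.x, and the domain name EXAMPLEDOM, the LDAP host, the DNs and the numeric ranges are placeholders to be replaced with your own values.

```ini
# smb.conf for a Samba 3.x domain member server (added example, not from the thread).
# winbind resolves SIDs; SID<->uid/gid mappings for the domain are stored in LDAP under
# the idmap container so every member server sees the same uid/gid for a given SID.
# EXAMPLEDOM, ldap.example.com and the DNs below are placeholders, not real values.
[global]
   workgroup = EXAMPLEDOM
   netbios name = MEMBER1
   # NT4-style domain member talking to a Samba PDC; use "ads" only for an AD domain.
   security = domain

   # No LDAP passdb backend on a member server: it only needs its local machine account.
   passdb backend = tdbsam

   # Default ("*") domain covers BUILTIN and other non-domain SIDs; a local tdb is fine
   # here, because these mappings do not need to match across servers.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The member's own domain: mappings are allocated in LDAP and shared. The DN given
   # as ldap_user_dn must be able to WRITE below ldap_base_dn, since winbind creates a
   # sambaIdmapEntry object there the first time a SID is looked up and bumps the
   # counter in the sambaUnixIdPool object. A read-only bind will reproduce the
   # "Could not convert sid ... to uid" failure for any SID not already present.
   idmap config EXAMPLEDOM : backend = ldap
   idmap config EXAMPLEDOM : ldap_url = ldap://ldap.example.com
   idmap config EXAMPLEDOM : ldap_base_dn = ou=Idmap,dc=example,dc=com
   idmap config EXAMPLEDOM : ldap_user_dn = cn=idmap,dc=example,dc=com
   # Must not overlap the "*" range, and must be identical on every member server
   # that shares this container.
   idmap config EXAMPLEDOM : range = 10000-19999

   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
```

The password for `ldap_user_dn` is not placed in smb.conf; it is stored in secrets.tdb (`net idmap secret EXAMPLEDOM '<password>'` on Samba 3.x; newer releases use `net idmap set secret`). After restarting winbind, `wbinfo -S <SID>` should return a uid inside the 10000-19999 range and `getent passwd` should show the same user once `winbind` is listed for passwd and group in nsswitch.conf. From a least-privilege standpoint, give the idmap bind DN write access only to the `ou=Idmap` subtree rather than reusing the directory's admin DN: it needs to create mapping entries, nothing more.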
