[Samba] Settings ACLS from Windows via member server
John H Terpstra
jht at samba.org
Wed Feb 23 14:30:44 MST 2011
On 02/24/2011 06:49 AM, Mark Dieterich wrote:
> Associated question...
>
> When I perform the following lookup on a member server:
>
>> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
>> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to
>> uid
>
> When the result is not cached on the machine doing the lookup (which by
> the way I can't keep it from caching results even when I toss the "-n"
> flag on winbindd), I see traffic between the member server and PDC.
> Good. The PDC has access to all the information it needs to resolve
> this query, it's all contained within a user/group entry in LDAP.
> However, I can see no evidence it is trying to resolve this. If idmap
> is the portion responsible for this resolution, doesn't it make sense
> that I should be running idmap_ldap on the PDC?
>
> I've been looking over the LDAP schema and it has the following:
>
> objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top
> AUXILIARY
> DESC 'Mapping from a SID to an ID'
> MUST ( sambaSID )
> MAY ( uidNumber $ gidNumber ) )
>
> which I do NOT have defined in our LDAP db. I'm planning to just toss
> this in to see whether it helps, but still don't fully understand where
> the idmap_ldap stuff should be defined...
>
> Sorry the pieces just aren't falling into place. Hopefully, I'm not the
> only one struggling with this and the resulting discussions can someday
> help others.
>
> Mark
As mentioned in my previous response, it is best to let smbd (via the
idmap handler) automatically create these entries as they are needed.
Using nss_ldap to share a common mapping across all domain member
servers is a "good thing"(tm).
- John T.
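As an added illustration (not code from this thread or from Samba itself) of what the idmap_ldap backend stores per mapped SID: one entry with sambaSID and exactly one of uidNumber/gidNumber, allocated inside the configured idmap range, which is what John means by letting smbd create the sambaIdmapEntry objects as they are needed. The SID is the one Mark posted; the base DN, the range, the allocated uid and the RDN convention are assumptions chosen for the example. Since sambaIdmapEntry is AUXILIARY (as the schema Mark quoted shows), a real entry also needs a structural class; Samba's schema defines sambaSidEntry for that purpose.

```python
"""Added example, not code from the samba list thread or from Samba itself.

Models what the idmap_ldap backend needs per mapped SID: one entry carrying
sambaSID and exactly one of uidNumber / gidNumber, allocated inside the
configured idmap range.  The base DN, the range and the uid handed out in
__main__ are assumptions chosen for illustration.
"""
import re

# Assumed deployment values (not from the thread).
IDMAP_BASE_DN = "ou=Idmap,dc=example,dc=com"
IDMAP_RANGE = (10000, 20000)

# S-1-<authority>-<subauth>[-<subauth>...]; Windows allows up to 15 sub-authorities.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) or raise ValueError."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    # Authority is a 48-bit value, each sub-authority a 32-bit value.
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subauths):
        raise ValueError(f"SID component out of range: {sid!r}")
    return authority, subauths


def split_domain_rid(sid):
    """Split an NT domain account SID into (domain SID, RID)."""
    authority, subauths = parse_sid(sid)
    # NT domain SIDs look like S-1-5-21-X-Y-Z; an account SID appends one RID.
    if authority != 5 or subauths[0] != 21 or len(subauths) != 5:
        raise ValueError(f"not an NT domain account SID: {sid!r}")
    domain = "S-1-5-" + "-".join(str(s) for s in subauths[:-1])
    return domain, subauths[-1]


def idmap_entry(sid, number, kind):
    """Build the attributes a SID->ID mapping entry carries.

    kind is "uid" or "gid"; number must fall inside IDMAP_RANGE (winbindd
    likewise refuses to hand out IDs outside the configured range).
    """
    parse_sid(sid)  # validates SID syntax, raises on garbage
    if kind not in ("uid", "gid"):
        raise ValueError("kind must be 'uid' or 'gid'")
    low, high = IDMAP_RANGE
    if not low <= number <= high:
        raise ValueError(f"{kind} {number} outside idmap range {low}-{high}")
    return {
        # RDN convention assumed here: the SID itself names the entry.
        "dn": f"sambaSID={sid},{IDMAP_BASE_DN}",
        # sambaIdmapEntry is AUXILIARY, so a structural class is needed too.
        "objectClass": ["sambaIdmapEntry", "sambaSidEntry"],
        "sambaSID": sid,
        f"{kind}Number": number,
    }


def validate_entry(entry):
    """Return a list of problems with an idmap entry (empty list == consistent)."""
    problems = []
    try:
        parse_sid(entry.get("sambaSID", ""))
    except ValueError as exc:
        problems.append(str(exc))
    ids = [k for k in ("uidNumber", "gidNumber") if k in entry]
    if len(ids) != 1:
        problems.append(f"expected exactly one of uidNumber/gidNumber, got {ids}")
    low, high = IDMAP_RANGE
    for k in ids:
        if not low <= entry[k] <= high:
            problems.append(f"{k}={entry[k]} outside idmap range {low}-{high}")
    if "sambaIdmapEntry" not in entry.get("objectClass", []):
        problems.append("missing objectClass sambaIdmapEntry")
    return problems


def to_ldif(entry):
    """Render the entry as LDIF text suitable for ldapadd."""
    lines = [f"dn: {entry['dn']}"]
    lines += [f"objectClass: {oc}" for oc in entry["objectClass"]]
    for attr in ("sambaSID", "uidNumber", "gidNumber"):
        if attr in entry:
            lines.append(f"{attr}: {entry[attr]}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The SID from the thread; uid 10007 is an assumed allocation.
    sid = "S-1-5-21-2830206405-3223145701-231191277-7214"
    print(split_domain_rid(sid))
    entry = idmap_entry(sid, 10007, "uid")
    print(validate_entry(entry))  # [] when consistent
    print(to_ldif(entry))
```

The validate_entry check is the one worth running against an existing directory: an entry that carries both uidNumber and gidNumber, or an ID outside the range in smb.conf, is exactly the kind of inconsistency that makes wbinfo -S fail to resolve a SID even though the PDC has the user in LDAP.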