[Samba] winbind and group permissions

Michael Wood esiotrot at gmail.com
Tue Jan 4 07:45:49 MST 2011


On 4 January 2011 05:50, Bob Miller <bob at computerisms.ca> wrote:
> Gaiseric,
> thank you sooo much for the reply....
> I will make comments inline:
>
> On Mon, 2011-01-03 at 20:06 -0500, Gaiseric Vandal wrote:
>> Winbind is used for allowing unix things like file system access, getent
>> passwd and getent group to handle windows users (windows users and groups
>> get unix uid's and gid's allocated.)
>
> To say this another way; getent maps users/groups and their respective
> uids/gids/sids, winbind is what determines if those uids/gids have
> permission to do what is being requested?

That is not how I understand it at all.

"getent passwd" and "getent group" are basically front-ends to winbind
(when you have winbind specified in your nsswitch.conf.)  So winbind
does the talking to a Windows (or Samba) server and maps the uids/gids
to/from sids.

i.e. winbind maps uids/gids to/from sids/names.  getent passwd/group
maps between uids/gids and names (via winbind).

It's the local filesystem permissions/acls or your smb.conf that
determine whether a particular user/group has access to something.

I have never used winbind, but that's basically my understanding of it.

>>     I don't use winbind to login to a
>> unix system as a windows user but I do use it to allow the unix file system
>> on a samba server to handle file perms for windows users.  Winbind would
>> have nothing to do with subnet issues.
>
> So wbinfo commands are not affected by working across a vpn...

I suppose if winbind can talk to the Windows (or Samba) server where
it gets its information, it should not matter if that server is on the
other end of a VPN link.

-- 
Michael Wood <esiotrot at gmail.com>
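
The split described in this message (winbind, reached through nsswitch.conf, only resolves names and ids; the filesystem permissions decide access) is sketched below as an added example that is not part of the original post. The sample nsswitch.conf, the uid/gid numbers and the function names are constructed for illustration, and the permission check covers only classic mode bits, not ACLs or smb.conf rules.

```python
import re

# Constructed sample nsswitch.conf; not taken from the thread.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:  compat winbind
group:   compat [NOTFOUND=continue] winbind
shadow:  compat
hosts:   files dns
"""

def nss_sources(text, database):
    """Ordered lookup sources for one NSS database, ignoring [action] items."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def winbind_serves(text, database):
    """True if getent for this database would consult winbind."""
    return "winbind" in nss_sources(text, database)

def may_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic mode-bit check (no ACLs, no root override, no smb.conf rules).
    want is a mask: 4 = read, 2 = write, 1 = execute/search."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7                # owner class
    elif owner_gid in gids:
        bits = (mode >> 3) & 7                # group class
    else:
        bits = mode & 7                       # other class
    return (bits & want) == want

if __name__ == "__main__":
    # Constructed ids, as if winbind had allocated them from an idmap range.
    uid, gids = 10500, {10001, 10002}
    for db in ("passwd", "group", "shadow"):
        print(db, nss_sources(SAMPLE_NSSWITCH, db), winbind_serves(SAMPLE_NSSWITCH, db))
    # Same resolved identity, different outcome: only the mode bits changed.
    print("write with 2770:", may_access(0o2770, 0, 10001, uid, gids, 2))
    print("write with 2750:", may_access(0o2750, 0, 10001, uid, gids, 2))
```
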

