[Samba] winbind and group permissions

Michael Wood esiotrot at gmail.com
Tue Jan 4 07:45:49 MST 2011

On 4 January 2011 05:50, Bob Miller <bob at computerisms.ca> wrote:
> Gaiseric,
> thank you sooo much for the reply....
> I will make comments inline:
> On Mon, 2011-01-03 at 20:06 -0500, Gaiseric Vandal wrote:
>> Winbind is used for allowing unix things like file system access, getent
>> passwd and getent group to handle windows users (windows users and groups
>> get unix uid's and gid's allocated.)
> To say this another way; getent maps users/groups and their respective
> uids/gids/sids, winbind is what determines if those uids/gids have
> permission to do what is being requested?

That is not how I understand it at all.

"getent passwd" and "getent group" are basically front-ends to winbind
(when you have winbind specified in your nsswitch.conf.)  So winbind
does the talking to a Windows (or Samba) server and maps the uids/gids
to/from sids.

i.e. winbind maps uids/gids to/from sids/names.  getent passwd/group
maps between uids/gids and names (via winbind).

It's the local filesystem permissions/acls or your smb.conf that
determine whether a particular user/group has access to something.

I have never used winbind, but that's basically my understanding of it.

>>     I don't use winbind to login to a
>> unix system as a windows user but I do use it to allow the unix file system
>> on a samba server to handle file perms for windows users.  Winbind would
>> have nothing to do with subnet issues.
> So wbinfo commands are not affected by working across a vpn...

I suppose if winbind can talk to the Windows (or Samba) server where
it gets its information, it should not matter if that server is on the
other end of a VPN link.

Michael Wood <esiotrot at gmail.com>

More information about the samba mailing list