[Samba] winbind and group permissions

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Jan 4 09:18:22 MST 2011

That sounds like a pretty good description of winbind and nsswitch.

The tricky part, depending on your configuration, is that one "real" 
user can end up with two uid's-  one from the "unix" account (e.g. 
/etc/passwd, nis or ldap) and one from winbind.    Your DC's should not 
be using winbind for the local samba domain if the users already have 
unix accounts that are also being used for things like nfs or ssh.

On 01/04/2011 09:45 AM, Michael Wood wrote:
> On 4 January 2011 05:50, Bob Miller<bob at computerisms.ca>  wrote:
>> Gaiseric,
>> thank you sooo much for the reply....
>> I will make comments inline:
>> On Mon, 2011-01-03 at 20:06 -0500, Gaiseric Vandal wrote:
>>> Winbind is used for allowing unix things like file system access, getent
>>> passwd and getent group to handle windows users (windows users and groups
>>> get unix uid's and gid's allocated.)
>> To say this another way; getent maps users/groups and their respective
>> uids/gids/sids, winbind is what determines if those uids/gids have
>> permission to do what is being requested?
> That is not how I understand it at all.
> "getent passwd" and "getent group" are basically front-ends to winbind
> (when you have winbind specified in your nsswitch.conf.)  So winbind
> does the talking to a Windows (or Samba) server and maps the uids/gids
> to/from sids.
> i.e. winbind maps uids/gids to/from sids/names.  getent passwd/group
> maps between uids/gids and names (via winbind).
> It's the local filesystem permissions/acls or your smb.conf that
> determine whether a particular user/group has access to something.
> I have never used winbind, but that's basically my understanding of it.
>>>      I don't use winbind to login to a
>>> unix system as a windows user but I do use it to allow the unix file system
>>> on a samba server to handle file perms for windows users.  Winbind would
>>> have nothing to do with subnet issues.
>> So wbinfo commands are not affected by working across a vpn...
> I suppose if winbind can talk to the Windows (or Samba) server where
> it gets its information, it should not matter if that server is on the
> other end of a VPN link.
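
A check for the situation described in the reply at the top of this message, where one "real" user has one uid from the unix source and another from winbind. This is an added example, not part of the original thread; the function names, the EXAMPLE domain and the sample entries are constructed, and it assumes winbind's default backslash separator between domain and user name.

```shell
#!/bin/sh
# find_uid_conflicts UNIX_PASSWD WINBIND_PASSWD
# Both arguments are files in passwd(5) format, for instance the saved output of
#   getent -s files passwd     and     getent -s winbind passwd
# Prints "name unix_uid winbind_uid" for each account name that appears in both
# sources with different uids. Returns 1 if any conflict was found, else 0.
find_uid_conflicts() {
    awk -F: '
        # First file: remember the uid of every unix account.
        FILENAME == ARGV[1] { unix_uid[$1] = $3; next }
        # Second file: drop a leading "DOMAIN\" so names can be compared.
        {
            name = $1
            sub(/^.*\\/, "", name)
            if ((name in unix_uid) && unix_uid[name] != $3) {
                print name, unix_uid[name], $3
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1" "$2"
}

# Constructed sample data: "bob" has a different uid in each source,
# "alice" has the same uid in both, "carol" exists only in winbind.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1001:1001::/home/alice:/bin/sh' \
        'bob:x:1002:1002::/home/bob:/bin/sh' > "$tmp/unix"
    printf '%s\n' 'EXAMPLE\alice:*:1001:10000::/home/EXAMPLE/alice:/bin/false' \
        'EXAMPLE\bob:*:10005:10000::/home/EXAMPLE/bob:/bin/false' \
        'EXAMPLE\carol:*:10006:10000::/home/EXAMPLE/carol:/bin/false' > "$tmp/winbind"
    find_uid_conflicts "$tmp/unix" "$tmp/winbind"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "uid conflicts found (listed above)"
```

Files owned by the unix uid and files owned by the winbind uid belong to different owners as far as the filesystem is concerned, so each reported name is an account whose file permissions depend on which source resolved it.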
