[Samba] winbind: uid range is ignored

Jonathan Buzzard jonathan at buzzard.me.uk
Tue Aug 7 16:35:18 MDT 2012 

steve wrote:
> On 07/08/12 16:15, Jonathan Buzzard wrote:
>> On 07/08/12 15:10, steve wrote:
>>> On 04/08/12 22:06, NdK wrote:
>>>> Il 04/08/2012 21:13, steve ha scritto:
>>>>
>>>
>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>> perspective.
>>>> Why a single home directory? We have a single NFS share containing
>>>> folders for the two domains and inside those a folder for each home.
>>>> We are trying to migrate away from that, preferring a '[homes]' share
>>>> where users will place the data they want to have available on every 
>>>> PC.
>>>> This way even Firefox should work...
>>>>
>>> Hi Diego
>>> We have home directories like:
>>> home2/staff
>>> home2/students/7a
>>> home2/students/7b
>>>
>>> Winbind allows only one template homedir and all user home folders must
>>> reside there (or tell me otherwise).
>>>
>>> The only way we can have what we want is:
>>> 1. use nss-ldapd and store the true uinixHomeDirectory in AD
>>> 2. winbind. We have a symlink in template homedir to the real data. For
>>> that we need wide links.
>>>
>>
>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>
> 
> Hi
> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far 
> as it's concerned, all home directories have to be in template homedir.
> 
> How would I use winbind to store it? This is why we tend toward 1. 
> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only 
> uidNumber and gidNumber. It doesn't sem to give you any control over 
> login shell and unixHomeDirectory. Everyone has the same shell and homedir.
> 

Well it's read only, winbind pulls the information from the AD, but take 
  out your template homedir/shell lines from smb.conf and do something like

	winbind nss info = rfc2307
	winbind expand groups = 2
	winbind nested groups = yes
	winbind enum users = yes
	winbind enum groups = yes

Note you can get nested groups this way, something I don't think 
nss-ldapd provides. It does work I have it in production for over 1500 
users right now with some 900 active SMB sessions.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

More information about the samba mailing list