[Samba] winbind: uid range is ignored

steve steve at steve-ss.com
Wed Aug 8 01:49:30 MDT 2012 

On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
> steve wrote:
>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>> On 07/08/12 15:10, steve wrote:
>>>> On 04/08/12 22:06, NdK wrote:
>>>>> Il 04/08/2012 21:13, steve ha scritto:
>>>>>
>>>>
>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>> perspective.
>>>>> Why a single home directory? We have a single NFS share containing
>>>>> folders for the two domains and inside those a folder for each home.
>>>>> We are trying to migrate away from that, preferring a '[homes]' share
>>>>> where users will place the data they want to have available on 
>>>>> every PC.
>>>>> This way even Firefox should work...
>>>>>
>>>> Hi Diego
>>>> We have home directories like:
>>>> home2/staff
>>>> home2/students/7a
>>>> home2/students/7b
>>>>
>>>> Winbind allows only one template homedir and all user home folders 
>>>> must
>>>> reside there (or tell me otherwise).
>>>>
>>>> The only way we can have what we want is:
>>>> 1. use nss-ldapd and store the true uinixHomeDirectory in AD
>>>> 2. winbind. We have a symlink in template homedir to the real data. 
>>>> For
>>>> that we need wide links.
>>>>
>>>
>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>
>>
>> Hi
>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As 
>> far as it's concerned, all home directories have to be in template 
>> homedir.
>>
>> How would I use winbind to store it? This is why we tend toward 1. 
>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise 
>> only uidNumber and gidNumber. It doesn't sem to give you any control 
>> over login shell and unixHomeDirectory. Everyone has the same shell 
>> and homedir.
>>
>
> Well it's read only, winbind pulls the information from the AD, but 
> take  out your template homedir/shell lines from smb.conf and do 
> something like
>
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>
> Note you can get nested groups this way, something I don't think 
> nss-ldapd provides. It does work I have it in production for over 1500 
> users right now with some 900 active SMB sessions.
>
Hi Jonathan
Is that with Samba3 or 4? I just tried it with Samba4 with 
unixHomeDirectory in AD. I removed template homedir =, created the user 
directory and gave it the correct permissions, but logging in, winbind 
tries to create the directory:
  su steve2
Creating directory ''.
Unable to create and initialize directory ''.
su: Permission denied

Cheers,
Steve

More information about the samba mailing list