[Samba] winbind: uid range is ignored

Jonathan Buzzard jonathan at buzzard.me.uk
Wed Aug 8 02:40:02 MDT 2012


On 08/08/12 08:49, steve wrote:
> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>> steve wrote:
>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>> On 07/08/12 15:10, steve wrote:
>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>> Il 04/08/2012 21:13, steve ha scritto:
>>>>>>
>>>>>
>>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>>> perspective.
>>>>>> Why a single home directory? We have a single NFS share containing
>>>>>> folders for the two domains and inside those a folder for each home.
>>>>>> We are trying to migrate away from that, preferring a '[homes]' share
>>>>>> where users will place the data they want to have available on
>>>>>> every PC.
>>>>>> This way even Firefox should work...
>>>>>>
>>>>> Hi Diego
>>>>> We have home directories like:
>>>>> home2/staff
>>>>> home2/students/7a
>>>>> home2/students/7b
>>>>>
>>>>> Winbind allows only one template homedir and all user home folders
>>>>> must
>>>>> reside there (or tell me otherwise).
>>>>>
>>>>> The only way we can have what we want is:
>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>> 2. winbind. We have a symlink in template homedir to the real data.
>>>>> For
>>>>> that we need wide links.
>>>>>
>>>>
>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>
>>>
>>> Hi
>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As
>>> far as it's concerned, all home directories have to be in template
>>> homedir.
>>>
>>> How would I use winbind to store it? This is why we tend toward 1.
>>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise
>>> only uidNumber and gidNumber. It doesn't seem to give you any control
>>> over login shell and unixHomeDirectory. Everyone has the same shell
>>> and homedir.
>>>
>>
>> Well, it's read only; winbind pulls the information from the AD, but
>> take out your template homedir/shell lines from smb.conf and do
>> something like
>>
>> winbind nss info = rfc2307
>> winbind expand groups = 2
>> winbind nested groups = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> Note you can get nested groups this way, something I don't think
>> nss-ldapd provides. It does work; I have it in production for over 1500
>> users right now with some 900 active SMB sessions.
>>
> Hi Jonathan
> Is that with Samba3 or 4?

Do you think it is likely that I would have a production file server 
system in place with over 900 active SMB connections using an Alpha 
release piece of software?

I don't even use 3.6 yet because it is showing too many issues in testing.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
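An added audit script, not from the thread or the Samba project, that checks an smb.conf for the two points discussed above: the security concern about `wide links = yes` (a symlink inside a share can resolve to a path outside it) and Jonathan's advice to set `winbind nss info = rfc2307` and drop the `template homedir` / `template shell` lines. The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit smb.conf for the symlink-vs-rfc2307 home directory choice.
# Exit status of audit_smbconf is 0 only when no finding is printed.

# Normalise smb.conf: drop comment lines, trim whitespace,
# "key = value" -> "key=value", lower-case everything.
smb_settings() {
    sed -e '/^[[:space:]]*[;#]/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e '/^$/d' "$1" | tr 'A-Z' 'a-z'
}

has_setting() { smb_settings "$1" | grep -qx "$2=$3"; }   # FILE KEY VALUE
has_key()     { smb_settings "$1" | grep -q "^$2="; }     # FILE KEY

# audit_smbconf FILE: prints one FINDING line per problem found.
audit_smbconf() {
    rc=0
    if has_setting "$1" "wide links" yes; then
        echo "FINDING: wide links = yes (symlinks may resolve outside the share)"; rc=1
    fi
    if ! has_setting "$1" "winbind nss info" rfc2307; then
        echo "FINDING: winbind nss info != rfc2307 (AD home/shell attributes not used)"; rc=1
    fi
    for k in "template homedir" "template shell"; do
        has_key "$1" "$k" && { echo "FINDING: '$k' still set; thread advises removing it"; rc=1; }
    done
    return $rc
}

# Constructed sample configs (assumed values, not from any real server).
write_samples() {   # write_samples DIR
    cat > "$1/symlink.conf" <<'EOF'
[global]
   template homedir = /home/%D/%U
   wide links = yes
EOF
    cat > "$1/rfc2307.conf" <<'EOF'
[global]
   winbind nss info = rfc2307
   winbind expand groups = 2
   winbind nested groups = yes
EOF
}

# Stand-alone demo: audit both samples and report.
d=$(mktemp -d); write_samples "$d"
for c in symlink rfc2307; do
    echo "== $c.conf"; audit_smbconf "$d/$c.conf" && echo "OK"
done
rm -rf "$d"
```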

