[Samba] winbind: uid range is ignored

steve steve at steve-ss.com
Wed Aug 8 09:41:55 MDT 2012


On 08/08/12 10:40, Jonathan Buzzard wrote:
> On 08/08/12 08:49, steve wrote:
>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>> steve wrote:
>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>> On 07/08/12 15:10, steve wrote:
>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>>
>>>>>>
>>>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>>>> perspective.
>>>>>>> Why a single home directory? We have a single NFS share containing
>>>>>>> folders for the two domains and inside those a folder for each home.
>>>>>>> We are trying to migrate away from that, preferring a '[homes]'
>>>>>>> share
>>>>>>> where users will place the data they want to have available on
>>>>>>> every PC.
>>>>>>> This way even Firefox should work...
>>>>>>>
>>>>>> Hi Diego
>>>>>> We have home directories like:
>>>>>> home2/staff
>>>>>> home2/students/7a
>>>>>> home2/students/7b
>>>>>>
>>>>>> Winbind allows only one template homedir and all user home folders
>>>>>> must
>>>>>> reside there (or tell me otherwise).
>>>>>>
>>>>>> The only way we can have what we want is:
>>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>>> 2. winbind. We have a symlink in template homedir to the real data.
>>>>>> For
>>>>>> that we need wide links.
>>>>>>
>>>>>
>>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>>
>>>>
>>>> Hi
>>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As
>>>> far as it's concerned, all home directories have to be in template
>>>> homedir.
>>>>
>>>> How would I use winbind to store it? This is why we tend toward 1.
>>>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise
>>>> only uidNumber and gidNumber. It doesn't seem to give you any control
>>>> over login shell and unixHomeDirectory. Everyone has the same shell
>>>> and homedir.
>>>>
>>>
>>> Well it's read only, winbind pulls the information from the AD, but
>>> take out your template homedir/shell lines from smb.conf and do
>>> something like
>>>
>>> winbind nss info = rfc2307
>>> winbind expand groups = 2
>>> winbind nested groups = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes

Thanks Jonathan
I got it working. It needed a schema_mode line:
idmap config MYDOMAIN:schema_mode = rfc2307

I can now finally remove wide links = Yes :-)

nss-winbind seems slow. You can see the results of getent passwd 
appearing one at a time. With nss-ldapd, the second time you do a 
getent, it's instantaneous. Is there perhaps a cache I'm missing for 
winbind? (I have nscd turned off)

Cheers,
Steve
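For readers following the thread, here is an added smb.conf comparison (not from Steve's or Jonathan's mails) of the two setups discussed: the template-homedir-plus-symlink layout that forced `wide links = yes`, and the RFC 2307 layout that reads uidNumber, gidNumber, unixHomeDirectory and loginShell from AD. The domain name MYDOMAIN, the id range and the /home2 paths are placeholders taken from the thread, and the `backend = ad` line is an assumption: `schema_mode` only applies to the `ad` idmap backend.

```ini
# Added example, not the poster's actual configuration.
# Fragment 1: the setup the thread started with. Every user lands in the
# one template homedir and a symlink inside it points at the real folder
# (home2/staff, home2/students/7a, ...). Because the link target lies outside
# the share, the server must follow links out of the share, which is the
# security concern NdK raised.
[global]
    workgroup = MYDOMAIN
    security = ads
    winbind nss info = template
    template homedir = /home2/%U
    template shell = /bin/bash

[homes]
    path = /home2/%U
    # wide links only takes effect when unix extensions is off
    unix extensions = no
    wide links = yes

# Fragment 2: the setup the thread ended with. Home directory and shell come
# from the user's AD object, so no template lines and no symlinks are needed
# and wide links can stay at its default of no.
[global]
    workgroup = MYDOMAIN
    security = ads
    idmap config MYDOMAIN:backend = ad            # assumption: ad backend
    idmap config MYDOMAIN:schema_mode = rfc2307   # the line that made it work
    idmap config MYDOMAIN:range = 10000-99999     # placeholder range; ids outside it are rejected
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind enum users = yes
    winbind enum groups = yes

[homes]
    # %H is the home directory NSS returns for the user, i.e. unixHomeDirectory
    # from AD, so home2/staff and home2/students/7a both resolve without links.
    path = %H
    wide links = no
```

With the second fragment, `getent passwd someuser` should show the per-user unixHomeDirectory and loginShell rather than the template values, which is the quickest check that the rfc2307 lookup is actually being used.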


