[Samba] winbind: uid range is ignored

Jonathan Buzzard jonathan at buzzard.me.uk
Wed Aug 8 09:57:15 MDT 2012


On 08/08/12 16:41, steve wrote:
> On 08/08/12 10:40, Jonathan Buzzard wrote:
>> On 08/08/12 08:49, steve wrote:
>>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>>> steve wrote:
>>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>>> On 07/08/12 15:10, steve wrote:
>>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>>> Il 04/08/2012 21:13, steve ha scritto:
>>>>>>>>
>>>>>>>
>>>>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>>>>> perspective.
>>>>>>>> Why a single home directory? We have a single NFS share containing
>>>>>>>> folders for the two domains and inside those a folder for each
>>>>>>>> home.
>>>>>>>> We are trying to migrate away from that, preferring a '[homes]'
>>>>>>>> share
>>>>>>>> where users will place the data they want to have available on
>>>>>>>> every PC.
>>>>>>>> This way even Firefox should work...
>>>>>>>>
>>>>>>> Hi Diego
>>>>>>> We have home directories like:
>>>>>>> home2/staff
>>>>>>> home2/students/7a
>>>>>>> home2/students/7b
>>>>>>>
>>>>>>> Winbind allows only one template homedir and all user home folders
>>>>>>> must
>>>>>>> reside there (or tell me otherwise).
>>>>>>>
>>>>>>> The only way we can have what we want is:
>>>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>>>> 2. winbind. We have a symlink in template homedir to the real data.
>>>>>>> For
>>>>>>> that we need wide links.
>>>>>>>
>>>>>>
>>>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>>>
>>>>>
>>>>> Hi
>>>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As
>>>>> far as it's concerned, all home directories have to be in template
>>>>> homedir.
>>>>>
>>>>> How would I use winbind to store it? This is why we tend toward 1.
>>>>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise
>>>>> only uidNumber and gidNumber. It doesn't seem to give you any control
>>>>> over login shell and unixHomeDirectory. Everyone has the same shell
>>>>> and homedir.
>>>>>
>>>>
>>>> Well it's read only, winbind pulls the information from the AD, but
>>>> take out your template homedir/shell lines from smb.conf and do
>>>> something like
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind expand groups = 2
>>>> winbind nested groups = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>
> Thanks Jonathan
> I got it working. It needed a schema_mode line:
> idmap config MYDOMAIN:schema_mode = rfc2307
>
> I can now finally remove wide links = Yes :-)
>
> nss-winbind seems slow. You can see the results of getent passwd
> appearing one at a time. With nss-ldapd, the second time you do a
> getent, it's instantaneous. Is there perhaps a cache I'm missing for
> winbind? (I have nscd turned off)
>

Noting that nscd and winbind don't work properly together, the settings 
I use are

idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600

Performance seems good to me, especially once cached.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
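As an added illustration (not part of the thread, and not an official Samba sample), the settings scattered across the exchange above collected into one smb.conf [global] fragment: the rfc2307 lookup lines, the schema_mode line that made it work for steve, and the cache times from the reply. The commented-out block at the top is the template/wide-links arrangement the thread moved away from, kept only for contrast. The `backend = ad`, the `range` values and the `idmap config *` defaults are my assumptions (idmap_ad needs a backend and a range to be configured); MYDOMAIN is the thread's own placeholder.

```ini
# Added example, not from the thread. Lines marked "assumed" are not on
# the page; MYDOMAIN is the placeholder name used in the thread.

[global]
   # --- The arrangement the thread moved away from (contrast only) ---
   # template homedir = /home2/%U       ; every user forced under one tree
   # template shell = /bin/bash         ; same shell for everyone
   # wide links = yes                   ; symlinks can point outside the share

   # --- Take uidNumber/gidNumber/unixHomeDirectory/loginShell from AD ---
   winbind nss info = rfc2307
   winbind expand groups = 2
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes

   # Per-domain idmap. schema_mode was the missing piece in the thread;
   # backend and range are assumed (idmap_ad requires both).
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-999999

   # Default backend for SIDs outside MYDOMAIN, e.g. BUILTIN (assumed).
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

   # Caching, values as given in the reply. nscd stays off: the reply
   # notes that nscd and winbind do not work properly together.
   idmap cache time = 604800
   idmap negative cache time = 20
   winbind cache time = 600
```

After editing, `testparm -s` reports any parameter names Samba does not recognise, and `getent passwd` (as used in the thread) or `wbinfo -i USERNAME` shows whether the home directory and shell now come from the AD attributes rather than from a template. Because the rfc2307 values are read from AD and not written, a user whose AD object has no unixHomeDirectory will still fall back to the template, so that attribute needs to be populated for every account before `wide links` is dropped.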

