[Samba] Samba domain member server using only nss ldap

Alex Domoradov alex.hha at gmail.com
Wed Feb 15 08:21:29 MST 2012


I have an NT4-style domain on samba-3.x integrated with LDAP. I need to use domain
users in the share permissions.

On the domain member server I have the following smb.conf

[global]

    workgroup = W3
    server string = File server
    netbios name = FS1
    # Member of an NT4-style domain: authentication is passed to the domain
    # controllers, this host does not hold the password database itself.
    security = domain

    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/samba.log
    max log size = 50000

    encrypt passwords = yes

    # Tells winbind that users of the primary domain (W3) are expected to be
    # resolvable through the local NSS (here nss_ldap, see nsswitch.conf),
    # and that only trusted domains need idmap allocation. Relevant to the
    # uid-from-LDAP / gid-from-winbind split observed below - verify which
    # path each lookup actually takes (log level 3 should show it).
    winbind trusted domains only = yes

    # Shared idmap table kept on the PDC's LDAP server over plain ldap://;
    # with "ldap ssl = no" below these reads and the admin bind travel
    # unencrypted. Allocations land in the 50000-500000 ranges.
    idmap backend = ldap:"ldap://pdc.w3.lan/"
    ldap idmap suffix = ou=idmap

    idmap uid = 50000-500000
    idmap gid = 50000-500000

    # ldapsam:* options belong to the ldapsam passdb backend. No
    # "passdb backend = ldapsam" line is shown for this member server, so
    # these may have no effect here - confirm with "testparm -v".
    ldapsam:trusted = yes
    ldapsam:editposix = yes

    ldap suffix = dc=w3,dc=lan
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    # Bind DN used with the password stored in secrets.tdb ("smbpasswd -w").
    # It looks like the directory's rootdn, i.e. full write access to every
    # entry - confirm, and prefer a dedicated account with only the rights
    # Samba needs.
    ldap admin dn = "cn=root,dc=w3,dc=lan"
    # Plain LDAP: the admin bind password and all directory traffic cross the
    # network in cleartext. "ldap ssl = start tls" (or an ldaps:// URL) is
    # the usual mitigation when the directory server supports it.
    ldap ssl = no

    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

    # Honours privileges granted with "net rpc rights grant"; review which
    # accounts hold them ("net rpc rights list accounts").
    enable privileges = yes

    os level = 8
    local master = no
    domain master = no
    preferred master = no
    domain logons = no

    wins server = 192.168.210.104
    dns proxy = yes

    # Outbound authentication: NTLMv2 only, never plaintext.
    client ntlmv2 auth = yes
    client plaintext auth = no

    # Inbound: refuse the weak LanMan hash; no LAN Manager-style browse
    # announcements.
    lanman auth = no
    lm announce = no

    deadtime = 15

    display charset = utf8
    unix charset = utf8
    dos charset = cp866

    # Level 3 is verbose enough to trace name/SID/idmap lookups while
    # diagnosing the mapping question below; drop it back once done.
    log level  = 3
    host msdfs  = no

[Test]
    comment = Test
    path = /data/production/Test/
    # "public" is a synonym for "guest ok"; when a parameter is set twice the
    # last value wins, so guest access is off here.
    public = yes
    guest ok = no
    # Access and write permission go to the same domain group, so every user
    # who can reach the share can also write to it.
    valid users = @W3\w3-nssldap
    write list = @W3\w3-nssldap
    browseable = yes
    # "create mode"/"directory mode" are synonyms of "create mask"/
    # "directory mask"; the later "create mask = 0660" is the value in
    # effect. The force modes are ORed in after the mask, so new files and
    # directories should both end up 0770 (group-writable, nothing for
    # others) - confirm with "testparm -v".
    force create mode = 0770
    create mode = 0770
    force directory mode = 0770
    directory mode = 0770
    create mask = 0660
    directory mask = 0770
    # Group forced onto everything created in the share. The ls -ln output
    # below shows gid 321909 (inside the idmap range) while getent reports
    # w3-nssldap as gid 1354, which suggests this name is resolved through
    # winbind's idmap rather than through nss_ldap.
    force group = @W3\w3-nssldap

# cat /etc/nsswitch.conf | grep ldap
passwd:     files ldap
shadow:     files ldap
group:      files ldap

When I create any folder in the Test share, I get the following uid/gid:

# ls -l
total 4
drwxrwx--- 2 nssldap 321909 4096 Feb 15 17:00 test

# ls -ln
total 4
drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test

# getent group | grep ^w3-nssldap
w3-nssldap:*:1354:nssldap

# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain Users)

# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)

# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
50290

It seems that Samba gets the uid from LDAP and the gid from winbind. So my
question is: is it possible to use only nss ldap on a domain member server
for uid/gid mapping?

