[Samba] Samba domain member server using only nss ldap
gaiseric.vandal at gmail.com
Thu Feb 16 08:04:03 MST 2012
Unfortunately I am not sure if the idmapping functionality in Samba
depends on winbind. it appears that it does
I do have some member servers that I am not using winbindd. We are
using LDAP for Unix level authentication since we have both windows and
unix clients. On these member servers, if you look at the file
permissions in windows you will see entries like "UNIX\someuser" instead
of "MYDOMAIN\someuser." I have not tried the idmap_nss on this.
This is OK if most of the changes to the files or file permissions is
done in unix. If a windows user connects, samba will map
"MYDOMAIN\someuser" to the unix user and respect the existing unix
permissions. but it makes it hard to set file permissions in windows.
From a windows client, you may try to grant permissions to
"MYDOMAIN\someotheruser" but in that case samba will not handle the
mapping correctly and setting permissions fails.
With the idmap_nss backend example, samba should try to use nsswitch to
locate the user id's for user's in your domain. It will expect user and
group uid's to be 1000 or higher but under 1 milllion. Any other users
or groups (e.g. from trusted domains) will have use a local database
file to create or retrieve idmapping entries. For users in your domain
samba should determine that "MYDOMAIN\someuser" is the same person as
the unix "someuser" account. And hopefully display the file
permissions in windows appropriately.
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SAMBA : backend = nss
idmap config SAMBA : range = 1000-999999
As I said, I have not got this to work. I have also found that the
samba how-to documentation does not always keep pace with the software
updates- although the man pages usually do. It is just sometimes
difficult to get an overall picture of how something should work from
the man pages.
On 02/15/12 16:29, Alex Domoradov wrote:
> > On a member server, the ldap backend should not be needed for user
> and group look up. You do need some sort of idmapping for the unix
> level to see the UID's and GID's assigned to the samba users, and use
> those uid's and gid's to set file permissions.
> I need to do idmapping via winbind or something else?
> > I haven't had much luck with member servers either. it does get
> trickier when you have ldap used for both unix accounts and samba
> accounts. I found it easier to configure my primary machines as
> domain controllers.
> I need to use LDAP only for samba accounts, not local (unix)
> > I think generally your nsswitch.conf file should include entries to
> allow unix to retrieve uid's and gid's from winbind.
> > passwd: files ldap winbind
> > shadow: files ldap winbind
> > group: files ldap winbind
> but according to
> If I have one domain and all server are the member of this domain
> there is no need to use winbind at all. Did I miss something?
> > This means that you would be able to type "getent user1" and "getent
> MYDOMAIN\user1." I
> I don't need such case, in my case local and domain users always unique
> > I think it appears you are getting group information from winbind
> since have the "force group" entry in smb.conf.
> It's strange. When I added force user to the share description, samba
> set uid of the new file from ldap
> > You should look at the man page for idmap_nss. In theory, this
> should let you use a local backend to store the idmap entries, and the
> idmap system should use map the SID's to the existing unix uid and
> gid. Never worked for me in practice.
> I read the man
> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but
> didn't get clear understanding
> > Alternately, you may want to manually edit the idmap entries in
> ldap. The domain controller should have automatically created them.
> there are a 10-15 entries in the ou Idmap
More information about the samba