[Samba] Samba domain member server using only nss ldap

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Feb 16 08:04:03 MST 2012


Unfortunately I am not sure if the idmapping functionality in Samba 
depends on winbind.   it appears that it does

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html


I do have some member servers that I am not using winbindd.  We are 
using LDAP for Unix level authentication since we have both windows and 
unix clients.   On these member servers, if you look at the file 
permissions in windows you will see entries like "UNIX\someuser" instead 
of "MYDOMAIN\someuser."    I have not tried the idmap_nss on this.    
This is OK if most of the changes to the files or file permissions is 
done in unix.   If a windows user connects, samba will map 
"MYDOMAIN\someuser" to the unix user and respect the existing unix 
permissions.  but it makes it hard to set file permissions in windows.  
 From a windows client, you may try to grant permissions to 
"MYDOMAIN\someotheruser" but in that case samba will not handle the 
mapping correctly and setting permissions fails.


With the idmap_nss backend example, samba should try to use nsswitch to 
locate the user id's for user's in your domain.  It will expect user and 
group uid's to be 1000 or higher but under 1 milllion.   Any other users 
or groups (e.g. from trusted domains) will have use a local database 
file to create or retrieve idmapping entries.  For users in your domain 
samba should determine that "MYDOMAIN\someuser" is the same person as 
the unix "someuser" account.   And hopefully display the file 
permissions in windows appropriately.


     [global]
     idmap backend = tdb
     idmap uid = 1000000-1999999
     idmap gid = 1000000-1999999

     idmap config SAMBA : backend  = nss
     idmap config SAMBA : range = 1000-999999


As I said, I have not got this to work.  I have also found that the 
samba how-to documentation does not always keep pace with the software 
updates-  although the man pages usually do.  It is just sometimes 
difficult to get an overall picture of how something should work from 
the man pages.


On 02/15/12 16:29, Alex Domoradov wrote:
> > On a member server,  the ldap backend should not be needed for user 
> and group look up.  You do need some sort of idmapping for the unix 
> level to see the UID's and GID's assigned to the samba users, and use 
> those uid's and gid's to set file permissions.
> I need to do idmapping via winbind or something else?
>
> > I haven't had much luck with member servers either. it does get 
> trickier when you have ldap used for both unix accounts and samba 
> accounts.   I found it easier to configure my primary machines as 
> domain controllers.
> I need to use LDAP only for samba accounts, not local (unix)
>
> > I think generally your nsswitch.conf file should include entries to 
> allow unix to retrieve uid's and gid's from winbind.
> > passwd:     files ldap winbind
> > shadow:     files ldap winbind
> > group:      files ldap winbind
> but according to 
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap 
> If I have one domain and all server are the member of this domain 
> there is no need to use winbind at all. Did I miss something?
>
> > This means that you would be able to type "getent user1" and "getent 
> MYDOMAIN\user1."   I
> I don't need such case, in my case local and domain users always unique
>
> > I think it appears you are getting group information from winbind 
> since have the "force group" entry in smb.conf.
> It's strange. When I added force user to the share description, samba 
> set uid of the new file from ldap
>
> > You should look at the man page for idmap_nss.  In theory, this 
> should let you use a local backend to store the idmap entries, and the 
> idmap system should use map the SID's to the existing unix uid and 
> gid.  Never worked for me in practice.
> I read the man 
> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but 
> didn't get clear understanding
>
> > Alternately, you may want to manually edit the idmap entries in 
> ldap.  The domain controller should have automatically created them.
> there are a 10-15 entries in the ou Idmap



More information about the samba mailing list