[Samba] Samba domain member server using only nss ldap

Angel Bosch abosch at cilma.net
Mon Feb 20 01:56:11 MST 2012


not sure if you solved this. I'll give my advice anyway. 

if you know how to configure NSS/LDAP at system level is the simplest way i've found to configure a member server. 

first, be sure to have all nss related configured (nsswitch.conf, ldap.conf) and check it with "getent passwd" and "getent group". 

once you have that, create a machine account on the PDC and join the member server (net rpc join). 

then configure member server as a simple file server with no reference to LDAP. you don't need any ldap setting in smb.conf, just something like: 

	workgroup = MYDOM
	server string = %h server
	security = DOMAIN
	password server = mypdc.example.com
	comment = proves de membre samba
	path = /tmp/prova3
	read only = No
	guest ok = Yes

this is the simplest way i've found to do it.



----- Original Message ----- 
From: "Alex Domoradov" <alex.hha at gmail.com> 
To: samba at lists.samba.org 
Sent: Wednesday, February 15, 2012 10:29:19 PM 
Subject: Re: [Samba] Samba domain member server using only nss ldap 

> On a member server, the ldap backend should not be needed for user and 
group look up. You do need some sort of idmapping for the unix level to 
see the UID's and GID's assigned to the samba users, and use those uid's 
and gid's to set file permissions. 
I need to do idmapping via winbind or something else? 

> I haven't had much luck with member servers either. it does get trickier 
when you have ldap used for both unix accounts and samba accounts. I 
found it easier to configure my primary machines as domain controllers. 
I need to use LDAP only for samba accounts, not local (unix) 

> I think generally your nsswitch.conf file should include entries to allow 
unix to retrieve uid's and gid's from winbind. 
> passwd: files ldap winbind 
> shadow: files ldap winbind 
> group: files ldap winbind 
but according to 
I have one domain and all server are the member of this domain there 
no need to use winbind at all. Did I miss something? 

> This means that you would be able to type "getent user1" and "getent 
MYDOMAIN\user1." I 
I don't need such case, in my case local and domain users always unique 

> I think it appears you are getting group information from winbind since 
have the "force group" entry in smb.conf. 
It's strange. When I added force user to the share description, samba set 
uid of the new file from ldap 

> You should look at the man page for idmap_nss. In theory, this should 
let you use a local backend to store the idmap entries, and the idmap 
system should use map the SID's to the existing unix uid and gid. Never 
worked for me in practice. 
I read the man 
http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't 
get clear understanding 

> Alternately, you may want to manually edit the idmap entries in ldap. 
The domain controller should have automatically created them. 
there are a 10-15 entries in the ou Idmap 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 

More information about the samba mailing list