[Samba] Samba domain member server using only nss ldap
Angel Bosch
abosch at cilma.net
Mon Feb 20 01:56:11 MST 2012
Hi,
not sure if you solved this. I'll give my advice anyway.
if you know how to configure NSS/LDAP at system level is the simplest way i've found to configure a member server.
first, be sure to have all nss related configured (nsswitch.conf, ldap.conf) and check it with "getent passwd" and "getent group".
once you have that, create a machine account on the PDC and join the member server (net rpc join).
then configure member server as a simple file server with no reference to LDAP. you don't need any ldap setting in smb.conf, just something like:
[global]
workgroup = MYDOM
server string = %h server
security = DOMAIN
password server = mypdc.example.com
[prova3]
comment = proves de membre samba
path = /tmp/prova3
read only = No
guest ok = Yes
this is the simplest way i've found to do it.
regards,
abosch
----- Original Message -----
From: "Alex Domoradov" <alex.hha at gmail.com>
To: samba at lists.samba.org
Sent: Wednesday, February 15, 2012 10:29:19 PM
Subject: Re: [Samba] Samba domain member server using only nss ldap
> On a member server, the ldap backend should not be needed for user and
group look up. You do need some sort of idmapping for the unix level to
see the UID's and GID's assigned to the samba users, and use those uid's
and gid's to set file permissions.
I need to do idmapping via winbind or something else?
> I haven't had much luck with member servers either. it does get trickier
when you have ldap used for both unix accounts and samba accounts. I
found it easier to configure my primary machines as domain controllers.
I need to use LDAP only for samba accounts, not local (unix)
> I think generally your nsswitch.conf file should include entries to allow
unix to retrieve uid's and gid's from winbind.
> passwd: files ldap winbind
> shadow: files ldap winbind
> group: files ldap winbind
but according to
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldapIf
I have one domain and all server are the member of this domain there
is
no need to use winbind at all. Did I miss something?
> This means that you would be able to type "getent user1" and "getent
MYDOMAIN\user1." I
I don't need such case, in my case local and domain users always unique
> I think it appears you are getting group information from winbind since
have the "force group" entry in smb.conf.
It's strange. When I added force user to the share description, samba set
uid of the new file from ldap
> You should look at the man page for idmap_nss. In theory, this should
let you use a local backend to store the idmap entries, and the idmap
system should use map the SID's to the existing unix uid and gid. Never
worked for me in practice.
I read the man
http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
get clear understanding
> Alternately, you may want to manually edit the idmap entries in ldap.
The domain controller should have automatically created them.
there are a 10-15 entries in the ou Idmap
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list