[Samba] Samba domain member server using only nss ldap
alex.hha at gmail.com
Tue Feb 21 01:13:35 MST 2012
Thanks, I'll try your solution
On Mon, Feb 20, 2012 at 10:56 AM, Angel Bosch <abosch at cilma.net> wrote:
> not sure if you solved this. I'll give my advice anyway.
> if you know how to configure NSS/LDAP at system level, that is the simplest way
> I've found to configure a member server.
> first, be sure to have all nss related configured (nsswitch.conf,
> ldap.conf) and check it with "getent passwd" and "getent group".
> once you have that, create a machine account on the PDC and join the
> member server (net rpc join).
> then configure the member server as a simple file server with no reference to
> LDAP. you don't need any ldap setting in smb.conf, just something like:
> workgroup = MYDOM
> server string = %h server
> security = DOMAIN
> password server = mypdc.example.com
> comment = proves de membre samba
> path = /tmp/prova3
> read only = No
> guest ok = Yes
> this is the simplest way i've found to do it.
> ----- Original Message -----
> From: "Alex Domoradov" <alex.hha at gmail.com>
> To: samba at lists.samba.org
> Sent: Wednesday, February 15, 2012 10:29:19 PM
> Subject: Re: [Samba] Samba domain member server using only nss ldap
> > On a member server, the ldap backend should not be needed for user and
> > group look up. You do need some sort of idmapping for the unix level to
> > see the UID's and GID's assigned to the samba users, and use those uid's
> > and gid's to set file permissions.
> Do I need to do idmapping via winbind or something else?
> > I haven't had much luck with member servers either. It does get trickier
> > when you have ldap used for both unix accounts and samba accounts. I
> > found it easier to configure my primary machines as domain controllers.
> I need to use LDAP only for samba accounts, not local (unix) ones.
> > I think generally your nsswitch.conf file should include entries to allow
> > unix to retrieve uid's and gid's from winbind.
> > passwd: files ldap winbind
> > shadow: files ldap winbind
> > group: files ldap winbind
> but according to
> I have one domain and all servers are members of this domain; there is
> no need to use winbind at all. Did I miss something?
> > This means that you would be able to type "getent user1" and "getent
> > MYDOMAIN\user1." I
> I don't need such a case; in my case local and domain users are always unique.
> > I think it appears you are getting group information from winbind since
> > you have the "force group" entry in smb.conf.
> It's strange. When I added force user to the share description, samba set
> the uid of the new file from ldap.
> > You should look at the man page for idmap_nss. In theory, this should
> > let you use a local backend to store the idmap entries, and the idmap
> > system should map the SID's to the existing unix uid and gid. Never
> > worked for me in practice.
> I read the man page
> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
> get a clear understanding.
> > Alternately, you may want to manually edit the idmap entries in ldap.
> > The domain controller should have automatically created them.
> there are 10-15 entries in the ou Idmap
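As an added example (not part of the original mail), a small POSIX sh script that automates the first step Angel describes: confirming that nsswitch.conf resolves passwd and group through ldap, and not through winbind, before running "net rpc join". The nsswitch.conf it checks is a constructed sample written to a temp file; on a real host you would point check_member_prereqs at /etc/nsswitch.conf.

```shell
#!/bin/sh
# Pre-join sanity check for a Samba member server that resolves users and
# groups through NSS/LDAP rather than winbind, as the thread describes.
# Added example, not from the original mail; the sample file is constructed.

# nss_sources FILE DB: print the lookup sources configured for DB
# (e.g. "files ldap" for DB=passwd), ignoring comments.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# nss_has_source FILE DB SRC: succeed if SRC is listed for DB.
nss_has_source() {
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = "$3" ] && return 0
    done
    return 1
}

# check_member_prereqs FILE: succeed only if passwd and group both list
# ldap; report what is missing, and warn if winbind is listed as well,
# since that contradicts the goal of an LDAP-only member server.
check_member_prereqs() {
    rc=0
    for db in passwd group; do
        if ! nss_has_source "$1" "$db" ldap; then
            echo "nsswitch: '$db' does not list ldap (have: $(nss_sources "$1" "$db"))" >&2
            rc=1
        fi
        if nss_has_source "$1" "$db" winbind; then
            echo "nsswitch: '$db' lists winbind; not needed for this setup" >&2
        fi
    done
    return $rc
}

# write_sample_nsswitch FILE: constructed nsswitch.conf in which group
# deliberately lacks ldap, so the check reports a problem.
write_sample_nsswitch() {
    printf '# sample\npasswd:  files ldap\nshadow:  files ldap\ngroup:   files  # no ldap\n' > "$1"
}

# On a real host point this at /etc/nsswitch.conf, then confirm with
# "getent passwd <ldapuser>" and "getent group <ldapgroup>" before joining.
f=$(mktemp); write_sample_nsswitch "$f"
check_member_prereqs "$f" || echo "fix nsswitch.conf before 'net rpc join'"
rm -f "$f"
```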