[Samba] Samba domain member server using only nss ldap

Alex Domoradov alex.hha at gmail.com
Tue Feb 21 01:13:35 MST 2012

Thanks, I'll try your solution

On Mon, Feb 20, 2012 at 10:56 AM, Angel Bosch <abosch at cilma.net> wrote:

> Hi,
> not sure if you solved this. I'll give my advice anyway.
> if you know how to configure NSS/LDAP at system level is the simplest way
> i've found to configure a member server.
> first, be sure to have all nss related configured (nsswitch.conf,
> ldap.conf) and check it with "getent passwd" and "getent group".
> once you have that, create a machine account on the PDC and join the
> member server (net rpc join).
> then configure member server as a simple file server with no reference to
> LDAP. you don't need any ldap setting in smb.conf, just something like:
> [global]
>        workgroup = MYDOM
>        server string = %h server
>        security = DOMAIN
>        password server = mypdc.example.com
> [prova3]
>        comment = proves de membre samba
>        path = /tmp/prova3
>        read only = No
>        guest ok = Yes
> this is the simplest way i've found to do it.
> regards,
> abosch
> ----- Original Message -----
> From: "Alex Domoradov" <alex.hha at gmail.com>
> To: samba at lists.samba.org
> Sent: Wednesday, February 15, 2012 10:29:19 PM
> Subject: Re: [Samba] Samba domain member server using only nss ldap
> > On a member server, the ldap backend should not be needed for user and
> group look up. You do need some sort of idmapping for the unix level to
> see the UID's and GID's assigned to the samba users, and use those uid's
> and gid's to set file permissions.
> I need to do idmapping via winbind or something else?
> > I haven't had much luck with member servers either. it does get trickier
> when you have ldap used for both unix accounts and samba accounts. I
> found it easier to configure my primary machines as domain controllers.
> I need to use LDAP only for samba accounts, not local (unix)
> > I think generally your nsswitch.conf file should include entries to allow
> unix to retrieve uid's and gid's from winbind.
> > passwd: files ldap winbind
> > shadow: files ldap winbind
> > group: files ldap winbind
> but according to
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldapIf
> I have one domain and all server are the member of this domain there
> is
> no need to use winbind at all. Did I miss something?
> > This means that you would be able to type "getent user1" and "getent
> MYDOMAIN\user1." I
> I don't need such case, in my case local and domain users always unique
> > I think it appears you are getting group information from winbind since
> have the "force group" entry in smb.conf.
> It's strange. When I added force user to the share description, samba set
> uid of the new file from ldap
> > You should look at the man page for idmap_nss. In theory, this should
> let you use a local backend to store the idmap entries, and the idmap
> system should use map the SID's to the existing unix uid and gid. Never
> worked for me in practice.
> I read the man
> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
> get clear understanding
> > Alternately, you may want to manually edit the idmap entries in ldap.
> The domain controller should have automatically created them.
> there are a 10-15 entries in the ou Idmap
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list