[Samba] Prevent smbd from consulting winbindd

Lukas w3l at suva.ch
Wed Jan 25 04:08:33 MST 2012


On 25.01.2012 11:49, Victor Sudakov wrote:
> Lukas wrote:
>>>>> Colleagues, please respond. Have I asked something too unconventional
>>>>> or something too trivial?
>>>>
>>>> idmap backend = nss ??
>>>
>>> Its man page is very scarce. Is it supposed to work at all? Do you have any
>>> experience with it?
>>>
>>> root@fs02-sibptus:~# id zimaev
>>> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
>>> root@fs02-sibptus:~# wbinfo -n zimaev
>>> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
>>> root@fs02-sibptus:~# wbinfo -i zimaev
>>> Could not get info for user zimaev
>>> root@fs02-sibptus:~#
>>>
>>> what gives?
>>>
>>
>> what do you have in smb.conf defined for security?
>> (general portion of smb.conf)
>
> [global]
> workgroup = SIBPTUS
> wins server = 10.14.134.1 10.14.134.4
> security = domain
> idmap backend = nss
> idmap uid = 1000-1999999
> idmap gid = 1000-1999999
> template shell = /bin/bash
> winbind use default domain = Yes
> allow trusted domains = Yes
>
>
To me it seems, since you have security = domain, samba will always try to 
authenticate to the domain controller.
Therefore: wbinfo -i zimaev will not return something valid, unless you 
prepend the user with the domain (wbinfo -i DOMAIN\zimaev; don't forget 
to map the backslash with a second one: DOMAIN\\zimaev) :-)

More about how that works with the security:
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SECURITY

The idmap backend = nss just tells samba where to store the mapping 
information from AD versus *nix users.

that's about what I know of... :)
hope it can hint you to where you'd like to go ...
L.
