[Samba] Prevent smbd from consulting winbindd

Victor Sudakov vas at mpeks.tomsk.su
Wed Jan 25 07:06:34 MST 2012


Lukas wrote:
> > Lukas wrote:
> >>>>> Colleagues, please respond. Have I asked something too unconventional
> >>>>> or something too trivial?
> >>>>
> >>>> idmap backend = nss ??
> >>>
> >>> Its man page is very scarce. Is it supposed to work at all? Do you have any
> >>> experience with it?
> >>>
> >>> root@fs02-sibptus:~# id zimaev
> >>> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
> >>> root@fs02-sibptus:~# wbinfo -n zimaev
> >>> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
> >>> root@fs02-sibptus:~# wbinfo -i zimaev
> >>> Could not get info for user zimaev
> >>> root@fs02-sibptus:~#
> >>>
> >>> what gives?
> >>>
> >>
> >> what do you have in smb.conf defined for security?
> >> (general portion of smb.conf)
> >
> > [global]
> > workgroup = SIBPTUS
> > wins server = 10.14.134.1 10.14.134.4
> > security = domain
> > idmap backend = nss
> > idmap uid = 1000-1999999
> > idmap gid = 1000-1999999
> > template shell = /bin/bash
> > winbind use default domain = Yes
> > allow trusted domains = Yes
> >
> >
> To me it seems, since you have security = domain, samba will try to 
> authenticate always to the domain controller.
> Therefore: wbinfo -i zimaev will not return something valid, unless you 
> prepend the user with the domain (wbinfo -i DOMAIN\zimaev don't forget 
> to map the backslash with a second one DOMAIN\\zimaev) :-)

Don't forget, I have "winbind use default domain = Yes" and 
"wbinfo -n user_without_domain" is successful. Anyway, I have tried both:

root@fs02-sibptus:~# wbinfo -n kuskovaa
S-1-5-21-839522115-2139871995-725345543-1114 User (1)
root@fs02-sibptus:~# wbinfo -i kuskovaa
Could not get info for user kuskovaa
root@fs02-sibptus:~# wbinfo -i SIBPTUS\\kuskovaa
Could not get info for user SIBPTUS\kuskovaa
root@fs02-sibptus:~# wbinfo --own-domain
SIBPTUS
root@fs02-sibptus:~#


> More about how that works with the security:
> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SECURITY
> 
> The idmap backend = nss just tells samba, where to store the mapping 
> information from AD- versus *nix-Users.

Yes, I want to store the mapping in getpwnam() and the primary group
in getgrnam().

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

