[Samba] Restricting access to [homes]

NdK ndk.clanbo at gmail.com
Wed May 23 13:39:29 MDT 2012

On 23/05/2012 15:30, steve wrote:

> If the gidNumber for the gid is stored in AD (as the 2008 and samba4
> schema allow) then there can be no clash. It is then no problem in
> extracting it and applying it using normal /etc/nsswitch.conf format.
The AD schema is still 2003. And whoever manages it thinks the world is
Win-only :( It's easier to talk a mountain into moving itself than to
make 'em change a single bit in the schema...

> With ldapd/nslcd running, you can chown and chmod using the names of the
> AD groups and users exactly as advertised in getent passwd or wbinfo
> calls. It is then reflected perfectly by the filer. OK, with samba4 and
> cifs/s3fs there are currently a few problems but under 3.6 it maps
> perfectly.
I'm using Squeeze, which ships with 3.5.6 (I know it's old, and it actually
gives trouble when its ntlm_auth is used by FreeRadius!).

I'm locked into using idmap rid:
        winbind enum users = No
        winbind enum groups = No
        winbind offline logon = Yes
        winbind nested groups = Yes
        winbind normalize names = Yes
        winbind refresh tickets = Yes
        winbind use default domain = yes
# old values, changed to see if it could fix the wrong mapping
#        winbind uid = 100000-100000001
#        winbind gid = 100000-100000001
        winbind uid = 10000-99999
        winbind gid = 10000-99999

        idmap domains = PERSONALE STUDENTI

        idmap config PERSONALE:backend = rid
        idmap config PERSONALE:base_rid  = 500
        idmap config PERSONALE:range = 100000 - 49999999
        idmap config STUDENTI:backend = rid
        idmap config STUDENTI:base_rid  = 500
        idmap config STUDENTI:range = 50000000 - 99999999

root@str00160-samba:~# wbinfo -n domain_users
S-1-5-21-2162351890-1506888927-3107636301-513 SID_DOM_GROUP (2)
root@str00160-samba:~# wbinfo -Y
root@str00160-samba:~# wbinfo -G 100013

As you can see, the mapping from gid to SID resolves to a different
domain (and, obviously, a different group). I'm not interested in resolving
users and groups from domains other than PERSONALE and STUDENTI, so if
it were possible to disable 'em, that would be great!

And I hate not being able to understand why it happens. I already
deleted all .tdb files (except secrets.tdb, or I'd have had to rejoin
the machine), with samba and winbind services stopped.
No nscd or similar daemon installed (I remember reading it could give

I can't enable enum users or enum groups due to the size of the
directory (last time I did a wbinfo -g it took hours to complete, on a
100Mbit link!).

