[Samba] Grant only one AD group to samba share ?
ndk.clanbo at gmail.com
Wed May 23 14:27:55 MDT 2012
On 22/05/2012 22:17, Newman, John W wrote:
> Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is: idmap uid = 10000-20000 idmap gid=10000-20000 .... I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?
If you have to keep a consistent uid and gid mapping (not really needed,
unless you use NFS, I think), use another idmap backend. I used RID, which
applies a simple formula to the SID to obtain a uid and gid consistent
across all the clients accessing an NFS server.
>> Are nsswitch.conf and PAM configured for authentication?
> For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.
Edit /etc/nsswitch.conf to include winbind as a data source for both
passwd and group info. Once you've done this, you'll be able to use AD
names as standard *nix names, and the reverse mapping will automatically
happen (like when doing an "ls -l").
If you don't do that, you'll keep getting "unknown group".
PS: I prefer to keep "normalize names", that makes AD names lowercase
and replaces spaces with underscores. This is my winbind-related part of
# Big dir -- I must disable enums. If your dir is small, enable 'em!
winbind enum users = No
winbind enum groups = No
# Allow logon even if network isn't available
winbind offline logon = Yes
# Deep-resolve groups (heavy and slow!)
winbind nested groups = Yes
# *nix-friendly names
winbind normalize names = Yes
winbind refresh tickets = Yes
winbind use default domain = yes
winbind uid = 10000-99999
winbind gid = 10000-99999
idmap domains = PERSONALE STUDENTI
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
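
Added example, not part of the original post: a Python sketch of the mapping the rid backend performs, using the documented idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID on the ranges quoted above, plus a check that no two domains' ranges overlap. The function names and the SID in the usage note are constructed for illustration.

```python
import re

# Constructed input: the per-domain idmap lines from the post above.
SMB_CONF = """
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
"""

def parse_idmap(text):
    """Collect 'idmap config DOMAIN:key = value' lines into per-domain dicts."""
    domains = {}
    pattern = r"^\s*idmap config (\w+):(\w+)\s*=\s*(.+?)\s*$"
    for m in re.finditer(pattern, text, re.M):
        dom, key, val = m.groups()
        cfg = domains.setdefault(dom, {})
        if key == "range":
            cfg["low"], cfg["high"] = (int(x) for x in val.split("-"))
        elif key == "base_rid":
            cfg["base_rid"] = int(val)
        else:
            cfg[key] = val
    return domains

def overlapping(domains):
    """Pairs of domains whose ID ranges intersect; with an overlap, two
    different SIDs could resolve to the same uid/gid and share file access."""
    names = sorted(domains)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if domains[a]["low"] <= domains[b]["high"]
            and domains[b]["low"] <= domains[a]["high"]]

def rid_to_id(sid, cfg):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID to the last SID component.
    Returns None when the result would fall outside the configured range."""
    rid = int(sid.rsplit("-", 1)[1])
    base = cfg.get("base_rid", 0)
    if rid < base:
        return None  # below base_rid: not mappable in this range
    unix_id = rid - base + cfg["low"]
    return unix_id if unix_id <= cfg["high"] else None
```

With the constructed SID S-1-5-21-1111111111-2222222222-3333333333-1105, rid_to_id() gives 100605 under the PERSONALE settings on any host using the same configuration, which is what keeps ownership consistent on a shared NFS export.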