[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users

[Rowland Penny]

On 21/07/14 16:22, Elias Probst wrote:
> On 07/21/2014 05:15 PM, Rowland Penny wrote:
>> OK, have you joined the fileserver to the domain? what is in
>> /etc/nsswitch.conf or to put it another way, how does the fileserver
>> know about the domain users & groups? does getent passwd show the domain
>> users ?
> The server is joined to the domain.
>
> nsswitch.conf is set up properly which is backed by the fact that things
> like
>    getent passwd some-domain-user
>    getent group some-domain-group
>    chown some-domain-user:some-domain-group /tmp/foobar
> work just fine and show the expected results.
>
> 'klist -ke' (full output see also my initial mail) looks good to me.
>
>
>
Hi, to be honest, I have never used the 'nss' backend, but a quick look 
at the idmap_nss manpage reveals this:

DESCRIPTION
        The idmap_nss plugin provides a means to map Unix users and 
groups to
        Windows accounts and obsoletes the "winbind trusted domains only"
        smb.conf option. This provides a simple means of ensuring that 
the SID
        for a Unix user named jsmith is reported as the one assigned to
        DOMAIN\jsmith which is necessary for reporting ACLs on files and
        printers stored on a Samba member server.

This seems to say that winbind will map the domain users to local users, 
so I suppose the next question has to be, is winbind running ?

Rowland