[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users
Rowland Penny
rowlandpenny at googlemail.com
Mon Jul 21 10:03:05 MDT 2014
On 21/07/14 16:47, Elias Probst wrote:
> On 07/21/2014 05:38 PM, Rowland Penny wrote:
>> This seems to say that winbind will map the domain users to local users,
>> so I suppose the next question has to be, is winbind running ?
> Looking at [1] I don't think I'd need winbindd, as winbindd is in this
> scenario obsoleted by SSSD.
>
>
> [1]
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
>
>> Winbind is not used; users and groups resolved via NSS:
>>
>> In this situation user and group accounts are treated as if they are
>> local accounts. The only way in which this differs from having local
>> accounts is that the accounts are stored in a repository that can be
>> shared. In practice this means that they will reside in either an
>> NIS-type database or else in LDAP.
>>
>> This configuration may be used with standalone Samba servers, domain
>> member servers [sic!] (NT4 or ADS), and for a PDC that uses either an
>> smbpasswd or a tdbsam-based Samba passdb backend.
> winbind would just duplicate the efforts (talk to LDAP/AD to resolve
> users etc.) already done by SSSD.
> See also: https://www.fedorahosted.org/sssd/wiki/SSSD-vs-Winbind
>
> - Elias
>
Hi, but this is what you are doing, samba is providing the shares and
allowing entry based on what you have in smb.conf on the fileserver but
authentication is coming via sssd, The user that winbind expects could
have the ID xxxxxx but sssd is supplying yyyyyyyyyy
The only way that I have found that works is to give every user an
uidNumber and the groups a gidNumber and then use the winbind ad
backend, this way you can ensure that the user gets the same ID everywhere.
Rowland
More information about the samba
mailing list