[Samba] Winbind and nss-ldap

Praveen Ghimire PGhimire at sundata.com.au
Thu Oct 4 09:11:01 UTC 2018


Totally agree about the AD bit, that's where we are heading.
The box that hosts the files is a Samba 3.6 box and has some mileage under it. So we decided to run up a Samba 4.x box, transfer the PDC role to it and then AD upgrade it. The user permission issue has thrown a spanner in the works. Can you think of a workaround? Obviously changing the group permission of the home folders is not a good option.
We have used libnss and/or winbind, both with varying degrees of issues. Lib-nss causes user-level issues and winbind covers the group one :)



Regards,

Praveen Ghimire


-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 4/10/2018 6:56 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind and nss-ldap

On Thu, 4 Oct 2018 08:34:03 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> We are caught in a similar situation. The question is if the users
> and groups are defined in /etc/passwd and /etc/group, shouldn't the
> server auth them using these first? As nsswitch directs the server to
> look at "files" first. Shouldn't this be the default regardless of
> winbind/ldap configs?
>

This was the really old way of doing things in an NT4-style domain and
was mostly used where the users would never log into the machine and
only connect via Samba.

Yes, if a user is in /etc/passwd, then this user will be used (if the
user logs into the computer directly) instead of the domain user. This
is why you cannot have a local user with the same name as an AD user.

When you use LDAP with a PDC/BDC, you do not need the local users, you
should set the OS to use ldap for the domain users.

Having said all of that, anybody who is still using an NT4-style domain
should seriously consider upgrading to AD before it is too late.

Rowland
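
The reply above explains that with "files" listed first, an /etc/passwd entry is used instead of a domain user of the same name. The following check is an added example, not part of the original thread: it lists account names present in both a local passwd file and a passwd-format dump of the domain users, and flags differing UIDs. The function names and sample entries are constructed, and the `getent -s` service names in the comments are assumptions about the host's NSS setup.

```shell
#!/bin/sh
# find_shadowed LOCAL_PASSWD DOMAIN_PASSWD
# Both arguments are passwd-format files (name:pw:uid:gid:gecos:home:shell).
# On a real host the inputs could come from, for example:
#   getent -s files passwd   > local.txt
#   getent -s winbind passwd > domain.txt   (or -s ldap; assumption)
# Prints "name local_uid domain_uid status" for each name found in both.
find_shadowed() {
    awk -F: '
        # First file: remember the UID of every local account.
        FILENAME == ARGV[1] {
            if ($1 != "" && $1 !~ /^#/) local_uid[$1] = $3
            next
        }
        # Second file: a domain account whose name also exists locally
        # is resolved from "files" when that source is listed first.
        ($1 in local_uid) {
            status = (local_uid[$1] == $3) ? "same-uid" : "uid-mismatch"
            print $1, local_uid[$1], $3, status
        }
    ' "$1" "$2"
}

# Constructed sample data, not taken from any real system.
sample_local() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
EOF
}

sample_domain() {
    cat <<'EOF'
alice:*:10500:10513::/home/alice:/bin/sh
bob:*:1002:10513::/home/bob:/bin/sh
carol:*:10502:10513::/home/carol:/bin/sh
EOF
}

# Demo run on the constructed data.
tmp=$(mktemp -d)
sample_local  > "$tmp/local"
sample_domain > "$tmp/domain"
find_shadowed "$tmp/local" "$tmp/domain"
rm -rf "$tmp"
```

A `uid-mismatch` line means files owned by the domain UID will not belong to the account the server resolves for that name.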
