[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running

Rowland Penny rpenny at samba.org
Sat Feb 18 07:59:55 UTC 2023



On 18/02/2023 00:20, Bob Green via samba wrote:

> idmap config rid will map my SID to a UID, but it's a different UID
> than what "getent passwd $USER" reports on the samba server.

Ah, you have local users with the same name as users in AD, totally 
un-required as Samba now makes AD users into local Unix users.

> In my
> scenario most files being served by samba are created by Linux
> accounts, whose linux group IDs are not rationalized in AD. I was
> hoping idmap_nss might "offload/ignore" the SID information, and that
> samba could simply map the kerberos principal name in the
> authentication to what the samba server OS knows about the matching
> account name including extended group membership, perhaps similar to
> how openssh or some other kerberized application might try to map a
> principalname to local account.

idmap nss should do what you require.
Like a lot of posts on here, yours required me to be something I am not, 
a mind reader.

> 
> Can I configure samba to allow kerberized authentications while not
> having it attempt to do any uid or gid mapping? 

No

> Perhaps I should try
> security = user or security = domain?

No and no
The first is for a standalone server and will not work, the second is 
very similar to 'security = ADS' but is used against the deprecated 
NT4-style domains (which didn't use kerberos).

Rowland
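
The UID mismatch described in the quoted question can be checked before changing idmap backends. This is an added example, not part of the original post or of Samba's code: it applies the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID) and compares the result with local passwd entries. The user names, SIDs, idmap range and passwd lines are constructed, and the function names are hypothetical.

```python
# Added example: all sample data below is constructed, not taken from the thread.

def rid_of(sid: str) -> int:
    """Return the RID, the last sub-authority of a SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])

def rid_backend_uid(sid, range_low, range_high, base_rid=0):
    """ID per the idmap_rid formula, or None when it falls outside the range."""
    uid = rid_of(sid) - base_rid + range_low
    return uid if range_low <= uid <= range_high else None

def parse_passwd(text: str) -> dict:
    """Map user name -> UID from passwd(5)-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def find_mismatches(ad_users, passwd_text, range_low, range_high):
    """List (name, local_uid, rid_uid) for local accounts that share a name
    with an AD user but carry a different UID than idmap_rid would assign."""
    local = parse_passwd(passwd_text)
    out = []
    for name, sid in sorted(ad_users.items()):
        rid_uid = rid_backend_uid(sid, range_low, range_high)
        if name in local and local[name] != rid_uid:
            out.append((name, local[name], rid_uid))
    return out

# Constructed sample input: a local passwd excerpt and two AD users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:J Doe:/home/jdoe:/bin/bash
"""
SAMPLE_AD = {
    "jdoe": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1106",
}

if __name__ == "__main__":
    for name, local_uid, rid_uid in find_mismatches(
            SAMPLE_AD, SAMPLE_PASSWD, 10000, 999999):
        print(f"{name}: local UID {local_uid}, idmap_rid UID {rid_uid}")
```

Files owned by the local UID are not owned by the UID the rid backend assigns to the same name, so each reported pair marks an account whose file ownership would not line up.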




