Is it possible at all to use POSIX ACLs without mapping Windows domain SIDs randomly into UNIX UIDs with winbindd? -- Anton Solovyev

Anton Solovyev wrote:

| Is it possible at all to use POSIX ACLs without mapping
| Windows domain SIDs randomly into UNIX UIDs with winbindd?

Yes. But there have been a few post 3.0.0 fixes for this
so you might want to test with the latest SAMBA_3_0 cvs code.

cheers, jerry

Gerald (Jerry) Carter wrote:

> > Is it possible at all to use POSIX ACLs without mapping
> > Windows domain SIDs randomly into UNIX UIDs with winbindd?
>
> Yes. But there have been a few post 3.0.0 fixes for this
> so you might want to test with the latest SAMBA_3_0 cvs code.

Does this mean it is, in fact, broken in the release code?

-- Anton Solovyev

Anton Solovyev wrote:

| Gerald (Jerry) Carter wrote:
|
|> > Is it possible at all to use POSIX ACLs without mapping
|> > Windows domain SIDs randomly into UNIX UIDs with winbindd?
|>
|> Yes. But there have been a few post 3.0.0 fixes for this
|> so you might want to test with the latest SAMBA_3_0 cvs code.
|
| Does this mean it is, in fact, broken in the release code?

In some cases (security = ads and trusted AD domains).

cheers, jerry

Hewlett-Packard - http://www.hp.com
SAMBA Team - http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)

Gerald (Jerry) Carter wrote:

> |> > Is it possible at all to use POSIX ACLs without mapping
> |> > Windows domain SIDs randomly into UNIX UIDs with winbindd?
> |>
> |> Yes. But there have been a few post 3.0.0 fixes for this
> |> so you might want to test with the latest SAMBA_3_0 cvs code.
> |
> | Does this mean it is, in fact, broken in the release code?
>
> In some cases (security = ads and trusted AD domains).

I use Samba in security=domain mode and want NT domain SIDs mapped into UNIX UIDs with matching user names. Winbindd does not help, since it wants to assign random UIDs on its own. Am I going to get this functionality after I switch into AD mode?

I am surprised it is such a gray area. You would think that pre-existing UNIX accounts matching Windows accounts and mixed access to UNIX boxes through Samba and interactive session is the most common configuration...

Thanks!

-- Anton Solovyev

Anton Solovyev wrote:

| I use Samba in security=domain mode and want
| NT domain SIDs mapped into UNIX UIDs
| with matching user names. Winbindd does not
| help, since it wants to assign random UIDs on its own.
|
| Am I going to get this functionality after I
| switch into AD mode?

No. It will work without winbindd using security = domain.

| I am surprised it is such a gray area. You
| would think that pre-existing UNIX accounts
| matching Windows accounts and mixed access to
| UNIX boxes through Samba and interactive
| session is the most common configuration...

What is gray about this to you? If you are running winbindd, then UNIX accounts are created automatically for the Windows users. If the winbindd lookup fails, then we look up an existing UNIX account by the same username.

There was one bug in the 3.0.0 release regarding this behavior and it has been fixed in cvs. The only installations affected were those joined to an AD domain and trying to use local UNIX accounts for users from trusted realms.

cheers, jerry