This is mostly guesswork, from posts and mails; I'd really appreciate your views on these items, thanks.

Should winbind run on a PDC? All accounts are supposed to exist on it or be managed via add user / add machine.

Is winbind recommended on a multi file services network (SMB+NFS+AFS+etc) and when ACLs are used? From various it seems not: winbind gets the name only from the PDC and sets a random id in the idmap, so ids differ on PDC and members, also between members.

PS: and could running winbind on a PDC get it to map the user to two ids on it: one static, created at account genesis, and the other when the PDC uses getpwnam, getting the libc to call the local winbind? It depends on the order of the "passwd" attributes in /etc/nsswitch, but what if the admin set winbind before compat (or unix)?

I also had a difficult case with a domain member (samba+winbind) where a local user had the same name as the domain one: with "winbind use default domain" set to yes a conflict arises. Is there a rationale behind this being the default?

For pam: is the winbind domain separator only for local domain member usage, or should it be set up the same on the PDC?

Alban
Alban Browaeys wrote:
> This mostly guesses, from posts and mails, i d really appreciate your
> views on those items, thanks
>
> Should winbind run on a PDC ?

No, winbind gives Unix user information from the SAM. It is only interesting if you have a Windows PDC. Because uid mapping is done on a "first connected, first mapped" basis, it won't help a lot if you need to have more than one Unix NT-domain-member server.

> all account are supposed to exists on it or be managed via add user/ add
> machine

Don't understand your question, if any, here?? User & computer accounts (if Samba PDC) are supposed to exist on the Unix side. It could either be done by /etc/passwd, i.e. the standard Unix way, or by an LDAP directory, which would be serving Unix (with the Posix Account schema) and Samba (with the Samba[Sam]Account schema). The real advantage of the LDAP approach is that it allows a NIS replacement (this answers your next question) with automount information distributed by LDAP, and also connected with Samba. Don't know for AFS.

> Is winbind recommended on a multi file services network (SMB+NFS+AFS+etc)
> and when ACL are used:
> from various it seems not , winbind get the name only from the PDC and set
> a random id in the idmap, so id differs on pdc and menbers, also between
> menbers

See below. This is why Samba screams as a NT4 PDC based on LDAP in a multi-OS environment, compared to a Windows NT4 (or 2K with NT4 domain compatibility) with winbind for Unix. Or if you want to keep your Windows as the domain controller, go and see ADS services, with Samba integration in the ADS. Nice, but you'll still need to pay MS for client licences, really painful (have not tried it, but look in the list for the technical requirements). And you will also need to use a specifically customized NSS LDAP client on Unix.

Can't help further for your last questions.

Regards, & RHTH,
Jérôme
Alban Browaeys wrote:
| Should winbind run on a PDC ?
| all account are supposed to exists on it or be managed
| via add user/ add machine

winbindd on a Samba PDC is only needed if the PDC has established trust relationships.

| Is winbind recommended on a multi file services network
| (SMB+NFS+AFS+etc) and when ACL are used:
| from various it seems not , winbind get the name only
| from the PDC and set a random id in the idmap, so id differs
| on pdc and menbers, also between menbers

This can be corrected using the ldap backend for winbindd. It's not really well documented, I'm afraid.

| ps: and does running winbind on a PDC could get it to
| map the user to two id on it : one static created at account
| genesis and the other when the PDC use getpwnam , getting
| the libc to call teh local wibind . It depend on the order of
| the "passwd" attributes in /etc/nsswitch but
| waht if the admin setted winbind before compat (or unix) ?

If I understand you correctly the answer is no. Think of it like this. On a Samba PDC, smbd is authoritative for its own domain accounts (which must be UNIX users by definition) and winbindd is used to provide UNIX accounts for users and groups from trusted domains.

| I also had a difficult case with a domain menber
| (samba+winbind) where a local user had the same name
| as the domain one: with "winbind use default domain"
| set to yes a conflict arise , is there a rational
| behind this behing default ?

And yet another reason for me to hate that parameter....

| For pam:
| is the winbind domain separator , only for local domain menber
| usage , or should it be setted up same on the PDC ?

I don't understand your question here.
cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
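As an added illustration, not taken from this thread or from the Samba project, here is the configuration shape the two answers above point at for a Samba 3.0-era domain member: local files resolved before winbind in nsswitch.conf, "winbind use default domain" left off so a domain user cannot shadow a same-named local account, and the ldap idmap backend so uid/gid mappings agree across members. The domain name, LDAP host, suffixes and id ranges are placeholders.

```ini
# /etc/nsswitch.conf (domain member): local files first, winbind after,
# so a local account always wins over a same-named domain account.
passwd:  files winbind
group:   files winbind

# /etc/samba/smb.conf (domain member) -- placeholder names throughout
[global]
    workgroup = EXAMPLEDOM
    security = domain
    password server = *

    # Weak setting: domain users appear as bare "alice", which collides
    # with a local "alice" in /etc/passwd.
    ;winbind use default domain = yes

    # Safer: keep the domain prefix, so the domain user is EXAMPLEDOM+alice
    # and the local alice stays distinct. Use the same separator on every
    # member so names resolve identically everywhere.
    winbind use default domain = no
    winbind separator = +

    # Shared idmap store: every member (and a PDC running winbindd for
    # trusted domains) allocates and reads SID<->uid/gid mappings from the
    # same LDAP tree instead of a per-host tdb, so ids agree across hosts.
    idmap backend = ldap:ldap://ldap.example.com
    ldap idmap suffix = ou=Idmap,dc=example,dc=com
    ldap admin dn = cn=samba,dc=example,dc=com
    idmap uid = 10000-20000
    idmap gid = 10000-20000
```

On the PDC itself winbindd is only needed for trusted domains, as Jerry notes; the PDC's own accounts stay in its passwd backend and are never allocated from the idmap range.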