Hello list,

I need to set up a samba file server with user access from a Windows AD
domain and a separate Solaris NIS domain. All of our users have an account
on the AD domain but only some of our users have a Unix account. I would
like Windows users that have a Unix account to have files written as per
their Unix uid and users that do not have an account to have a uid assigned
from winbind.

I had thought of using winbind with

    winbind trusted domains only = yes

with the nsswitch.conf file listing

    passwd: files winbind nis
    shadow: files winbind nis
    group:  files winbind nis

which I thought would match known user names to NIS IDs and unknown user
names to winbind uids. This does not work as I expected, as all users are
given winbind uids.

If I change nsswitch.conf to

    passwd: files nis winbind
    shadow: files nis winbind
    group:  files nis winbind

users that have Unix accounts are given the NIS uid but users without a Unix
account are asked for a username/password when connecting to Samba.

Can anyone confirm that what I am trying to do is possible and, if so, any
ideas what I have missed?

I am testing with 3.0.9 on FC3.

My smb.conf below

    [global]

    workgroup = AD
    server string = Samba
    printcap name = /etc/printcap
    load printers = yes
    cups options = raw
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ads
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    name resolve order = wins bcast
    wins server = 192.168.2.19
    dns proxy = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    password server = *
    realm = AD.MYDOMAIN.CO.UK
    winbind trusted domains only = yes
    winbind use default domain = no

Thanks in advance

Dean Plant

On Wed, Dec 15, 2004 at 10:14:12AM -0000, Plant, Dean wrote:
| I need to set up a samba file server with user access from a Windows AD
| domain and a separate Solaris NIS domain. All of our users have an account
| on the AD domain but only some of our users have a Unix account. I would
| like Windows users that have a Unix account to have files written as per
| their Unix uid and users that do not have an account to have a uid assigned
| from winbind.
|
| [...]
|
| Can anyone confirm that what I am trying to do is possible and, if so, any
| ideas what I have missed?

It's not possible with Samba "as-is". I worked out a solution by
implementing a new option -- "trim default domain", and posted the patches
to samba-technical. See:

http://www.dragoninc.on.ca/mail-archives/samba-technical/2004-10/0342.html

Maybe the Samba team will consider the patch (or another way to solve this
problem), as it's apparent that I'm not the only person who needs to do
this.

Cheers,
Luke.

Hi,

that behavior is logically correct, I would say. What happens is: the user
is found from NIS, and gets a userid not from the winbind range. As a result
Samba is not able to verify this uid against the AD, as it is not an AD user
ID.

I guess to achieve what you want you would have to add the NIS users to the
local smbpasswd database with the correct username and password and tell
Samba to look up users first in the local database and then in AD. But I
don't know if this is possible, I never tried it.

Question to the developers: IF the AD mode is implemented as a normal TDB
backend I guess it would work, but I think this is a little bit of a
different beast, isn't it? Wouldn't it be a nifty feature for future
versions of Samba, giving it much more flexibility?

Christoph

Plant, Dean wrote:
> Hello list,
>
> I need to set up a samba file server with user access from a Windows AD
> domain and a separate Solaris NIS domain. All of our users have an account
> on the AD domain but only some of our users have a Unix account. I would
> like Windows users that have a Unix account to have files written as per
> their Unix uid and users that do not have an account to have a uid assigned
> from winbind.
>
> I had thought of using winbind with
>
> winbind trusted domains only = yes
>
> with the nsswitch.conf file listing
>
> passwd: files winbind nis
> shadow: files winbind nis
> group: files winbind nis
>
> which I thought would match known user names to NIS IDs and unknown user
> names to winbind uids. This does not work as I expected, as all users are
> given winbind uids.
>
> If I change nsswitch.conf to
>
> passwd: files nis winbind
> shadow: files nis winbind
> group: files nis winbind
>
> users that have Unix accounts are given the NIS uid but users without a Unix
> account are asked for a username/password when connecting to Samba.
>
> Can anyone confirm that what I am trying to do is possible and, if so, any
> ideas what I have missed?
>
> I am testing with 3.0.9 on FC3.
>
> My smb.conf below
>
> [global]
>
> workgroup = AD
> server string = Samba
> printcap name = /etc/printcap
> load printers = yes
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ads
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> name resolve order = wins bcast
> wins server = 192.168.2.19
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> password server = *
> realm = AD.MYDOMAIN.CO.UK
> winbind trusted domains only = yes
> winbind use default domain = no
>
> Thanks in advance
>
> Dean Plant
>
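
Added example, not part of the thread and not Samba code: a small audit of `getent passwd`-style output that classifies each account by whether its uid falls inside the `idmap uid` range from the smb.conf above, and reports people who resolve to two different uids (one Unix, one winbind), since their files would end up under two owners. The sample accounts and uids are constructed, and the backslash separator is assumed to be the winbind default.

```python
# Added example (not from the thread): audit which ID source each account uses.
IDMAP_UID_RANGE = (16777216, 33554431)  # "idmap uid" from the smb.conf in the thread

# Constructed sample in `getent passwd` format; names and uids are made up.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
alice:x:5012:100:Alice (NIS):/home/alice:/bin/ksh
AD\\alice:x:16777217:16777216::/home/AD/alice:/bin/false
AD\\bob:x:16777218:16777216::/home/AD/bob:/bin/false
broken line without enough fields
"""


def parse_passwd(text):
    """Yield (name, uid) from passwd-format lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])


def source_of(uid, idmap_range=IDMAP_UID_RANGE):
    """'winbind' if the uid was allocated from the idmap range, else 'unix' (files or NIS)."""
    lo, hi = idmap_range
    return "winbind" if lo <= uid <= hi else "unix"


def audit(text, separator="\\"):
    """Map short user name -> {source: uid}, folding DOMAIN\\user onto user."""
    seen = {}
    for name, uid in parse_passwd(text):
        short = name.split(separator)[-1].lower()
        seen.setdefault(short, {})[source_of(uid)] = uid
    return seen


def split_identities(text):
    """Names that resolve to both a Unix uid and a winbind uid."""
    return sorted(n for n, m in audit(text).items() if len(m) == 2)


if __name__ == "__main__":
    for name, mapping in sorted(audit(SAMPLE_GETENT).items()):
        print(name, mapping)
    print("two uids for one person:", split_identities(SAMPLE_GETENT))
```

On a real server, feed it the output of `getent passwd` captured under each nsswitch.conf ordering and compare the results.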