I think I'm getting a better idea of what's required for this... One
thing that I've noticed is that since my user and group management tools
already store the sambaSID attributes in the user/group entries, along
with uidNumber/gidNumber, all that I need to do to make these entries
valid for winbind is add the sambaIdmapEntry objectclass.

Now, in theory my directory is a complete database, usable by winbind
for its idmap functions. However, winbind still seems to require an
admin dn and password to be saved locally. I'd really rather that
winbind treat the directory as a read-only repository of data. Is that
possible?

Gordon Messmer wrote:
> I have a domain member server running samba 3. NSS info currently comes
> from ldap, and the PDC is another samba 3 host. The PDC is also using
> the ldap server for its data.
>
> I'm not clear on how winbind is used in this configuration. When I look
> at the owner/group of files from a Windows workstation, I see names of
> the form "MYHOST\gmessmer" rather than "MYDOMAIN\gmessmer". I presume
> that this is so because samba can map my domain login
> (MYDOMAIN\gmessmer) to the unix user "gmessmer", but can't do the
> reverse without winbind.
>
> What is the minimum amount of configuration needed to provide this
> reverse mapping? Do I have to go so far as to replace the NSS source
> with winbind?