samba - Dec 2007 - security = user, LDAP, and adding users to ACLs

Hi,

Problem:

I seem to be able to add users to ACLs from windows due to an "Name Not 
Found" error when looking up a username.  According to what I have been 
able to find, you cannot browse users on a samba server from windows 
without winbind and "security = domain/ads".   However, winbind does
not
have any place in my environment aside from remedying this problem.   Is 
there some alternative to enable this feature, or method of setting up 
winbind that is innocuous in my environment while maintaining "security 
= user"?

Background on the Environment:

I am running Samba 3.0.25c on Solaris 10u4 with "security = user".   
I
am using the vfs object "zfsacl" to enable ACL support on my zfs 
filesystem.  We use LDAP as a password backend, which also stores 
sambaSIDs for every user.  SIDs and unix UIDs are synchronized across 
all the samba servers because they all use the same LDAP backend.

Thanks in advance!

If your Samba is running as a PDC, and you are logged in the samba domain, you 
are able to list the LDAP users in the shares or files security tab, and you 
don't need winbind. All you need is nsswitch.conf configured with:

# /etc/nsswitch.conf 
# 
 
passwd:         files   ldap 
group:          files   ldap 
shadow:         files   ldap


Plus ldap.conf like:

bindpw xxxxxxxx
binddn xxxxxxxxxxx
uri ldap://xxx.xxx.xxx.xxx
base dc=local,dc=loc 
rootbinddn xxxxxxxxxxxxxxxxxxxxx
host 127.0.0.1 
ldap_version 3 
scope one 
ssl no 
pam_login_attribute uid 
pam_member_attribute gid 
pam_password md5 
nss_base_passwd dc=local,dc=loc?sub 
nss_base_shadow dc=local,dc=loc?sub 
nss_base_group ou=Groups,dc=local,dc=loc?one



In smb.conf you need to put something like:

ldap user suffix = ou=People
ldap machine suffix = ou=Computers 
ldap group suffix = ou=Groups
ldap suffix = dc=local,dc=loc
ldap admin dn = cn=xxxxxxxxxxxxxxxxxxxxxx 
ldap idmap suffix = ou=Idmap


Your LDAP must also have the default samba Domain Groups.


Em Thursday 06 December 2007 20:29, o Shammah Chancellor
escreveu:
> Hi,
>
> Problem:
>
> I seem to be able to add users to ACLs from windows due to an "Name
Not
> Found" error when looking up a username.  According to what I have
been
> able to find, you cannot browse users on a samba server from windows
> without winbind and "security = domain/ads".   However, winbind
does not
> have any place in my environment aside from remedying this problem.   Is
> there some alternative to enable this feature, or method of setting up
> winbind that is innocuous in my environment while maintaining
"security
> = user"?
>
> Background on the Environment:
>
> I am running Samba 3.0.25c on Solaris 10u4 with "security =
user".    I
> am using the vfs object "zfsacl" to enable ACL support on my zfs
> filesystem.  We use LDAP as a password backend, which also stores
> sambaSIDs for every user.  SIDs and unix UIDs are synchronized across
> all the samba servers because they all use the same LDAP backend.
>
> Thanks in advance!