Shammah Chancellor
2007-Dec-06 20:53 UTC
[Samba] security = user, LDAP, and adding users to ACLs
Hi,

Problem:

I seem to be able to add users to ACLs from Windows due to a "Name Not Found" error when looking up a username. According to what I have been able to find, you cannot browse users on a Samba server from Windows without winbind and "security = domain/ads". However, winbind does not have any place in my environment aside from remedying this problem. Is there some alternative to enable this feature, or method of setting up winbind that is innocuous in my environment while maintaining "security = user"?

Background on the Environment:

I am running Samba 3.0.25c on Solaris 10u4 with "security = user". I am using the vfs object "zfsacl" to enable ACL support on my ZFS filesystem. We use LDAP as a password backend, which also stores sambaSIDs for every user. SIDs and Unix UIDs are synchronized across all the Samba servers because they all use the same LDAP backend.

Thanks in advance!
If your Samba is running as a PDC, and you are logged in to the Samba domain, you are able to list the LDAP users in the share or file security tab, and you don't need winbind. All you need is nsswitch.conf configured with:

# /etc/nsswitch.conf
#
passwd: files ldap
group: files ldap
shadow: files ldap

Plus ldap.conf like:

bindpw xxxxxxxx
binddn xxxxxxxxxxx
uri ldap://xxx.xxx.xxx.xxx
base dc=local,dc=loc
rootbinddn xxxxxxxxxxxxxxxxxxxxx
host 127.0.0.1
ldap_version 3
scope one
ssl no
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
nss_base_passwd dc=local,dc=loc?sub
nss_base_shadow dc=local,dc=loc?sub
nss_base_group ou=Groups,dc=local,dc=loc?one

In smb.conf you need to put something like:

ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap suffix = dc=local,dc=loc
ldap admin dn = cn=xxxxxxxxxxxxxxxxxxxxxx
ldap idmap suffix = ou=Idmap

Your LDAP must also have the default Samba Domain Groups.

On Thursday 06 December 2007 20:29, Shammah Chancellor wrote:
> Hi,
>
> Problem:
>
> I seem to be able to add users to ACLs from windows due to an "Name Not
> Found" error when looking up a username. According to what I have been
> able to find, you cannot browse users on a samba server from windows
> without winbind and "security = domain/ads". However, winbind does not
> have any place in my environment aside from remedying this problem. Is
> there some alternative to enable this feature, or method of setting up
> winbind that is innocuous in my environment while maintaining "security
> = user"?
>
> Background on the Environment:
>
> I am running Samba 3.0.25c on Solaris 10u4 with "security = user". I
> am using the vfs object "zfsacl" to enable ACL support on my zfs
> filesystem. We use LDAP as a password backend, which also stores
> sambaSIDs for every user. SIDs and unix UIDs are synchronized across
> all the samba servers because they all use the same LDAP backend.
>
> Thanks in advance!
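Two offline checks for the preconditions the reply above depends on, as an added example and not code from either poster: that every NSS database Samba consults is served by LDAP, and that a user's sambaSID actually sits under the server's domain SID (a SID from another domain will not resolve by name). It assumes POSIX sh with grep; the SID-prefix rule is the checker's own assumption about how Samba matches passdb entries to its domain, not something the thread states.

```shell
#!/bin/sh
# Added example: sanity checks for the nsswitch + LDAP name-lookup setup.
# Assumes POSIX sh and grep; no winbind, no network access needed.

# nsswitch_uses_ldap FILE
# Succeeds only if passwd, group and shadow all list the "ldap" source.
# A missing "ldap" on any of the three is enough to make a Windows
# "Name Not Found" lookup failure plausible.
nsswitch_uses_ldap() {
    for db in passwd group shadow; do
        grep -E "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            >/dev/null || return 1
    done
    return 0
}

# sid_in_domain USER_SID DOMAIN_SID
# A user SID must be the domain SID followed by exactly one numeric RID,
# e.g. S-1-5-21-1-2-3-1004 under domain S-1-5-21-1-2-3.
sid_in_domain() {
    case "$1" in
        "$2"-*) rid=${1#"$2"-} ;;
        *)      return 1 ;;
    esac
    # Reject an empty RID or anything that is not purely digits (a second
    # "-" would mean the prefix was shorter than the real domain SID).
    case "$rid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Constructed sample (not a real host): a broken nsswitch.conf that lists
# ldap for group and shadow but not for passwd.
sample_nsswitch=$(mktemp "${TMPDIR:-/tmp}/nss.XXXXXX")
printf 'passwd: files\ngroup: files ldap\nshadow: files ldap\n' \
    > "$sample_nsswitch"
if nsswitch_uses_ldap "$sample_nsswitch"; then
    echo "nsswitch: passwd/group/shadow all use ldap"
else
    echo "nsswitch: at least one of passwd/group/shadow lacks ldap"
fi
rm -f "$sample_nsswitch"
```

On a live server, follow the same checks with `getent passwd <user>` and `net getlocalsid` to confirm that the resolver and the domain SID both agree with what is in LDAP.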