Stefan Dengscherz
2008-Apr-16 19:44 UTC
[Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion
Hello List,

I have the following scenario:

1x Samba PDC with LDAP backend
1x Samba member server
1x Samba member server (Openfiler)

However, I'm confused about Idmapping. I want to use ACLs on the PDC and both member servers.

Are my thoughts correct?

- Samba member server knows the unix users through LDAP (added in nsswitch.conf)
- Authentication when accessing a member server share is performed by the PDC
- ACLs won't work without a proper Idmapping backend setup (I want to use LDAP for this) - how does Idmapping fit into here?
- Would it be possible to achieve my scenario with winbind?
- Could I spare the LDAP configuration on the member servers then?

Thanks in advance for enlightening me,
Stefan
John Drescher
2008-Apr-24 12:56 UTC
[Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion
> I have the following scenario:
>
> 1x Samba PDC with LDAP backend
> 1x Samba member server
> 1x Samba member server (Openfiler)
>
> However, I'm confused about Idmapping. I want to use ACLs on the PDC and
> both member servers.
>
> Are my thoughts correct?
>
> - Samba member server knows the unix users through LDAP (added in
> nsswitch.conf)
> - Authentication when accessing a member server share is performed by
> the PDC
> - ACLs won't work without a proper Idmapping backend setup (I want to
> use LDAP for this) - how does Idmapping fit into here?

I have been struggling with this (on and off) for a very long time (years). I believe there are far too many incomplete or inaccurate guides on the net, and also too many guides that are focused on ADS security, which to me is interesting. I went to Samba because I wanted to completely get rid of the headaches of having Windows servers, not to make them an integral part of my network security... However, it appears that I have hit a breakthrough recently.

You most certainly need a working idmap, otherwise you will not be able to set ACLs in Windows (or perhaps a CIFS client - not tested by me). In the past I thought I needed to use the LDAP backend for this, but recently I found that this is wrong. What you need is idmap_nss. Search for that on the net and use the example that sets the idmap read only for the SAMBA domain.

> - Would it be possible to achieve my scenario with winbind?

On the PDC (with user security) it does not look like winbind is necessary. On the other member servers with domain security, it appears to me that without winbind you will get SIDs in your properties tab on Windows for most domain accounts.

> - Could I spare the LDAP configuration on the member servers then?

I still have the LDAP configuration on all of my Linux machines and also all of the ones that run Samba.

John
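As an added illustration of the idmap_nss layout John points to (not configuration posted by either participant), here is an smb.conf fragment for a domain member server in the Samba 3.0-era `idmap domains` syntax used by the idmap_nss(8) man page; the domain name SAMBA and the tdb range are assumed placeholders, and newer Samba releases express the catch-all with `idmap config * : backend` instead of `idmap domains`:

```ini
[global]
    ; assumed domain name (placeholder); member server, so the PDC
    ; authenticates users
    workgroup = SAMBA
    security = domain

    ; Domain accounts already exist in LDAP and are visible through
    ; nsswitch.conf, so winbind must only look their uid/gid up via nss
    ; and never allocate new ids for them. A read-only nss mapping gives
    ; every server the same uid for the same user, which is what keeps
    ; POSIX ACLs consistent across the PDC and both member servers.
    idmap domains = SAMBA ALLDOMAINS
    idmap config SAMBA:backend = nss
    idmap config SAMBA:readonly = yes

    ; Everything else (well-known SIDs, trusted domains) gets an
    ; allocated mapping in a local tdb. The range is an assumed
    ; placeholder and must not overlap the uidNumber/gidNumber range
    ; used in LDAP, or two principals could end up owning the same files.
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:backend = tdb
    idmap config ALLDOMAINS:range = 10000 - 50000
```

A quick check after restarting winbindd: `wbinfo -n 'SAMBA\someuser'` followed by `wbinfo -S <that SID>` should print the same uid that `getent passwd someuser` returns from LDAP, and the Windows security tab should then show names instead of raw SIDs.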