Colleagues,

I am running smbd in a setup described in
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
under "Winbind is not used; users and groups are local". Samba is
running in the security=domain mode, but all Windows users are being
mapped to Unix users in /etc/passwd.

Now I need to run winbindd for Squid authentication. The problem is,
as soon as I start winbindd, smbd begins consulting it and all Windows
users start receiving uids/gids different from those in /etc/passwd.
How do I prevent smbd from consulting winbindd and make it use the old
/etc/passwd mechanism for uids?

TIA for any input.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

Colleagues, please respond. Have I asked something too unconventional
or something too trivial?

Victor Sudakov wrote:
> Colleagues,
>
> I am running smbd in a setup described in
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
> under "Winbind is not used; users and groups are local". Samba is
> running in the security=domain mode, but all Windows users are being
> mapped to Unix users in /etc/passwd.
>
> Now I need to run winbindd for Squid authentication. The problem is,
> as soon as I start winbindd, smbd begins consulting it and all Windows
> users start receiving uids/gids different from those in /etc/passwd.
> How do I prevent smbd from consulting winbindd and make it use the old
> /etc/passwd mechanism for uids?
>
> TIA for any input.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

On Mon, Jan 23, 2012 at 05:34:35PM +0700, Victor Sudakov wrote:
> Colleagues, please respond. Have I asked something too unconventional
> or something too trivial?

idmap backend = nss ??

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

Volker Lendecke wrote:
> > Colleagues, please respond. Have I asked something too unconventional
> > or something too trivial?
>
> idmap backend = nss ??

Its man page is very scarce. Is it supposed to work at all? Do you have any
experience with it?

root at fs02-sibptus:~# id zimaev
uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
root at fs02-sibptus:~# wbinfo -n zimaev
S-1-5-21-839522115-2139871995-725345543-1618 User (1)
root at fs02-sibptus:~# wbinfo -i zimaev
Could not get info for user zimaev
root at fs02-sibptus:~#

what gives?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

On 25.01.2012 09:58, Victor Sudakov wrote:
> Volker Lendecke wrote:
>>> Colleagues, please respond. Have I asked something too unconventional
>>> or something too trivial?
>>
>> idmap backend = nss ??
>
> Its man page is very scarce. Is it supposed to work at all? Do you have any
> experience with it?
>
> root at fs02-sibptus:~# id zimaev
> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
> root at fs02-sibptus:~# wbinfo -n zimaev
> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
> root at fs02-sibptus:~# wbinfo -i zimaev
> Could not get info for user zimaev
> root at fs02-sibptus:~#
>
> what gives?
>

what do you have in smb.conf defined for security?
(general portion of smb.conf)

Greetz,
L.

Lukas wrote:
> >>> Colleagues, please respond. Have I asked something too unconventional
> >>> or something too trivial?
> >>
> >> idmap backend = nss ??
> >
> > Its man page is very scarce. Is it supposed to work at all? Do you have any
> > experience with it?
> >
> > root at fs02-sibptus:~# id zimaev
> > uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
> > root at fs02-sibptus:~# wbinfo -n zimaev
> > S-1-5-21-839522115-2139871995-725345543-1618 User (1)
> > root at fs02-sibptus:~# wbinfo -i zimaev
> > Could not get info for user zimaev
> > root at fs02-sibptus:~#
> >
> > what gives?
> >
>
> what do you have in smb.conf defined for security?
> (general portion of smb.conf)

[global]
        workgroup = SIBPTUS
        wins server = 10.14.134.1 10.14.134.4
        security = domain
        idmap backend = nss
        idmap uid = 1000-1999999
        idmap gid = 1000-1999999
        template shell = /bin/bash
        winbind use default domain = Yes
        allow trusted domains = Yes

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

On 13:37:19 wrote Victor Sudakov:
> Colleagues,
>
> I am running smbd in a setup described in
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
> under "Winbind is not used; users and groups are
> local". Samba is running in the security=domain mode,

Do you have a PDC with the same setup? Are you syncing uid/gid manually?

> but all
> Windows users are being mapped to Unix users in /etc/passwd.

This will break the setup which is described in the Samba-HOWTO-Collection
you refer to above :-( .

"The only way in which this differs from having local accounts is that the
accounts are stored in a repository that *can be shared*. In practice this
means that they will reside in either *an NIS-type database or else in LDAP*."

So only NIS or LDAP will guarantee that you have identical uid/gid mapping
across different machines.

> Now I need to run winbindd for Squid authentication. The problem is,
> as soon as I start winbindd, smbd begins consulting it

so you are running smbd and winbind and squid on the same machine

> and all
> Windows users start receiving uids/gids different from those in
> /etc/passwd.

That's quite normal.

> How do I prevent smbd from consulting winbindd and make
> it use the old /etc/passwd mechanism for uids?

I do not know. I believe it's not possible. Run smbd on one machine with NIS
or LDAP, winbind for squid on another machine.

Alternatively you may try to run winbind with its own smb.conf, for example

    # smb.conf for winbind only
    # Here you MUST have one blank line

    include = /etc/samba.conf
    [global]
    security = domain
    winbind use default domain = yes
    # and so on

if you wish to try this, you may start with a new setup.

I have done this three times with LDAP as backend, it works. If you need more
details, I can write a step-by-step guide, maybe next week.

In all cases you must have a PDC with security=user in smb.conf.

>
> TIA for any input.

--
regards
Harry Jede
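
An added example, not part of the thread: the uid/gid change described above can be confirmed by comparing /etc/passwd with what winbind returns for the same names, which matters because a changed uid changes which Unix account file permissions are evaluated against. The function name, the two-file interface and every sample entry other than zimaev's local 3237:2000 are constructed for illustration.

```shell
#!/usr/bin/env bash
# Compare uid/gid in a local passwd file with winbind's view of the same users.
# Both inputs are passwd(5)-format lines: name:pw:uid:gid:gecos:home:shell
#
# Live use (assumes "winbind use default domain = yes", so names match):
#   cut -d: -f1 /etc/passwd | while read -r u; do wbinfo -i "$u" 2>/dev/null; done > wb.txt
#   idmap_drift /etc/passwd wb.txt

# idmap_drift LOCAL_FILE WINBIND_FILE
# Prints MISMATCH for users whose uid or gid differs between the two sources,
# and UNRESOLVED for local users winbind returned no entry for.
idmap_drift() {
    awk -F: '
        NR == FNR { uid[$1] = $3; gid[$1] = $4; next }   # first file: local passwd
        ($1 in uid) {                                    # second file: winbind entries
            seen[$1] = 1
            if (uid[$1] != $3 || gid[$1] != $4)
                printf "MISMATCH %s local=%s:%s winbind=%s:%s\n", $1, uid[$1], gid[$1], $3, $4
        }
        END {
            for (u in uid)
                if (!(u in seen))
                    printf "UNRESOLVED %s local=%s:%s\n", u, uid[u], gid[u]
        }
    ' "$1" "$2" | sort
}

# Constructed sample data: zimaev's local ids come from the thread, the rest is invented.
demo() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/local" <<'EOF'
zimaev:x:3237:2000::/home/zimaev:/bin/bash
ivanov:x:3238:2000::/home/ivanov:/bin/bash
petrov:x:3239:2000::/home/petrov:/bin/bash
EOF
    # winbind allocated zimaev a fresh id from the idmap range; petrov did not resolve
    cat > "$tmp/winbind" <<'EOF'
zimaev:*:1000:1000::/home/SIBPTUS/zimaev:/bin/bash
ivanov:*:3238:2000::/home/SIBPTUS/ivanov:/bin/bash
EOF
    idmap_drift "$tmp/local" "$tmp/winbind"
    rm -rf "$tmp"
}

demo
```

System accounts that exist only locally show up as UNRESOLVED on a live run; restrict the input to the accounts that correspond to domain users before reading the report.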