search for: idmap_nss

...troller and the member server. The "wbinfo -u" and "winfo -g" commands show the users and groups. This machine does not need to support trusted domains. It looks like I need some sort of IDMapping. SInce I have unix accounts in LDAP backend I was trying to configure idmap_nss. idmap config MYDOMAIN : backend = nss idmap config MYDOMAIN : range = 100-300 wbinfo correctly translates between names and SIDs :/# wbinfo -n myname S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1) :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234...

...ver. The "wbinfo -u" and "winfo -g" commands show the users and >> groups. This machine does not need to support trusted >> domains. It looks like I need some sort of IDMapping. SInce I >> have unix accounts in LDAP backend I was trying to configure idmap_nss. >> >> >> idmap config MYDOMAIN : backend = nss >> idmap config MYDOMAIN : range = 100-300 >> >> >> >> wbinfo correctly translates between names and SIDs >> >> :/# wbinfo -n myname >> S-1-...

...member server. > The "wbinfo -u" and "winfo -g" commands show the users and groups. This > machine does not need to support trusted domains. It looks like I > need some sort of IDMapping. SInce I have unix accounts in LDAP backend > I was trying to configure idmap_nss. > > > idmap config MYDOMAIN : backend = nss > idmap config MYDOMAIN : range = 100-300 > > > > wbinfo correctly translates between names and SIDs > > :/# wbinfo -n myname > S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)...

...er > server. The "wbinfo -u" and "winfo -g" commands show the users and > groups. This machine does not need to support trusted domains. > It looks like I need some sort of IDMapping. SInce I have unix > accounts in LDAP backend I was trying to configure idmap_nss. > > > idmap config MYDOMAIN : backend = nss > idmap config MYDOMAIN : range = 100-300 > > > > wbinfo correctly translates between names and SIDs > > :/# wbinfo -n myname > S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1) &gt...

...uot;wbinfo -u" and "winfo -g" commands show the users and >>> groups. This machine does not need to support trusted >>> domains. It looks like I need some sort of IDMapping. SInce I >>> have unix accounts in LDAP backend I was trying to configure idmap_nss. >>> >>> >>> idmap config MYDOMAIN : backend = nss >>> idmap config MYDOMAIN : range = 100-300 >>> >>> >>> >>> wbinfo correctly translates between names and SIDs >>> >>> :...

...winfo -g" commands show the users and >>>> groups. This machine does not need to support trusted >>>> domains. It looks like I need some sort of IDMapping. SInce >>>> I have unix accounts in LDAP backend I was trying to configure >>>> idmap_nss. >>>> >>>> >>>> idmap config MYDOMAIN : backend = nss >>>> idmap config MYDOMAIN : range = 100-300 >>>> >>>> >>>> log.192.168.0.105 >>>> wbinfo correctly translates between n...

...ommands show the users >>>>> and groups. This machine does not need to support trusted >>>>> domains. It looks like I need some sort of IDMapping. SInce >>>>> I have unix accounts in LDAP backend I was trying to configure >>>>> idmap_nss. >>>>> >>>>> >>>>> idmap config MYDOMAIN : backend = nss >>>>> idmap config MYDOMAIN : range = 100-300 >>>>> >>>>> >>>>> log.192.168.0.105 >>>>> wbinf...

Hi! In my samba controlled domain, most users are stored in an LDAP directory. The Unix boxes use nss_ldap but they also have a few local users (mostly system-users) whose user-ids are not synchronized. I've read the documentation about idmap_nss but I'm still not sure if this is needed for my setup. Will using idmap_nss in addition to idmap_ldap result in any benefit (e.g. when mapping local, non-ldap unix users)? I am thinking of a setup like: -------------------- 8< -------------------- idmap domains = NSS TRUSTEDDOMAINS # <i...

Hello, I have a PDC and BDC servers with an OpenLDAP backend. It works fine for a 500 users office. I also have some servers with LDAP NSS and PAM and Samba with idmap_nss backend. It also works fine. The configuration for theses servers is: [global] workgroup = AURORA ... idmap domains = AURORA idmap config AURORA:backend = nss idmap config AURORA:readonly = yes winbind use default domain = no ... Now, I have detected that when winbin...

...10/30/20 um 12:11 PM schrieb Rowland penny via samba: >> On 30/10/2020 11:06, Ralph Boehme via samba wrote: >>> Am 10/30/20 um 10:20 AM schrieb Thomas Besser via samba: >>>> Can I configure winbind to use 'local' users and groups from NSS? >>> there's idmap_nss that may work for you. >>> >>> -slow >> Already mentioned that, problem is it is an allocating backend, unless I >> am reading the manpage wrong. > ah, missed that. :) > > idmap_nss is not an allocating backend, I guess the manpage text might > be a bit mis...

...;>>> On 30/10/2020 11:06, Ralph Boehme via samba wrote: >>>>> Am 10/30/20 um 10:20 AM schrieb Thomas Besser via samba: >>>>>> Can I configure winbind to use 'local' users and groups from >>>>>> NSS? >>>>> there's idmap_nss that may work for you. >>>>> >>>>> -slow >>>> Already mentioned that, problem is it is an allocating backend, >>>> unless I am reading the manpage wrong. >>> ah, missed that. :) >>> >>> idmap_nss is not an allocating b...

...e root user and thus the mapping fails. > username map = /etc/samba/samba_usermapping well, I have been working on this issue quite a bit, lately. The working recipe for me was: 1) configure sssd to fetch users from ad; 2) configure winbind to fetch sid/uid and sid/gid mappings from nss (with idmap_nss); 3) provide group 'domain users' with a valid gidNumber: it looks the prescription from idmap_ad "Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set." holds for idmap_nss as well. If you plan to use sssd on Debian, beware of:...

On 30/10/2020 11:06, Ralph Boehme via samba wrote: > Am 10/30/20 um 10:20 AM schrieb Thomas Besser via samba: >> Can I configure winbind to use 'local' users and groups from NSS? > there's idmap_nss that may work for you. > > -slow Already mentioned that, problem is it is an allocating backend, unless I am reading the manpage wrong. Rowland

...> > security = ADS > > idmap config * : range = 100000:199999 > > idmap config AMERICAS : backend = nss > > idmap config AMERICAS : range = 1000:99999 > > > > Thoughts? > > You mean apart from thinking 'I wouldn't use idmap_nss' ? ;-) > > It should be '100000-199999' not '100000:19999' > > You will also need winbind running. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/opt...

I have an existing PDC which I am attempting to move across to a new server. On the new server, I'm having trouble with idmap (using an LDAP backend) and trusted domains. The smb.conf file is the same on both servers. My idmap & winbind parameters are as follows: ldap idmap suffix = ou=idmap idmap backend = ldap:ldap://127.0.0.1 idmap uid = 10000-29000 idmap gid = 10000-29000 winbind

...penny via samba: >>> On 30/10/2020 11:06, Ralph Boehme via samba wrote: >>>> Am 10/30/20 um 10:20 AM schrieb Thomas Besser via samba: >>>>> Can I configure winbind to use 'local' users and groups from >>>>> NSS? >>>> there's idmap_nss that may work for you. >>>> >>>> -slow >>> Already mentioned that, problem is it is an allocating backend, >>> unless I am reading the manpage wrong. >> ah, missed that. :) >> >> idmap_nss is not an allocating backend, I guess the manpag...

...ll, I have been working on this issue quite a bit, lately. > > The working recipe for me was: > 1) configure sssd to fetch users from ad; winbind will do this as well, provided the correct info is in AD. > 2) configure winbind to fetch sid/uid and sid/gid mappings from nss > (with idmap_nss); Do you have users & groups in /etc/passwd & /etc/group that are also in AD, I ask this because idmap_nss maps Unix users & groups (i.e. those in /etc/passwd & /etc/group) to users & groups in AD. > 3) provide group 'domain users' with a valid gidNumber: And that...

Hi List, I want to use Active Directory for my samba users passwords and /etc/group for storing group membership. /etc/nsswitch.conf looks like: group: file Problem: the tests i ran show that the samba server does not know about group membership (deleting file from other user belonging to the same group fails). The same test works as expectet when winbindd is switched off. What do i have to

...em. About ldap connector we just thought winbind would use it towards ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution. We actually use nss to resolve those uid/gid > > Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad', > 'man idmap_nss' and finally this: > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member > > Sorry to be the bearer of bad news, but your smb.conf is a mess, you > should be using the winbind 'ad' or 'rid' backend for DOMAIN_A >> Yes I know it's ugly...

...m any > > domain (i.e. the share should be accessable > > via windows client) > > Is't this a reimplementation on winbind nss interface?. Why not just > use winbind with one of it's mapping strategies. I am pretty sure it > should work for standalone servers. > idmap_nss maps Unix users to Domain users, it needs users in /etc/passwd, the OP doesn't want this. Rowland