[Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion - Samba



Thread: [Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion

  1. [Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion

    Hello List,


    I have the following scenario:

    1x Samba PDC with LDAP backend
    1x Samba member server
    1x Samba member server (Openfiler)

    However, I'm confused about Idmapping. I want to use ACLs on the PDC and
    both member servers.

    Are my thoughts correct?

    - Samba member server knows the unix users through LDAP (added in
    nsswitch.conf)
    - Authentication when accessing a member server share is performed by
    the PDC
    - ACLs won't work without a proper Idmapping backend setup (I want to
    use LDAP for this) - how does Idmapping fit into here?
    - Would it be possible to achieve my scenario with winbind?
    - Could I spare the LDAP configuration on the member servers then?


    Thanks in advance for enlightening me,

    Stefan
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Samba PDC and Samba domain member - LDAP/Winbind/Idmap confusion

    > I have the following scenario:
    >
    > 1x Samba PDC with LDAP backend
    > 1x Samba member server
    > 1x Samba member server (Openfiler)
    >
    > However, I'm confused about Idmapping. I want to use ACLs on the PDC and
    > both member servers.
    >
    > Are my thoughts correct?
    >
    > - Samba member server knows the unix users through LDAP (added in
    > nsswitch.conf)
    > - Authentication when accessing a member server share is performed by
    > the PDC
    > - ACLs won't work without a proper Idmapping backend setup (i want to
    > use LDAP for this) - how does Idmapping fit into here?
    >

    I have been struggling with this (on and off) for a very long time
    (years). I believe there are far too many incomplete or inaccurate
    guides on the net and also too many guides that are focused on ADS
    security, which to me is interesting. I went to samba because I wanted
    to completely get rid of the headaches of having windows servers, not
    to make them an integral part of my network security...

    However it appears that I have hit a breakthrough recently. You most
    certainly need a working idmap, otherwise you will not be able to set
    ACLs in windows (or perhaps a cifs client - not tested by me). In the
    past I thought I needed to use the ldap backend for this, but recently
    I found that this is wrong. What you need is idmap_nss. Search for
    that on the net and use the example that sets the idmap read only for
    the SAMBA domain.

    > - Would it be possible to achieve my scenario with winbind?
    >

    On the PDC (with user security) it does not look like winbind is
    necessary. On the other member servers with domain security, it
    appears to me that without winbind you will get SIDs in your
    properties tab on windows for most domain accounts.

    > - Could I spare the LDAP configuration on the member servers then?
    >

    I still have the ldap configuration on all of my linux machines and
    also all of the ones that run samba.

    John
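
As an added illustration of the idmap_nss layout John describes (this is an editor's example, not configuration posted by either participant and not Samba's own documentation), here is an smb.conf fragment for a Samba 3.x domain member whose Unix accounts already come from LDAP through nsswitch.conf ("passwd: files ldap", "group: files ldap"). The domain name SAMBA, the NetBIOS name, the share path and the ID ranges are assumptions to be replaced with your own values:

```ini
# Assumed: Samba 3.x member server; Unix users and groups are resolvable
# via LDAP in /etc/nsswitch.conf. "SAMBA", "MEMBER1", the share path and
# the ranges are placeholders.
[global]
    workgroup = SAMBA
    netbios name = MEMBER1
    security = domain            ; share access is authenticated by the PDC
    password server = *          ; locate the PDC by name lookup

    ; Fallback for SIDs that are NOT in the SAMBA domain (BUILTIN, local
    ; machine SIDs): allocate IDs in a local tdb so they never collide
    ; with the LDAP uid/gid space.
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    ; Domain accounts: do not allocate anything. winbindd resolves the SID
    ; to a name via the PDC, then asks NSS (here: LDAP) for the uid/gid of
    ; that name. Every member server therefore ends up with the same
    ; numeric IDs the PDC uses, which is what keeps POSIX ACLs consistent
    ; across all three machines.
    idmap config SAMBA : backend = nss
    idmap config SAMBA : range = 1000-999999
    ; "readonly" is the read-only setting John refers to; it exists in
    ; Samba 3.x. Check "testparm -s" on your release, newer versions may
    ; reject the parameter (idmap_nss is read-only there anyway).
    idmap config SAMBA : readonly = yes

    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no

[data]
    path = /srv/samba/data       ; filesystem must be mounted with ACL support
    read only = no
    inherit acls = yes
    map acl inherit = yes
```

winbindd must be running on the member server for the SID-to-name step; the winbind NSS module does not need to be listed in nsswitch.conf for this layout, because the uid/gid come from the ldap source. To check that the mapping is actually consistent, after `net rpc join -U Administrator` run `wbinfo -t` (trust account), `wbinfo -n someuser` (name to SID) and `wbinfo -S <that SID>` (SID to uid); the uid printed by `wbinfo -S` must equal the one from `getent passwd someuser` on both the member server and the PDC. If they differ, ACLs set from Windows will land on the wrong Unix identity, which is exactly the failure the thread is about.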
