On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
> Well it does if you're using winbindd to map DOMAIN\\groupname
> to a group on the box :-).
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Thank you Jeremy. What is the best way to do that?

The key tool is nsswitch. Winbind may or may not be necessary, depending on your precise setup. It's the nsswitch libraries and configuration file which tell Linux where to fetch user and group information.

If your domain stores its user list in the tdb files on your PDC, then your only option is to use winbind (and the nss_winbind library) to provide user and group information to nsswitch.

However, if you are using an LDAP directory as the data backend for your domain, you could use nss_ldap instead, and pull the information straight from LDAP. That's what I do, for several reasons, of which the best two are:

1. It allows me to have a consistent nsswitch configuration across all servers, whether or not they are running Samba, and have domain users able to access services consistently.

2. It simplifies the Samba configuration on servers which are domain members.

You have this choice both if your domain controllers are LDAP-backed Samba ones (as mine are), or Windows Active Directory servers - all you have to do is make sure your AD servers have the extension to their schema to support POSIX user/group information.

Given the choice, I would always go for the direct LDAP route, with users and groups that have intrinsic, permanent UIDs and GIDs; it's less fragile. I'll happily create those users and groups via Samba/Winbind on the PDC (love the whole "idmap alloc" and ldapsam:editposix combination), but once they're in the LDAP directory, they're permanent, and available to anything that speaks LDAP.

-- 
Bruce

I must admit that the existence of Disneyland (which I know is real) proves that we are not living in Judea in AD 50. -- Philip K. Dick
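An added example, not part of the original message: a small audit that parses nsswitch.conf text and reports whether the passwd and group databases draw on the same directory backend (winbind or ldap) on every host, which is the consistency the reply argues for. The two sample files and the host names are constructed for illustration.

```python
import re

# Constructed sample nsswitch.conf contents for two hypothetical hosts.
SAMBA_MEMBER = """\
# /etc/nsswitch.conf on a Samba domain member (constructed sample)
passwd:  files winbind
group:   files winbind
shadow:  files
hosts:   files dns
"""
PLAIN_SERVER = """\
passwd:  files ldap
group:   files [NOTFOUND=continue] ldap   # action items are not sources
shadow:  files ldap
"""

ACTION = re.compile(r"\[[^\]]*\]")  # e.g. [NOTFOUND=return]

def parse_nsswitch(text):
    """Return {database: [source, ...]} in lookup order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        table[db.strip()] = ACTION.sub(" ", rest).split()
    return table

def directory_backends(table, databases=("passwd", "group")):
    """Non-local sources consulted for each account database."""
    return {db: [s for s in table.get(db, []) if s not in ("files", "compat")]
            for db in databases}

def audit(hosts):
    """hosts: {name: nsswitch.conf text}. Return a list of findings."""
    findings, seen = [], {}
    for name, text in hosts.items():
        b = directory_backends(parse_nsswitch(text))
        if b["passwd"] != b["group"]:
            findings.append(f"{name}: passwd uses {b['passwd']}, group uses {b['group']}")
        seen[name] = tuple(b["passwd"])
    if len(set(seen.values())) > 1:
        findings.append(f"hosts differ in user backend: {seen}")
    return findings

if __name__ == "__main__":
    for finding in audit({"smb1": SAMBA_MEMBER, "web1": PLAIN_SERVER}):
        print(finding)
```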