On 08/08/12 10:40, Jonathan Buzzard wrote:
On 08/08/12 08:49, steve wrote:
On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
steve wrote:
On 07/08/12 16:15, Jonathan Buzzard wrote:
On 07/08/12 15:10, steve wrote:
On 04/08/12 22:06, NdK wrote:
On 04/08/2012 21:13, steve wrote:


Uh? "wide links" seems a bad idea to me... At least from a security
perspective.
Why a single home directory? We have a single NFS share containing
folders for the two domains and inside those a folder for each home.
We are trying to migrate away from that, preferring a '[homes]' share
where users will place the data they want to have available on every PC.
This way even Firefox should work...

Hi Diego
We have home directories like:
home2/staff
home2/students/7a
home2/students/7b

Winbind allows only one template homedir and all user home folders must
reside there (or tell me otherwise).

The only way we can have what we want is:
1. use nss-ldapd and store the true unixHomeDirectory in AD
2. winbind. We have a symlink in template homedir to the real data. For
that we need wide links.


3. Use winbind to store the true unixHomeDirectory in AD.


Hi
If I store unixHomeDirectory in AD, winbind seems to ignore it. As
far as it's concerned, all home directories have to be in template
homedir.

How would I use winbind to store it? This is why we tend toward 1.
nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise
only uidNumber and gidNumber. It doesn't seem to give you any control
over login shell and unixHomeDirectory. Everyone has the same shell
and homedir.


Well it's read only, winbind pulls the information from the AD, but
take out your template homedir/shell lines from smb.conf and do
something like

winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes

Thanks Jonathan
I got it working. It needed a schema_mode line:
idmap config MYDOMAIN:schema_mode = rfc2307

I can now finally remove wide links = Yes :-)

nss-winbind seems slow. You can see the results of getent passwd appearing one at a time. With nss-ldapd, the second time you do a getent, it's instantaneous. Is there perhaps a cache I'm missing for winbind? (I have nscd turned off)

Cheers,
Steve
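
An added example, not part of the original thread: a small Python check that reads an smb.conf and flags the settings this thread moved away from (`wide links = Yes`, the template homedir/shell lines) and the rfc2307 lines it ended up needing. The parser, the function names and the two sample configurations are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "1", "on"}  # boolean spellings smb.conf accepts

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased and spaces collapsed."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(section, {})[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """List settings that still reflect the symlink/template workaround."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # wide links can be set globally or per share, so check every section
    findings = [f"[{name}] wide links is enabled"
                for name, params in conf.items()
                if params.get("wide links", "no").lower() in TRUE]
    if "rfc2307" not in glob.get("winbind nss info", "template").lower().split():
        findings.append("winbind nss info is not rfc2307")
    findings += [f"{k} is still set" for k in ("template homedir", "template shell") if k in glob]
    if not any(re.fullmatch(r"idmap config .+:\s*schema_mode", k) and v.lower() == "rfc2307"
               for k, v in glob.items()):
        findings.append("no idmap config DOMAIN:schema_mode = rfc2307 line")
    return findings

# Constructed sample configurations (not taken from the thread).
BEFORE = """
[global]
   template homedir = /home2/%U
   template shell = /bin/bash
[homes]
   wide links = Yes
"""
AFTER = """
[global]
   winbind nss info = rfc2307
   idmap config MYDOMAIN:schema_mode = rfc2307
"""
if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```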
