Jerry,

Thanks for the reply.

I am using pam_winbind with my Active Directory or Kerberos credentials to log in. I have an existing UNIX (NIS) infrastructure. We are being forced to join our Linux boxes to AD. This creates a problem with unix permissions when logging into the machines with AD credentials since the UID is dynamically assigned from Winbind and not valid against existing Unix permissions.
example [EMAIL PROTECTED] which translates to DOMAIN\joe_montana. The desired UNIX user id is jmontana.

The username map does not work in the case of logging into the box, but does work correctly when accessing shares on the box. I am sure this is the expected behavior of the username map. I have always used the username map for accessing shares and not logging in.

What I want to know is in the case of logging into the box via ssh or telnet or locally, can I control the Unix UID that Winbind assigns? Can Winbind be configured to map my DOMAIN\jmontana AD credentials to a local UNIX or NIS user jmontana instead of the dynamic UID? This would alleviate the issue with permissions when logged into the box.

My reading led me to believe that using idmap_ldap made this possible but I am unsure. Please point me in the right direction.

Again I appreciate the reply.

Thank You
James

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 4:46 AM
To: Chavez, James R.
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind IDMAP question.

Chavez, James R. wrote:
> Hello all,
>
> I have joined my linux boxes to AD and can authenticate using Active
> Directory usernames and passwords using Winbind.
> I want to Authenticate to AD but have that user mapped to a local Unix
> or NIS ID otherwise the AD authentication is useless and only hinders
> with file permissions and such.

Are you asking about local login via pam_winbind? or just via smbd?

If the latter, then the username map should solve it. If the former, then I could probably do this in likewise-open using the name alias support and some NSS ordering tricks.

PS: The same patches are pending for upstream Samba. I just keep getting distracted every time I try to prepare them to push.

cheers, jerry
--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian