Re: winbind: uid range is ignored

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:

steve wrote:

On 07/08/12 16:15, Jonathan Buzzard wrote:

On 07/08/12 15:10, steve wrote:

On 04/08/12 22:06, NdK wrote:

Il 04/08/2012 21:13, steve ha scritto:




Uh? "wide links" seems a bad idea to me... At least from a security
perspective.
Why a single home directory? We have a single NFS share containing
folders for the two domains and inside those a folder for each home.
We are trying to migrate away from that, preferring a '[homes]' share
where users will place the data they want to have available on every PC. 
This way even Firefox should work...


Hi Diego
We have home directories like:
home2/staff
home2/students/7a
home2/students/7b
Winbind allows only one template homedir and all user home folders must 
reside there (or tell me otherwise).

The only way we can have what we want is:
1. use nss-ldapd and store the true uinixHomeDirectory in AD
2. winbind. We have a symlink in template homedir to the real data. For 
that we need wide links.



3. Use winbind to store the true unixHomeDirectory in AD.



Hi
If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir.
How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't sem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like 

    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind enum users = yes
    winbind enum groups = yes
Note you can get nested groups this way, something I don't think nss-ldapd provides. It does work I have it in production for over 1500 users right now with some 900 active SMB sessions. 


Hi Jonathan
Is that with Samba3 or 4? I just tried it with Samba4 with unixHomeDirectory in AD. I removed template homedir =, created the user directory and gave it the correct permissions, but logging in, winbind tries to create the directory: 
 su steve2
Creating directory ''.
Unable to create and initialize directory ''.
su: Permission denied

Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Linux]     [Info Cyrus]     [LARTC]     [Bugtraq]     [Netfilter]     [Internet Dating Forums]     [RAID]     [Yosemite News]     [Photography]

Add to Google Powered by Linux