HP CIFS Server Administrator's Guide Version A.03.01.01 (5900-1282, May 2011)

Winbind uses blocking, synchronous behavior when enumerating users and groups. Set both
winbind enum users and winbind enum groups to No to make winbind suppress the
enumeration of users and groups.
When and How to Deploy Winbind
Commonly Asked Questions
This section answers some common questions asked when deciding whether to use winbind:
How do I control the access that all these winbind generated identities have?
The most common ways to control access to resources are as follows:
• Control access to the HP CIFS shares by using the valid users = [user/group name
  list] parameter in the smb.conf file.
• Use standard UNIX group and ownership permissions on directories and files to further limit
  access.
• Use ACLs on files and directories as needed.
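The following audit script is an added example, not part of the HP guide. It checks an smb.conf for the two settings discussed above: the winbind enum users and winbind enum groups parameters in [global], and a valid users list on each share. The sample configuration, share names and function names are constructed for illustration.

```python
# Added example: audit smb.conf text for the settings the guide recommends.
SAMPLE_SMB_CONF = """# constructed sample, not taken from the HP guide
[global]
    workgroup = EXAMPLE
    winbind enum users = Yes
    winbind enum groups = no

[finance]
    path = /shares/finance
    valid users = @finance, alice

[scratch]
    path = /shares/scratch
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased and runs of
    whitespace inside a parameter name are collapsed to one space."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return a list of findings as human-readable strings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for param in ("winbind enum users", "winbind enum groups"):
        value = glob.get(param)
        if value is None:
            findings.append(f"[global] {param} is not set explicitly")
        elif value.lower() not in ("no", "false", "0"):
            findings.append(f"[global] {param} = {value}; the guide sets it to No")
    for name, params in conf.items():
        # A share with no list of its own inherits any [global] valid users.
        if name != "global" and not params.get("valid users", glob.get("valid users", "")):
            findings.append(f"[{name}] has no valid users list")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB_CONF)))
```

The parser does not handle backslash line continuations, so join continued lines before auditing a real file.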
What can I do so native UNIX users can automatically access files created by their Windows
account?
Windows users, including winbind users, can be mapped to a specific UID using the
username.map utility. When this is done with a winbind user name, the winbind UID is still
mapped and reported by the wbinfo tool. The mapping lets the native UNIX user and the Windows
or winbind user share the same UID and belong to all of the same UNIX groups. When accessing
the system through the HP CIFS Server, the user is no longer granted access to resources
based on the permissions of any Windows group that the Windows user belongs to. Files or
directories the user creates are owned by the UNIX user name and the primary group of that
UNIX user name. This type of user name mapping can be implemented automatically through the
username map script to minimize administration of a user name map file.
How can I provide selective permission to a group with some native UNIX users and some
Windows users?
This is a problem because HP-UX does not allow Windows or winbind users as members of a
UNIX group, and there is no way to add native UNIX users to Windows or winbind groups.
You can still create a group with some native UNIX members and some Windows or winbind
members, but it requires the following administration tasks:
• Map one or more winbind users or groups to a UNIX user.
• Assign the mapped UNIX user to a native UNIX group.
• Assign the selected native UNIX users to the same group.
Take the following drawbacks into consideration before using the above solution:
• Windows groups that are not assigned GIDs by winbind may not be mapped to a UNIX
  user. You must use winbind if you want to assign specific Windows groups to a UNIX user
  name.
• Once mapped, the session of the mapped user does not belong to the Windows groups of
  the original Windows user. The user no longer gains access to resources through the Windows
  groups on the mapped server.
• If the UNIX user is mapped from a number of Windows or winbind users or groups, all files
  of all mapped users will be created with the same owner and primary group names. You