[Samba] How do I get Winbind accounts in LDAP?

John H Terpstra jht at samba.org
Thu Jan 8 16:57:52 GMT 2004


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have
a Sun box it is a little difficult for me to help you directly.

What output do you get from:
	wbinfo -u
	wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

>
> Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main
> HOWTO collection that comes with Samba 3.0, the only difference is that I
> used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson.
> I haven't managed to get hold of him, he says he has made it work on Solaris
> 9.
> I also want to get pam_mkhomedir to work but I have to get past this bit first.
> From his email signature it looks like he works for Sun in Sweden but even
> the Sun helpdesk in the UK hasn't been able to get hold of him yet.
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: 08 January 2004 15:54
> To: Ganguly, Sapan
> Cc: 'ww m-pubsyssamba'; 'samba at lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > I'm doing the same thing but with NT4 so I'm not using active
> > directory. The only thing you haven't mentioned that I can think of is
> > nsswitch.conf, you should have -
> >
> > passwd: files winbind
> > group: files winbind
> >
> > Getent works for me, I'm stuck with getting log ons to the Solaris
> > machine with NT usernames to work.
>
> If you want to log onto the Sun machine using Windows networking credentials
> you must configure PAM to support the use of pam_winbind.so. Have you done
> that?
>
> - John T.
>
>
> > They seem to have changed something in Solaris 9, even Sun hasn't been
> > able to help me!
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> > Sent: 08 January 2004 13:45
> > To: Ganguly, Sapan ; samba at lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi Sapan/All,
> >
> > 	ok this is all in my test/dev environment. I have a Sun Sparc
> > workstation running Solaris 9 and an Intel server running Windows 2000
> > server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
> > installed and is successfully joined to the AD domain, I can
> > authenticate via kerberos and wbinfo -u lists domain users etc. All I
> > need LDAP for is centralising the IDMAP mappings across our
> > theoretical Samba server infrastructure.
> >
> >   On the same sparc system I also have SunONE DS 5.2 installed, this
> > has the schema for Samba 3.0.1 successfully loaded. I have created the
> > idmap OU in the directory and I have configured my smb.conf to use
> > LDAP for idmap data, file attached. And I have set the LDAP admin
> > account password with "smbpasswd -w". I have also disabled nscd from
> > starting up & installed patch 113476-05 which is required for Solaris
> > 9. I can also see winbindd establishing a connection to Sun LDAP in
> > its access log.
> >
> >   As I was writing this mail I have noticed that a getent for users
> > and groups is not displaying any AD users/groups but is exiting with a
> > status 0, this is despite the fact that wbinfo is correctly displaying
> > all my AD users/groups!? I can see from a snoop and truss run on the
> > getent that it is making LDAP calls to the AD DC but it's not
> > returning anything!?! I have had this running on a Solaris 8 system in
> > my test environment successfully and can't think of anything I've done
> > differently.
> >
> > If anyone can help I'd greatly appreciate it,
> >
> > 	many thanks Andy.
> >
> > -----Original Message-----
> > From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com]
> > Posted At: 07 January 2004 16:44
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> >
> > Andy,
> >
> > Tell us a bit more, I'm doing a similar thing I think.  I'm not using
> > Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and
> > I'm logging into my Solaris 9.0 machine running winbind, with my NT
> > username and password which creates an idmap in the openldap database
> > on the Redhat box....well, that's what it is supposed to do
> > anyway...it works fine on Redhat, Solaris is proving to be a little
> > more tricky.
> >
> > Is this what you are doing?
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> > Sent: 07 January 2004 14:23
> > To: samba at lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi John/List,
> >
> > 	I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
> > but without any success. I've tried what John T has suggested below
> > but my idmap OU is still empty (adapted LDAP commands for Sun DS). I
> > cannot see any errors in either Samba or Sun DS logs, does anyone have
> > any troubleshooting tips to help work out why this isn't working?
> >
> > 		many thanks Andy.
> >
> > -----Original Message-----
> > From: samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org
> > [mailto:samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org]On Behalf
> > Of John H Terpstra
> > Posted At: 03 January 2004 23:54
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Kent,
> >
> > Did you create the container for the ou=Idmap in your LDAP database?
> > The IDMAP entries are automatically added to LDAP - IF the container
> > exists, and so long as Samba can access that database.
> >
> > Also, I suggest you store your machine accounts in the Users container
> > and not in the Computers container. Samba does not at this time search
> > the Computers container correctly.
> >
> > Execute the following to find out if your LDAP database has an IDMAP
> > container:
> > 	slapcat | grep -i IDMAP
> >
> >
> > If nothing is returned, execute this:
> >
> > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
> > dn: ou=Idmap,dc=abmas,dc=biz
> > objectClass: organizationalunit
> > ou: idmap
> > structuralObjectClass: organizationalunit
> > EOR
> >
> > Now you must stop samba, delete the winbind*tdb files, restart samba,
> > run:
> > 	wbinfo -u
> > And that should automatically populate your LDAP IDMAP database.
> >
> > Cheers,
> > John T.
> >
> >
> >
>
>

-- 
John H Terpstra
Email: jht at samba.org
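
Added example (not part of the original message and not Samba project code): a shell sketch of the checks discussed in this thread, namely that nsswitch.conf lists winbind for passwd and group, that pam.conf references pam_winbind.so, and which names "wbinfo -u" returns that "getent passwd" does not. The function names, file names and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On Solaris use AWK=nawk; /usr/bin/awk lacks -v.
AWK=${AWK:-awk}

# nss_has_winbind FILE DB: succeed if the DB ("passwd" or "group") line lists winbind.
nss_has_winbind() {
    $AWK -v db="$2:" '
        /^[ \t]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# pam_has_winbind FILE TYPE: succeed if a non-comment pam.conf line of module
# type TYPE (auth, account, ...) references pam_winbind.so.
pam_has_winbind() {
    $AWK -v t="$2" '
        /^[ \t]*#/ { next }
        $2 == t && /pam_winbind\.so/ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# missing_from_nss WBINFO_OUT GETENT_OUT: print names winbindd knows (wbinfo -u)
# that the name service switch does not return (getent passwd).
missing_from_nss() {
    tmp="${TMPDIR:-/tmp}/nss_names.$$"
    cut -d: -f1 "$2" | sort -u > "$tmp"
    sort -u "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Constructed sample data (not taken from any real host).
demo_dir="${TMPDIR:-/tmp}/winbind_demo.$$"
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
printf 'passwd: files winbind\ngroup: files\n' > "$demo_dir/nsswitch.conf"
printf '# pam_winbind.so\nlogin auth sufficient pam_winbind.so\nlogin account required pam_unix_account.so.1\n' > "$demo_dir/pam.conf"
printf 'DOM\\alice\nDOM\\bob\n' > "$demo_dir/wbinfo_u.txt"
printf 'root:x:0:0::/:/sbin/sh\nDOM\\alice:x:10000:10000::/home/alice:/bin/sh\n' > "$demo_dir/getent_passwd.txt"

for db in passwd group; do
    nss_has_winbind "$demo_dir/nsswitch.conf" "$db" || echo "nsswitch.conf: $db does not list winbind"
done
for t in auth account; do
    pam_has_winbind "$demo_dir/pam.conf" "$t" || echo "pam.conf: no pam_winbind.so line for $t"
done
missing_from_nss "$demo_dir/wbinfo_u.txt" "$demo_dir/getent_passwd.txt" | sed 's/^/in wbinfo -u but not getent passwd: /'
```

On a live host, point the functions at /etc/nsswitch.conf and /etc/pam.conf and feed missing_from_nss the saved output of "wbinfo -u" and "getent passwd".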

