[Samba] Samba in Active Directory environments with centralized
SID to UID mapping
Kreitz, Christopher
christopher.kreitz at lbf.fraunhofer.de
Thu Apr 10 08:06:08 GMT 2008
Hello list!
We have some problems while trying to integrate a group of Linux servers into our Active Directory.
Our plan is to connect these machines via winbind to the AD.
Our users should be able to log in on these machines with their Windows credentials.
We want the AD to do the mapping between Windows SID and Linux UID/GID.
For this purpose, we installed SFU 3.5 on our AD and activated the UIDs for all allowed users.
We successfully connected these machines (client0 up to client9) to the AD; wbinfo -u and wbinfo -g list all domain members and all domain groups.
We edited /etc/nsswitch.conf and enabled winbind:
passwd: files winbind ldap
group: files winbind ldap
shadow: files winbind ldap
Note: the ldap entries were made previously to enable LDAP logon, but we want to replace the LDAP logon with winbind/AD logon to centralize user management.
Now the troubles began.
Our problems are:
1) If I check the uid of a user, not all servers act identically,
e.g. id kreitz
server0: uid=32821(kreitz) gid=32002 groups=32001,32005,32003,32002
server1: uid=32821(kreitz) gid=32002 groups=32001,32002
server2: uid=32821(kreitz) gid=32002 groups=32000,32001,32002
...
2) We tried to stop winbind, clear the winbind cache /var/cache/idmap_cache.tdb and restart winbind:
id: kreitz: No such user
I do not know how to debug winbind to find the problems in my configuration.
Here is some information about my systems:
Linux: RHEL4
Samba: 3.0.25b-1.el4_6.4
Winbind: 3.0.25b-1.el4_6.4
My configs (some):
/etc/samba/smb.conf
[global]
    workgroup = <SHORT-DOMAIN>   # anonymized
    netbios name = client0
    realm = <DOMAIN>             # anonymized
    # range of unix ids winbind will accept for the mappings it reads from AD
    idmap uid = 10000-640000
    idmap gid = 10000-640000
    # read uid/gid from the AD itself (SFU attributes) instead of allocating locally
    idmap backend = ad
    winbind separator = +
    winbind use default domain = Yes
    security = ADS
    encrypt passwords = yes
    password server = <AD-Server>   # anonymized
    client use spnego = yes
    winbind enum users = yes
    winbind enum groups = yes
    unix password sync = yes
    template shell = /bin/bash
    # take uid/gid, home directory and shell from the SFU schema
    winbind nss info = sfu
/etc/nsswitch.conf
passwd: files winbind ldap
group: files winbind ldap
shadow: files winbind ldap
hosts: files dns
networks: files dns
services: files db
protocols: files db
rpc: files db
ethers: files db
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: ldap
aliases: files
/etc/krb5.conf
[libdefaults]
    default_realm = <domain>
    clockskew = 300

[realms]
    <domain> = {
        kdc = <AD-Server>
    }

[domain_realm]
    .<domain> = <DOMAIN>
    <domain> = <DOMAIN>

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }
Greetings
Christopher Kreitz
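Added here as an example for narrowing down problem 1; it is not code from the original post or from the Samba project. Because `id` goes through nsswitch (files, then winbind, then ldap on these hosts), the first thing to establish is whether the hosts disagree on the uid at all or only on the supplementary group list, and which groups each host is missing. The script below takes `id` output collected from several hosts, normalizes it and prints, per host, the groups it lacks compared with the union of all hosts; it also warns if the uid itself differs between hosts, which would mean the mapping is not coming from one central source. The host names, the `host: <id output>` line format and the SAMPLE data (constructed from the numbers quoted above) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: normalize `id` output collected
# from several hosts and report, per host, which groups it is missing relative
# to the union of all hosts, plus whether every host agrees on the uid.
# Hostnames and the "host: <id output>" line format are assumptions; SAMPLE is
# constructed from the numbers quoted in the post.
#
# To collect real data, something like this produces the expected format:
#   for h in server0 server1 server2; do printf '%s: ' "$h"; ssh "$h" id kreitz; done

SAMPLE='server0: uid=32821(kreitz) gid=32002 groups=32001,32005,32003,32002
server1: uid=32821(kreitz) gid=32002 groups=32001,32002
server2: uid=32821(kreitz) gid=32002 groups=32000,32001,32002'

# hosts: one hostname per line, in input order
hosts() {
    printf '%s\n' "$SAMPLE" | sed 's/:.*//'
}

# groups_of HOST: numeric groups reported by HOST, one per line, sorted
groups_of() {
    printf '%s\n' "$SAMPLE" | sed -n "s/^$1: .*groups=//p" | tr ',' '\n' | sort -n
}

# all_groups: union of the groups seen on any host, sorted, without duplicates
all_groups() {
    printf '%s\n' "$SAMPLE" | sed -n 's/.*groups=//p' | tr ',' '\n' | sort -nu
}

# missing_on HOST: groups in the union that HOST did not report
missing_on() {
    tmp=$(mktemp) || return 1
    groups_of "$1" > "$tmp"
    # -x: whole-line match, -F: fixed strings, -v: keep what is NOT on the host
    all_groups | grep -vxF -f "$tmp"
    rm -f "$tmp"
}

# uid_values: distinct uid values seen across hosts; more than one line means
# the hosts are not all getting the mapping from the same source
uid_values() {
    printf '%s\n' "$SAMPLE" | sed -n 's/^[^:]*: uid=\([0-9]*\)(.*/\1/p' | sort -u
}

# report: human-readable summary of the comparison
report() {
    if [ "$(uid_values | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "WARNING: uid differs between hosts:"
        uid_values
    fi
    for h in $(hosts); do
        m=$(missing_on "$h" | tr '\n' ' ')
        printf '%-10s missing groups: %s\n' "$h" "${m:-none}"
    done
}

report
```

For the sample above this reports that server0 lacks 32000, server1 lacks 32000, 32003 and 32005, and server2 lacks 32003 and 32005, while all three agree on uid 32821. Once you know which groups are missing where, compare `id kreitz` with what winbind itself returns on the same host (`wbinfo -i kreitz` for the passwd entry, `wbinfo -r kreitz` for the user's domain group SIDs) to tell a stale winbind view apart from an nsswitch source other than winbind supplying the entry.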