[Samba] AD and winbindd madness
Robert Gehr
robert.gehr at baumann-gmbh.de
Wed Mar 18 10:52:40 GMT 2009
Hello all
I tried for a couple of days now to get our samba domain hooked up with
an AD controller. I followed these instructions:
http://www.msadfaq.de/wiki/ActiveDirectory/trust_relationship_samba_ad
I've solved a couple of problems over the years but this is a hard nut
to crack.
The setup is as follows
AD runs the domain BAUMANN (realm: baumann.local)
samba runs the domain BAUMANN-GMBH
The trust relationship has been established, at least so it seems.
What I can do when I fire up winbind on the samba PDC (baadm1):
wbinfo -u: works
wbinfo -g: works
wbinfo -m: works
wbinfo -t: never returns but spits out no errors
getent passwd/group show the users/groups of the AD BAUMANN domain
I can assign file/group ownership to users/groups from the BAUMANN
domain.
If I don't have winbindd running I can connect to a share located on the
PDC of the samba controlled BAUMANN-GMBH domain, but can not write to
it.
If I run winbindd I can't connect to the share anymore. Same user, same
password. The error winbindd comes up with:
SCHANNEL: schannel_decode seq_num=13 data_len=32
SCHANNEL: schannel_decode seq_num=13 data_len=32
cli_pipe_validate_current_pdu: got pdu len 96, data_len 20, ss_len 12
rpc_api_pipe: got PDU len of 96 at offset 0
rpc_api_pipe: host baad1.baumann.local, pipe \NETLOGON, fnum 0x8006
returned 40 bytes.
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
out: struct netr_LogonSamLogonEx
validation : *
validation : union netr_Validation(case 3)
sam3 : NULL
authoritative : *
authoritative : 0x01 (1)
flags : *
flags : 0x00000000 (0)
result : NT_STATUS_LOGON_FAILURE
NTLM CRAP authentication for user [BAUMANN]\[gehr] returned
NT_STATUS_LOGON_FAILURE (PAM: 4)
Here are the relevant entries of smb.conf on the samba PDC:
[global]
dos charset = 850
unix charset = ISO8859-1
display charset = ISO8859-1
workgroup = BAUMANN-GMBH
server string = %h
passdb backend = ldapsam:"ldap://baadm1.baumann-gmbh.de, ldap://bafs2.baumann-gmbh.de"
username map = /usr/local/samba/lib/user.map
lanman auth = No
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add group script = /usr/local/sbin/smbldap-groupadd -a -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
logon path =
domain logons = Yes
os level = 65
domain master = Yes
wins support = Yes
kernel oplocks = No
ldap admin dn = cn=ldap-admin,dc=baumann-gmbh,dc=de
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=baumann-gmbh,dc=de
ldap ssl = start tls
ldap user suffix = ou=people
#idmap backend = ldap:ldap://baadm1.baumann-gmbh.de
#idmap domains = BAUMANN-GMBH
idmap uid = 10000-20000
idmap gid = 10000-20000
ldapsam:trusted = yes
idmap config BAUMANN-GMBH:ldap_url = ldap://baadm1.baumann-gmbh.de
idmap config BAUMANN-GMBH:ldap_base_dn = ou=idmap,dc=baumann-gmbh,dc=de
idmap config BAUMANN-GMBH:backend = ldap
idmap config BAUMANN-GMBH:default = yes
Here is the conf winbindd gets started with:
[global]
workgroup = baumann
netbios name = baadm1
idmap uid = 30000-40000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
#winbind separator = +
realm = BAUMANN.LOCAL
#winbind use default domain = Yes
security = ADS
domain master = No
encrypt passwords = yes
password server = baad1.baumann.local
client use spnego = yes
winbind trusted domains only = No
Help is greatly appreciated, for it is a must that we get this thing
going.
Thanks and regards
Rob
Success is going from failure to failure without loss of enthusiasm.
~ Winston Churchill
--
baumann GmbH
Oskar-von-Miller-Str. 7
92224 Amberg - Deutschland / Germany
GF / CEO: Dr. Georg Baumann, Rudi Neumann, Josef Konrad
HR: Amberg HRB 1067
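Added example, not the poster's code and not anything from the Samba project: a small Python check that parses two smb.conf [global] sections (skipping comment lines and joining backslash continuation lines, both of which smb.conf(5) allows) and lists the settings that differ when smbd and winbindd are started from separate configuration files, as in the two files posted above. Which keys are worth comparing, and the cut-down sample configs, are my assumptions.

```python
"""Side-by-side check of the [global] sections of two smb.conf files, for the
case where smbd and winbindd are started from different configurations.
Added example, not code from the poster or from the Samba project; the list of
settings compared is an assumption about what is worth looking at first."""
import re


def _norm_key(key):
    # Samba ignores case and whitespace in parameter names, so
    # "idmap uid", "Idmap UID" and "idmapuid" are the same key.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_key: value}}.
    Handles '#' and ';' comment lines and trailing-backslash continuation
    lines (smb.conf(5): a line ending in a backslash continues on the next)."""
    sections = {}
    current = None
    logical_text = re.sub(r"\\\n\s*", "", text)  # join continued lines
    for raw in logical_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def global_section(text):
    return parse_smb_conf(text).get("global", {})


def parse_range(value):
    """'10000-20000' -> (10000, 20000); raises ValueError on malformed input."""
    lo, sep, hi = value.partition("-")
    if not sep or not lo.strip().isdigit() or not hi.strip().isdigit():
        raise ValueError("bad idmap range: %r" % value)
    lo, hi = int(lo), int(hi)
    if lo >= hi:
        raise ValueError("empty idmap range: %r" % value)
    return lo, hi


# Settings two daemons on one host must agree on if they are to see the same
# domain and hand out the same uid/gid for a given SID (assumption).
SHARED_KEYS = ("workgroup", "realm", "security", "idmapuid", "idmapgid")


def compare_globals(conf_a, conf_b, keys=SHARED_KEYS):
    """Return [(key, value_in_a, value_in_b)] for every key in `keys` whose
    value differs between the two configs (None = not set on that side)."""
    ga, gb = global_section(conf_a), global_section(conf_b)
    return [(k, ga.get(k), gb.get(k)) for k in keys if ga.get(k) != gb.get(k)]


def idmap_ranges_agree(conf_a, conf_b):
    """True only if both configs set idmap uid/gid and the ranges are identical;
    distinct ranges mean each daemon maps the same SID to a different id."""
    ga, gb = global_section(conf_a), global_section(conf_b)
    try:
        return all(parse_range(ga[k]) == parse_range(gb[k])
                   for k in ("idmapuid", "idmapgid"))
    except (KeyError, ValueError):
        return False


# Constructed sample configs, trimmed down from the two posted above.
SMBD_CONF = """\
[global]
    workgroup = BAUMANN-GMBH
    passdb backend = ldapsam:"ldap://baadm1.baumann-gmbh.de, \\
        ldap://bafs2.baumann-gmbh.de"
    domain logons = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    #idmap backend = ldap:ldap://baadm1.baumann-gmbh.de
"""

WINBINDD_CONF = """\
[global]
    workgroup = baumann
    realm = BAUMANN.LOCAL
    security = ADS
    idmap uid = 30000-40000
    idmap gid = 30000-40000
"""

if __name__ == "__main__":
    for key, a, b in compare_globals(SMBD_CONF, WINBINDD_CONF):
        print("%-10s smbd=%r  winbindd=%r" % (key, a, b))
    print("idmap ranges agree:", idmap_ranges_agree(SMBD_CONF, WINBINDD_CONF))
```

Run as-is it prints the keys where the two sample files disagree (workgroup, realm, security and both idmap ranges) and reports that the idmap ranges do not match. It only reports differences; it does not decide which side is right, and whether a difference matters depends on how the two daemons are meant to share the host.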