[Samba] Samba + Winbind + Windows 2003 AD
Michael Lyon
mjlyon at gmail.com
Mon Jul 19 10:22:15 MDT 2010
In all honesty, this is my first time using a binary samba package (I am a
native slackware user that converted to Fedora simply because it was easier
from start-to-finish FWIW)
[]# smbd -V
Version 3.4.7-58.fc12
Here's my smb.conf global section:
[global]
workgroup = WORKGROUPNAME
realm = ad.university.edu
server string = Samba Server Version %v
netbios name = vm-srvname
security = ADS
password server = *
passdb backend = tdbsam
admin users = @"WORKGROUPNAME+Domain Admins"
log level = 2
log file = /var/log/samba/log.%m
max log size = 5000
interfaces = eth0 lo
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
load printers = No
#printing =
printcap name = /etc/printcap
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
winbind separator = +
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
allow trusted domains = yes
idmap uid = 10000-99999
idmap gid = 10000-99999
#idmap backend = ad
idmap domains = WORKGROUPNAME
idmap config WORKGROUPNAME:backend = ad
idmap config WORKGROUPNAME:schema_mode = rfc2307
idmap config WORKGROUPNAME:range = 1000-75999
#template shell = /bin/bash
#template homedir = /home/share
#server signing = enabled
;dead time = 15
getwd cache = yes
nt acl support = yes
acl map full control = no
store dos attributes = yes
map acl inherit = yes
local master = yes
master browser = no
dns proxy = no
unix extensions = no
guest account = nobody
Mike
On Mon, Jul 19, 2010 at 11:09 AM, Mucke, Tobias, FCI4 <
tobias.mucke at mbda-systems.de> wrote:
> Hi Michael,
>
> which version of Samba do you have?
>
> Are you able to post your Samba configuration?
>
> Thank you.
>
> Tobias
>
>
> Kind regards
>
> Tobias Mucke
>
>
>
> LFK-Lenkflugkörpersysteme GmbH
> Serverpool, FCI4
> Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
> Phone: +49 89 3179 8438
> Fax: +49 89 3179 8927
> Mobile: +49 170 635 3830
> E-Mail: tobias.mucke at mbda-systems.de
>
> http://www.mbda.net
>
> Chairman of the Supervisory Board: Antoine Bouvier
> Managing Director: Werner Kaltenegger
> Registered Office: Schrobenhausen
> Commercial Register: Amtsgericht Ingolstadt, HRB 4365
>
> Message sent from handheld via BlackBerry Server.
>
> ________________________________
>
> From: Michael Lyon <mjlyon at gmail.com>
> To: Mucke, Tobias, FCI4; samba at lists.samba.org <samba at lists.samba.org>
> Sent: Mon Jul 19 14:22:37 2010
> Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>
>
> I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC
> console. I'm using Samba/Winbind and use samba shares as user home
> directories that are mounted at login-time on Windows 7 machines.
>
> This is a first attempt as we migrated to Windows 2k8r2 in order to have
> better support for Win7 clients, as we had too many issues with Samba as our
> PDC.
>
> Mike
>
>
>
> On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 <
> tobias.mucke at mbda-systems.de> wrote:
>
>
> Hi,
>
> I'm afraid this is a general issue with Winbind. I am experiencing
> the same problems and my logs look quite similar to Henrik's logs. I am
> using Samba 3.5.4 and tried to resolve this issue without luck. In fact I
> have a working lab environment with Winbind 3.5.4, AD based on Windows
> Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info =
> rfc2307. Unfortunately I was not able to port this setup back to the actual
> production environment with Winbind 3.5.4 and AD based on Windows Server
> 2003 with SFU 3.5.
> Besides AD "versions" there is another large difference between the
> production and the lab. In production the domain structure is far more
> complex ...
> Actually I am deploying a lab more close to the actual production
> environment.
>
> Another important thing to me would be a configuration example of
> somebody out there using Winbind in an actual version 3.5.x with backend ad
> and SFU for Shell and Home Directories. Anybody?
>
> Thank you.
>
> Tobias
>
>
>
> LFK-Lenkflugkörpersysteme GmbH
> Serverpool, FCI4
> Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
> Phone: +49 89 3179 8438
> Fax: +49 89 3179 8927
> Mobile: +49 170 635 3830
> E-Mail: tobias.mucke at mbda-systems.de
>
> http://www.mbda.net
>
> Chairman of the Supervisory Board: Antoine Bouvier
> Managing Director: Werner Kaltenegger
> Registered Office: Schrobenhausen
> Commercial Register: Amtsgericht Ingolstadt, HRB 4365
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Necos Secon
> Sent: Monday, 19 July 2010 01:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>
>
> I accidentally deleted the first set of messages in my email for
> this thread, but does your DNS resolve properly? What does your resolv.conf
> look like? Also, what do these files look like:
>
> krb5.conf
> smb.conf
>
> There's an option in smb.conf, winbind enum users, which needs to be
> set in order for getent to function properly. There is a corresponding
> option for groups as well. Look at them and let us know.
>
> > Date: Mon, 19 Jul 2010 01:12:41 +0200
> > From: hds at semark.dk
> > To: esiotrot at gmail.com
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
> >
> > Hi Michael
> >
> > Sorry for not sending that information in the first place, but I
> > thought that it was so basic that it wasn't necessary.
> >
> > My nsswitch.conf:
> > # cat /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat winbind
> > group: compat winbind
> > shadow: compat winbind
> >
> > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> > networks: files
> >
> > services: db files
> > ethers: db files
> > protocols: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> > I will mean that it is the way to do this (and it works just fine on
> > the UNIX servers that run their own Domain Controller)
> >
> > Med Venlig Hilsen / Best Regards
> > Henrik Dige Semark
> >
> > On 18-07-2010 17:03, Michael Wood wrote:
> > > On 18 July 2010 01:34, Henrik Dige Semark<hds at semark.dk> wrote:
> > >
> > >> Hey out there.
> > >>
> > >> I have to join my UNIX server with an existing Win2k3 AD network.
> > >>
> > >> My system info:
> > >> Debian Lenny
> > >> Samba - 3.4.8
> > >> Winbind - 3.4.8
> > >>
> > >> Windows Server 2003 with 2000-style-AD
> > >>
> > >> My problem is that I have a UNIX server that has to run auth up
> > >> against our existing windows 2003 AD.
> > >>
> > >> I have successfully joined my UNIX server to the AD, without problems.
> > >> # net ads join -U Administrator
> > >> Enter Administrator's password:
> > >> Using short domain name -- TEST
> > >> Joined 'MAIL' to realm 'TEST.LOCAL'
> > >>
> > >> My Samba config: http://pastebin.com/ZqaA0Ypn
> > >>
> > >> After the join I'm able to look up people with # wbinfo -u
> > >>
> > > [...]
> > >
> > >> # wbinfo -g
> > >>
> > > [...]
> > >
> > >> Now the problem: getent only returns the local users and not the
> > >> users from the AD. The funny thing is that if a user is local on the
> > >> UNIX and in the AD, I can login with the password from both local
> > >> and AD, so I know that it can look up people and passwords.
> > >> # getent passwd hs ; echo $?
> > >> 2
> > >>
> > >> When I debug on getent it returns 2, which means that it can't find
> > >> the user.
> > >>
> > > Do you have winbind specified in your nsswitch.conf file as mentioned here:
> > >
> > > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732
> > >
> > >
>
> --
>
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
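The two checks the replies above ask for (winbind listed for passwd and group in nsswitch.conf, and the winbind enum options in smb.conf), written as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration.

```shell
# Added example; function names and sample files are constructed.

# nss_has_winbind FILE DB: succeeds if DB's line (passwd, group) lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                          # strip comments
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# smb_global FILE PARAM: print PARAM from [global], case-insensitive, last wins.
smb_global() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
            gsub(/[ \t]+/, " ", k); sub(/^ /, "", k); sub(/ $/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { if (val != "") print val }' "$1"
}

# smb_enabled FILE PARAM: succeeds if the boolean PARAM is yes/true/1.
smb_enabled() {
    case "$(smb_global "$1" "$2" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; esac
    return 1
}

# check_winbind_nss NSSWITCH SMBCONF: print findings, return their count.
check_winbind_nss() {
    problems=0
    for db in passwd group; do
        nss_has_winbind "$1" "$db" ||
            { echo "nsswitch.conf: $db does not list winbind"; problems=$((problems + 1)); }
    done
    for p in "winbind enum users" "winbind enum groups"; do
        smb_enabled "$2" "$p" ||
            { echo "smb.conf: $p is not enabled"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample files: group lacks winbind, enum groups is commented out.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd: compat winbind\ngroup: compat\n' > "$tmp/nsswitch.conf"
printf '[global]\n security = ADS\n Winbind Enum Users = Yes\n; winbind enum groups = yes\n' > "$tmp/smb.conf"
check_winbind_nss "$tmp/nsswitch.conf" "$tmp/smb.conf" || echo "$? problem(s) found"
```

On a real host the arguments would be /etc/nsswitch.conf and the smb.conf in use (commonly /etc/samba/smb.conf, which is an assumption here).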