[Samba] domain users in local groups with Winbind/Samba/Redhat
Matthias Rutzki
mrutzki at gmx.de
Thu Feb 20 09:51:22 GMT 2003
Hello again,
At the beginning, thank you for your support. Today I had the time to test the
various proposals. Finally the "gpasswd thing" works in that way that I can
add any user to local groups. Even domain users...
Unfortunately the group members still cannot access the shares.
I have done it in this way:
1. stop smbd & nmbd
2. add "winbind use default domain = yes" to the smb.conf
3. create a testgroup with "groupadd test1"
4. add my domain user (without the domain (domain+)) to this group with
"gpasswd -a rutzki.matthias test1"
5. create a share called testshare with "valid users = @test1" in smb
6. start smbd nmbd
7. logged in domain on a WIN98 System
8. try to access the testshare
9. System asks me for a password.....
So, it seems that the samba does not find my user. Same failure when I add my
user with
"gpasswd -a west3+rutzki.matthias test1" to the local group.
Here is my winbind log:
#access to testshare with "valid users = west3+rutzki.matthias" (this works
perfect):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257
...
#access to testshare with "valid users = @test1" or "valid users =
+test1" (ends in password request):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias...(approx.: 30 times this message)
...
Has anyone an idea what winbind is doing there? Perhaps you need some other
winbind related configuration data:

/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf:
...
security = domain
...
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind cache time = 10
winbind enum users = no #(large domain)
winbind enum groups = no #(large domain)
template shell = /bin/bash
...
[testshare]
path = /1
guest ok = no
writable = no
browseable = yes
valid users = @test1
write list = @test1

/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

I hope that will help you. Thank you for your help.
Greetings
Matthias
>--- David Boynton <david.boynton2 at asu.edu> wrote:
>> Well, I got this to work once by manually editing
>> the /etc/group file, like
>> adding the line:
>>
>> localgroup:x:<gid>: domain+user1,domain+user2,etc
>>
>> I don't know if this is a safe thing to do, however.
>> :)
>
>I don't believe you can safely manually edit this
>file, as you would probably also have to edit
>/etc/gshadow to match. Unix/Linux has a tool called
>gpasswd that will do this for you:
>gpasswd -a <user> <group>
>
>It lets you add users to a group without them existing
>in /etc/passwd (they don't even have to exist at all).
>Combine this with "winbind use default domain = yes"
>in smb.conf and you're ready to go.
>
>For example, in the domain ABC for the user john, do
>this to add him to a 'local' Unix group called
>smbusers:
>
>gpasswd -a john smbusers
>
>With "winbind use default domain = yes" you don't need
>to prefix it with your domain. Slick, huh? (:
>
>Good luck,
>/dev/idal