[Samba-it] Joining an AD domain and integrating groups and users

Davide D'Amico davide.damico at gmail.com
Wed Jan 2 06:11:58 MST 2008


Hello (and happy 2008).
I am joining a FreeBSD 7 machine with Samba 3.0.28 to a pre-R2 W2k3 AD
domain, using this smb.conf:
[global]
netbios name = MONITOR
server string = Monitor
workgroup = TVAS08
realm = TELEVAS.LOCAL
password server = activedomain.televas.local
security = ads
#use kerberos keytab = Yes
allow trusted domains = No
idmap backend = ad
idmap uid = 10000-100000
idmap gid = 10000-100000
log level = 10
template shell = /bin/false
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = sfu
winbind offline logon = Yes
winbind refresh tickets = True
winbind use default domain = Yes
winbind nested groups = Yes

[shares]
  path = /usr/local/shares
  writable = yes
  browseable = yes
  read only = no
  preserve case = yes
  short preserve case = yes

[homes]
     comment = Home Directories
     browseable = no
     writeable = yes

The command net join ads -U Administrator succeeds, and so do
wbinfo -g and wbinfo -u,
but if I run pw groupshow -a and pw usershow -a I only see the local
groups.
Also, if I browse the network resources from the PDC, I cannot access
MONITOR because (from the logs)
it appears that the user I specify (TVAS08\Administrator) does not exist, so
I thought it was
a problem related to the 'visibility' of the domain's groups and users.

I configured nsswitch and krb like this:
nsswitch.conf:
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

krb5.conf:
[libdefaults]
  clockskew = 300
  default_realm = TELEVAS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
TELEVAS.LOCAL = {
  kdc = 192.168.0.167:88
  admin_server = activedomain.televas.local:749
  default_domain = TELEVAS.LOCAL
}

[domain_realm]
  .TELEVAS.LOCAL = TELEVAS.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

/var/kerberos/krb5kdc/kdc.conf:
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 TELEVAS.LOCAL = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm \
    des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm \
    des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 \
    des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm \
    des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm \
    des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal \
    des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 \
    des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm \
    des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal \
    des-cbc-sha1:norealm des-cbc-sha1:onlyrealm

In addition, /var/log/samba/log.winbindd fills up with:
[2008/01/02 14:10:00, 1] nsswitch/winbindd_group.c:winbindd_getgrent(1011)
  could not look up gid for group DnsUpdateProxy
[2008/01/02 14:10:00, 10] nsswitch/winbindd_group.c:winbindd_getgrent(961)
  entry_index = 9, num_entries = 9
[2008/01/02 14:10:00, 10] nsswitch/winbindd_group.c:winbindd_getgrent(968)
  freeing state info for domain TVAS08
[2008/01/02 14:10:00, 4] nsswitch/winbindd_group.c:get_sam_group_entries(854)
  get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
[2008/01/02 14:10:00, 3] nsswitch/winbindd_group.c:get_sam_group_entries(859)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2008/01/02 14:10:00, 10] nsswitch/winbindd_group.c:winbindd_getgrent(968)
  freeing state info for domain MONITOR


Any ideas?

Thanks in advance,
dave