[Samba] Winbind help

Buchan Milne bgmilne at cae.co.za
Mon Sep 30 12:47:29 GMT 2002


> Message: 4
> From: "Simeonidis, Steve" <simes at cpgen.cpg.com.au>
> Reply-To: SteveSimeonidis at spherion.com
> To: samba at lists.samba.org
> Date: Mon, 30 Sep 2002 16:48:52 +1000
> Subject: [Samba] Winbind help
> 
> Hi everyone,
> 
> I've been trying to use winbind in order to
> connect to a WinNT PDC for authenticating users and
> also mapping user/group ids.
> 
> We are using RH 7.3 Samba 2.2.3a
> 
> I've followed the instructions provided in the document
> "Unified Logons between WindowsNT and UNIX using Winbind"
> 
> We only want to authenticate SAMBA users so I've skipped the
> /etc/pam.d/* changes.
> 
> These are the "important" entries of my smb.conf file:
>    workgroup = groupserv_melb
>    netbios name = linux-smb
>    netbios aliases = linux-test
> 
>    winbind separator = +
>    winbind uid = 10000-20000
>    winbind gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir = /home/winnt/%D/%U
>    template shell = /bin/bash
> 
>    password server = 138.79.130.20

Rather use 'password server = *' for winbind

>    encrypt passwords = yes
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
> 
>    add user script = /usr/sbin/useradd -d /home/winnt/%D/%U -s /bin/false -M %U

Don't use this.

> 
> The domain has been joined using smbpasswd 
> 
> Here are my questions:
> Every time I enable domain logons on SAMBA and try
> "wbinfo -t" I get Bad secret.
> When domain logons is disabled then the secret is good.

You shouldn't have domain logons enabled with winbind in 2.2.x.

> 
> if I type "wbinfo -u" I get all the domain users not a problem
> the same with the "wbinfo -g" for groups.

Even when wbinfo -t doesn't work?

> 
> 
> Using the "add user script =" parameter trying to access the domain
> using smbclient eg.
> "smbclient //linux-smb/homes  -W groupserv_melb -I 138.79.161.225 -U tst-steve"
> The home directory doesn't get created properly. The %D option is EMPTY.
> The user gets created in passwd/group/shadow but the HOME directory
> DOESN'T??
> 
> I get something like 
> tst-steve:x:10058:10058::/home/winnt//tst-steve:/bin/false
> in the passwd file (with 2 // instead of the DOMAIN Name).

Rather use pam_mkhomedir, and enable pam session support in smb.conf to 
force samba to use pam_mkhomedir.

> 
> Also winbindd log file complains about port 445 on the PDC
> [2002/09/30 16:02:24, 2] lib/util_sock.c:open_socket_out(858)
>   error connecting to 138.79.130.20:445 (Connection refused)
> What does that port do?
> 

This isn't relevant to your problem AFAIK.

> 
> So what is the best way to do it if I want to authenticate the users from the
> WindowsNT PDC and also give them access to SAMBA shares using the Windows
> NT permissions?

Install Mandrake 9.0 using a network install, you can join the domain 
during installation. If you can't do a network install, you may need to 
do some stuff manually. ACLs are supported on XFS and ext2/ext3 (but, 
you must choose 'acl' as a mount option for them before it will work).

If you can't get 9.0, 8.2 with the Mandrake RPMs from ftp.samba.org will 
get you about the same place as a non-network install of 9.0, except 
only ACLs on XFS.

To get ACLs on RH7.x, you need to get the install ISO from SGI's XFS 
site, or rebuild the kernel and samba yourself with acl support. I am not 
sure about 8.0.

You will find some relevant files in either samba CVS or Mandrake CVS, 
with examples for using pam_mkhomedir etc.

Some of this is covered in 
http://ranger.dnsalias.com/mandrake/muo/connect/csamba5.html#winbind

Regards,
Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
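
The three changes suggested in the reply above, expressed as a small smb.conf check. This is an added example, not code from the thread or from Samba; the function names and the sample configuration (built from the quoted settings, with "domain logons = yes" added) are constructed for illustration.

```python
# Added example (not from the thread): lint smb.conf for the reply's three points.
# SAMPLE_CONF is constructed from the quoted settings, plus "domain logons = yes".
SAMPLE_CONF = """\
[global]
   workgroup = groupserv_melb
   winbind separator = +
   winbind uid = 10000-20000
   password server = 138.79.130.20
   domain logons = yes
   add user script = /usr/sbin/useradd -d /home/winnt/%D/%U \\
      -s /bin/false -M %U
"""

def parse_global(text):
    """Return [global] parameters keyed by name with case and whitespace removed,
    which is how Samba compares parameter names."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Return (parameter, note) pairs for settings the reply advises against."""
    p = parse_global(text)
    if not any(k.startswith("winbind") for k in p):
        return []                        # advice only applies to winbind setups
    findings = []
    if p.get("domainlogons", "no").lower() in ("yes", "true", "1"):
        findings.append(("domain logons", "should be off with winbind in 2.2.x"))
    if p.get("passwordserver", "*") != "*":
        findings.append(("password server", "use '*' rather than a fixed address"))
    if "adduserscript" in p:
        findings.append(("add user script", "drop it; use pam_mkhomedir instead"))
    return findings

if __name__ == "__main__":
    for name, note in lint(SAMPLE_CONF):
        print(f"{name}: {note}")
```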



