[Samba] samba-3.0.0 and Active Directory

Vladimir Levijev vl at iati.ee
Sun Nov 16 14:49:36 GMT 2003


Hi everybody,

In short, I want my Active Directory users to be able to use a Linux samba
file server.

The network is: Win XP and w2k clients, an AD server (w2k) and a Linux samba
file server (RedHat 7.1).

The services on the Linux box (imap, ftp, ssh) are configured to use pam_ldap
and nss_ldap, so 'getent passwd' works fine and gets accounts from both
/etc/passwd (root and a couple of accounts) and AD using LDAPS (the Active
Directory schema is extended with AD4Unix, so each user in AD has valid
'Unix settings': uid/gid (1000-10000) and a '/home/%u' for a shell).

I tried to configure samba to talk to AD, specifying the ldap server and
'ldap admin dn', and it even connects to the AD server when I execute
'smbclient' locally on Linux (one.two.com is the AD server):

[clip]
[2003/11/15 19:53:25, 10] lib/smbldap.c:smbldap_open_connection(527)
  smbldap_open_connection: ldaps://one.two.com:636
[2003/11/15 19:53:25, 2] lib/smbldap.c:smbldap_open_connection(623)
  smbldap_open_connection: connection opened
[2003/11/15 19:53:25, 10] lib/smbldap.c:smbldap_connect_system(749)
  ldap_connect_system: Binding to ldap server ldaps://one.two.com:636
        as "cn=ldapquery, cn=Users, dc=two, dc=com"
[2003/11/15 19:53:25, 3] lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
[2003/11/15 19:53:25, 4] lib/smbldap.c:smbldap_open(836)
  The LDAP server is succesful connected
[clip]

but then, instead of fetching the account of the user I specified with '-U'
to smbclient, it searches for SID 501:

[clip]
[2003/11/15 19:53:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1098)
  ldapsam_getsampwsid: Unable to locate SID
	[S-1-5-21-22154274-3529046950-2477786524-501] count=0
[2003/11/15 19:53:25, 10] passdb/pdb_get_set.c:pdb_set_username(584)
  pdb_set_username: setting username nobody, was
[clip]

Why is it always searching for SID 501 no matter which user I try to
connect as, and how can I determine who that user is?

And some other questions:

How is it possible to allow AD users to use the samba file server's shares
(their home dirs) so that the current Linux configuration (nss+pam+ldap) will
still work?

Do I definitely need Kerberos for that?

If I need to extend my AD with samba schema, how can I do that?

Thank you in advance,

-- 
[vl at dimir]#
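As an added example that is not part of the original post: RID 501 is the well-known Guest RID in every NT/AD domain, so the second debug excerpt shows Samba failing to find the requested SID in its passdb backend and then settling on the Unix account named by the smb.conf 'guest account' setting (here 'nobody'). The Python script below parses Samba 3.0-style debug output, pairs each "Unable to locate SID" message with the SID printed on the following line, and reports which well-known account the RID corresponds to and which Unix user the session ended up as. The sample input embedded in the script is the debug excerpt quoted in the post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Well-known domain-relative RIDs; these values are fixed across all AD/NT domains.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# A bracketed domain SID as Samba prints it: [S-1-5-21-<a>-<b>-<c>-<rid>]
SID_BRACKET_RE = re.compile(r"\[(S-1-5-21(?:-\d+){3}-\d+)\]")
# The passdb line that records which Unix user the session will run as.
USERNAME_RE = re.compile(r"pdb_set_username: setting username ([^\s,]+)")


def split_sid(sid: str):
    """Split a domain SID into (domain part, rid); rejects non-S-1-5-21 SIDs."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not an S-1-5-21 domain SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def describe_rid(rid: int) -> str:
    return WELL_KNOWN_RIDS.get(rid, "domain-specific account or group")


@dataclass
class GuestFallback:
    sid: str
    rid: int
    rid_name: str
    username: str  # Unix account Samba settled on after the SID lookup failed


def find_guest_fallbacks(lines: Iterable[str]) -> List[GuestFallback]:
    """Scan Samba debug output for 'Unable to locate SID' followed by a
    pdb_set_username line. The SID may be printed on the line after the message."""
    findings: List[GuestFallback] = []
    awaiting_sid = False
    pending_sid: Optional[str] = None
    for line in lines:
        if "Unable to locate SID" in line:
            awaiting_sid = True
        if awaiting_sid:
            m = SID_BRACKET_RE.search(line)
            if m:
                pending_sid = m.group(1)
                awaiting_sid = False
            continue
        if pending_sid is not None:
            m = USERNAME_RE.search(line)
            if m:
                _, rid = split_sid(pending_sid)
                findings.append(GuestFallback(pending_sid, rid, describe_rid(rid), m.group(1)))
                pending_sid = None
    return findings


# Sample input: the level-10 smbd debug lines quoted in the post above.
SAMPLE_LOG = """\
[2003/11/15 19:53:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1098)
  ldapsam_getsampwsid: Unable to locate SID
\t[S-1-5-21-22154274-3529046950-2477786524-501] count=0
[2003/11/15 19:53:25, 10] passdb/pdb_get_set.c:pdb_set_username(584)
  pdb_set_username: setting username nobody, was
""".splitlines()


def report(lines: Iterable[str]) -> List[str]:
    """One human-readable line per guest fallback detected."""
    out = []
    for f in find_guest_fallbacks(lines):
        out.append(f"SID {f.sid} (RID {f.rid} = {f.rid_name}) not found in passdb; "
                   f"session continued as Unix user '{f.username}'")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a level-10 smbd log, a non-empty report means a client authenticated as something other than the account it asked for; on a file server meant to serve AD users' home directories that is the condition to alert on, since the share will be reached with the guest account's permissions rather than the caller's.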
