[Samba] Problems mapping winbind/kerberos usernames and groups to Linux user and groups.

Buchan Milne bgmilne at obsidian.co.za
Tue Feb 3 10:22:38 GMT 2004


On Wed, 28 Jan 2004, Dirk Broer wrote:

> Samba 3.0.1 on Mandrake 9.1ish  Kerberos version seems to match latest
> stable MIT build.
> 
> I can log in via Kerberos authentication and/or winbind.  A couple of
> problems though.
> 
> 1) telnet with the domain username and password and the telnet session
> doesn’t read /etc/bashrc.  Telnet with local username and it does.  bash
> is the shell for both accounts.

How are you creating home directories? If you use pam_mkhomedir, it should 
work, if not, you might not be copying a correct ~/.bashrc from /etc/skel.

> 2) The group account is ‘Domain User’ – with a guid of 10000.  That
> matches the winbind settings but I would like to have a group that both
> local and domain users can belong to.  So I don’t have to open all shared
> directories with chmod 777.

You should be able to create a local group entry  (you don't say where 
Linux users exist ...), or if you are using XFS you can use ACLs instead.

But, it may not be the best idea to have local and winbind accounts that 
must have overlapping group memberships ...

> 
> I have tried setting up a username map, but the moment I either map a domain
> name to a unix name _or_ have a unix username that is the same as a domain
> name, that user can no longer access the server.
> 
> template primary group = users.  This seems to have no effect.
> 
> I have a CVS directory for an internal project that I want to protect
> and I don’t want to set permissions to 777.  I would also have to set the
> default directory permissions for all the CVS users to 777 as well – or they
> will add directories that only same group members can access.
> 
> Should I just change the guid map to point everyone to 100? (guid users=100)
> 

Yes, if you can't use ACLs (i.e. on XFS), that may work.

> Samba was configured with the following options:
> --with-acl-support
> --with-automount
> --with-smbmount
> --with-libsmbclient
> --with-sendfile-support
> --with-smbwrapper
> --with-winbind

Hmm, you may rather want to try rebuilding the source release against your 
Kerberos install with the rpm tools, just:
$ cd packaging/Mandrake
$ sh makerpms.sh 

> 
> PAM wasn’t compiled in.
> 
> 
> 
> # Samba config file created using SWAT
> # from 192.168.0.85 (192.168.0.85)
> # Date: 2004/01/28 17:07:49
> 
> # Global parameters
> [global]
>                workgroup = MYWORKGROUP
>                realm = MYWORKGROUP.COM
>                security = DOMAIN
>                obey pam restrictions = Yes
>                log level = 2
>                add user script = /usr/sbin/useradd -s /bin/bash -g 100 %u
>                delete user script = /usr/sbin/userdel %u
>                preferred master = No
>                local master = No
>                domain master = No
>                dns proxy = No
>                ldap ssl = no
>                idmap uid = 10000-20000
>                idmap gid = 10000-20000
>                template primary group = users
>                template shell = /bin/bash
>                use sendfile = Yes
>                case sensitive = Yes
>                hide dot files = No
> 
> [homes]
>                comment = Home directory
>                read only = No
>                browseable = No
> 
> [dirk]
>                path = /home/dirk
>                valid users = dirk
>                read only = No
>                guest ok = Yes
> 


Regards,
Buchan
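
Added example, not part of the original message or of Samba: one way to replace the chmod 777 approach discussed above with a shared local group plus default ACLs. The function names, the use of the setgid bit, and the directory and group passed in are assumptions; the group is assumed to be a local group that both the local and the winbind users belong to.

```shell
#!/bin/sh
# Added example (not from the thread). DIR and GROUP come from the caller;
# GROUP is assumed to be a local group holding both local and winbind users.

# List directories under DIR that are still world-writable (the chmod 777 state).
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Replace world access on DIR with access for GROUP only.
share_dir_with_group() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    chgrp -R "$group" "$dir" || return 1

    # Directories: group rwx, setgid so new entries inherit GROUP, nothing for others.
    find "$dir" -type d -exec chmod u+rwx,g+rwxs,o-rwx {} + || return 1
    # Files: group read/write, nothing for others.
    find "$dir" -type f -exec chmod g+rw,o-rwx {} + || return 1

    # Default ACL so new files stay group-writable whatever the creator's umask.
    # Skipped when setfacl is not installed; a warning is printed when the
    # filesystem refuses ACLs, and the mode bits set above still apply.
    if command -v setfacl >/dev/null 2>&1; then
        if ! find "$dir" -type d -exec \
            setfacl -d -m "u::rwx,g::rwx,g:$group:rwx,o::---" {} + 2>/dev/null
        then
            echo "warning: could not set default ACLs under $dir" >&2
        fi
    fi
}
```

Run `world_writable_dirs` before and after `share_dir_with_group` to confirm that no directory in the tree is left open to everyone.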


