[Samba] How do I get Winbind accounts in LDAP?

John H Terpstra jht at samba.org
Thu Jan 8 15:53:56 GMT 2004


On Thu, 8 Jan 2004, Ganguly, Sapan wrote:

>
> I'm doing the same thing but with NT4 so I'm not using active directory.
> The only thing you haven't mentioned that I can think of is nsswitch.conf,
> you should have -
>
> passwd: files winbind
> group: files winbind
>
> Getent works for me, I'm stuck with getting log ons to the Solaris machine
> with NT usernames to work.

If you want to log onto the Sun machine using Windows networking
credentials you must configure PAM to support the use of pam_winbind.so.
Have you done that?

- John T.


> They seem to have changed something in Solaris 9, even Sun hasn't been able
> to help me!
>
> -----Original Message-----
> From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> Sent: 08 January 2004 13:45
> To: Ganguly, Sapan ; samba at lists.samba.org
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Hi Sapan/All,
>
> 	ok this is all in my test/dev environment. I have a Sun Sparc
> workstation running Solaris 9 and an Intel server running Windows 2000
> server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
> installed and is successfully joined to the AD domain, I can authenticate
> via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is
> centralising the IDMAP mappings across our theoretical Samba server
> infrastructure.
>
>   On the same sparc system I also have SunONE DS 5.2 installed, this has the
> schema for Samba 3.0.1 successfully loaded. I have created the idmap OU in
> the directory and I have configured my smb.conf to use LDAP for idmap data,
> file attached. And I have set the LDAP admin account password with
> "smbpasswd -w". I have also disabled nscd from starting up & installed patch
> 113476-05 which is required for Solaris 9. I can also see winbindd
> establishing a connection to Sun LDAP in its access log.
>
>   As I was writing this mail I have noticed that a getent for users and
> groups is not displaying any AD users/groups but is exiting with a status 0,
> this is despite the fact that wbinfo is correctly displaying all my AD
> users/groups!? I can see from a snoop and truss run on the getent that it is
> making LDAP calls to the AD DC but it's not returning anything!?! I have had
> this running on a Solaris 8 system in my test environment successfully and
> can't think of anything I've done differently.
>
> If anyone can help I'd greatly appreciate it,
>
> 	many thanks Andy.
>
> -----Original Message-----
> From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com]
> Posted At: 07 January 2004 16:44
> Posted To: Samba
> Conversation: [Samba] How do I get Winbind accounts in LDAP?
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
>
> Andy,
>
> Tell us a bit more, I'm doing a similar thing I think.  I'm not using Sun's
> LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging
> into my Solaris 9.0 machine running winbind, with my NT username and
> password which creates an idmap in the openldap database on the Redhat
> box....well, that's what it is supposed to do anyway...it works fine on
> Redhat, Solaris is proving to be a little more tricky.
>
> Is this what you are doing?
>
> -----Original Message-----
> From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> Sent: 07 January 2004 14:23
> To: samba at lists.samba.org
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Hi John/List,
>
> 	I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
> but without any success. I've tried what John T has suggested below but my
> idmap OU is still empty (adapted LDAP commands for Sun DS). I cannot see any
> errors in either Samba or Sun DS logs, does anyone have any troubleshooting
> tips to help work out why this isn't working?
>
> 		many thanks Andy.
>
> -----Original Message-----
> From: samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org
> [mailto:samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org] On Behalf Of
> John H Terpstra
> Posted At: 03 January 2004 23:54
> Posted To: Samba
> Conversation: [Samba] How do I get Winbind accounts in LDAP?
> Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Kent,
>
> Did you create the container for the ou=Idmap in your LDAP database? The
> IDMAP entries are automatically added to LDAP - IF the container exists, and
> so long as Samba can access that database.
>
> Also, I suggest you store your machine accounts in the Users container and
> not in the Computers container. Samba does not at this time search the
> Computers container correctly.
>
> Execute the following to find out if your LDAP database has an IDMAP
> container:
> 	slapcat | grep -i IDMAP
>
>
> If nothing is returned, execute this:
>
> ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
> dn: ou=Idmap,dc=abmas,dc=biz
> objectClass: organizationalunit
> ou: idmap
> EOR
>
> Now you must stop samba, delete the winbind*tdb files, restart samba,
> run:
> 	wbinfo -u
> And that should automatically populate your LDAP IDMAP database.
>
> Cheers,
> John T.
>

-- 
John H Terpstra
Email: jht at samba.org
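
The thread names two files that must both be right before a Windows account can log on to the Unix host: nsswitch.conf (winbind as a passwd/group source) and the PAM configuration (pam_winbind.so). The script below is an added example, not part of the original messages or of Samba; it assumes the Solaris-style single pam.conf layout (service, type, control flag, module path), and the function names and sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline checks for the two files this thread points at.
# Paths are arguments, so the functions can be run on copies of the files.

# nss_uses_winbind FILE DB: succeeds if DB's line (e.g. passwd) lists winbind.
# The database key is compared case-sensitively ("Passwd:" does not match).
nss_uses_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# pam_has_winbind FILE SERVICE TYPE: succeeds if the pam.conf stack that
# applies to SERVICE for TYPE (its own lines, else "other") loads pam_winbind.so.
pam_has_winbind() {
    awk -v svc="$2" -v type="$3" '
        { sub(/#.*/, "") }
        $2 == type && ($1 == svc || $1 == "other") {
            seen[$1] = 1
            if (index($4, "pam_winbind.so")) hit[$1] = 1
        }
        END { s = (svc in seen) ? svc : "other"; exit !(s in hit) }' "$1"
}

# check_winbind_login NSSWITCH PAMCONF SERVICE: prints each gap and returns
# the number of gaps. Checking both auth and account is an assumption here.
check_winbind_login() {
    problems=0
    for db in passwd group; do
        nss_uses_winbind "$1" "$db" ||
            { echo "nsswitch: $db has no winbind source"; problems=$((problems + 1)); }
    done
    for type in auth account; do
        pam_has_winbind "$2" "$3" "$type" ||
            { echo "pam.conf: $3 $type stack lacks pam_winbind.so"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample files (not from the thread): NSS is set up, PAM is not.
tmp=$(mktemp -d)
printf 'passwd: files winbind\ngroup: files winbind\n' > "$tmp/nsswitch.conf"
printf 'login auth required pam_unix_auth.so.1\nother account required pam_unix_account.so.1\n' > "$tmp/pam.conf"
check_winbind_login "$tmp/nsswitch.conf" "$tmp/pam.conf" login || echo "gaps found: $?"
rm -rf "$tmp"
```

The sample reproduces the situation described in the thread: getent can resolve domain users through NSS while logons still fail because no PAM stack references pam_winbind.so.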

