[Samba] How do I get Winbind accounts in LDAP?

Ganguly, Sapan Sapan.Ganguly at thalesgroup.com
Thu Jan 8 16:44:36 GMT 2004

Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main
HOWTO collection that comes with Samba 3.0, the only difference is that I
used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson.
I haven't managed to get hold of him, he says he has made it work on Solaris
I also want to get pam_mkhomedir work but I have to get past this bit first.
>From his email signature it looks like he work for Sun in Sweden but even
the Sun helpdesk in the UK hasn't been able to get hold of him yet. 

-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org] 
Sent: 08 January 2004 15:54
To: Ganguly, Sapan 
Cc: 'ww m-pubsyssamba'; 'samba at lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

> I'm doing the same thing but with NT4 so I'm not using active 
> directory. The only thing you haven't mentioned that I can think of is 
> nsswitch.conf, you should have -
> Passwd: files winbind
> Group: files winbind
> Getent works for me, I'm stuck with getting log ons to the Solaris 
> machine with NT usernames to work.

If you want to log onto the Sun machine using Windows networking credentials
you must configure PAM to support the use of pam_winbind.so. Have you done

- John T.

> They seem to have changed something in Solaris 9, even Sun hasn't been 
> able to help me!
> -----Original Message-----
> From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> Sent: 08 January 2004 13:45
> To: Ganguly, Sapan ; samba at lists.samba.org
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> Hi Sapan/All,
> 	ok this is all in my test/dev environment. I have a Sun Sparc 
> workstation running Solaris 9 and an Intel server running Windows 2000 
> server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1 
> installed and is successfully joined to the AD domain, I can 
> authenticate via kerberos and wbinfo -u lists domain users etc. All I 
> need LDAP for is centralising the IDMAP mappings across our 
> theoretical Samba server infrastructure.
>   On the same sparc system I also have SunONE DS 5.2 installed, this 
> has the schema for Samba 3.0.1 successfully loaded. I have created the 
> idamap OU in the directory and I have configured my smb.conf to use 
> LDAP for idmap data, file attached. And I have set the LDAP admin 
> account password with "smbpasswd -w". I have also disabled nscd from 
> starting up & installed patch 113476-05 which is required for Solaris 
> 9. I can also see winbindd establishing a connection to Sun LDAP in 
> its access log.
>   As I was writing this mail I have noticed that a getent for users 
> and groups is not displaying any AD users/groups but is exiting with a 
> status 0, this is despite the fact that wbinfo is correctly displaying 
> all my AD users/groups!? I can see from a snoop and truss run on the 
> getent that it is making LDAP calls to the AD DC but it's not 
> returning anything!?! I have had this running on a Solaris 8 system in 
> my test environment successfully and can't think of anything I've done 
> differently.
> If anyone can help I'd greatly appreciate it,
> 	many thanks Andy.
> -----Original Message-----
> From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com]
> Posted At: 07 January 2004 16:44
> Posted To: Samba
> Conversation: [Samba] How do I get Winbind accounts in LDAP?
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> Andy,
> Tell us a bit more, I'm doing a similar thing I think.  I'm not using 
> Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and 
> I'm logging into my Solaris 9.0 machine running winbind, with my NT 
> username and password which creates an idmap in the openldap database 
> on the Redhat box....well, that's what it is supposed to do 
> anyway...it works fine on Redhat, Solaris is proving to be a little 
> more tricky.
> Is this what you are doing?
> -----Original Message-----
> From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> Sent: 07 January 2004 14:23
> To: samba at lists.samba.org
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> Hi John/List,
> 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2 
> but without any success. I've tried what John T has suggested below 
> but my idmap OU is still empty (adapted LDAP commnads for Sun DS). I 
> cannot see any errors in either Samba or Sun DS logs, does anyone have 
> any troubleshooting tips to help work out why this isn't working?
> 		many thanks Andy.
> -----Original Message-----
> From: samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org
> [mailto:samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org]On Behalf 
> Of John H Terpstra Posted At: 03 January 2004 23:54 Posted To: Samba
> Conversation: [Samba] How do I get Winbind accounts in LDAP?
> Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> Kent,
> Did you create the container for the ou=Idmap in your LDAP database? 
> The IDMAP entries are automatically added to LDAP - IF the container 
> exists, and so long as Samba can access that database.
> Also, I suggest you store your machine accounts in the Users container 
> and not in the Computers container. Samba does not at this time search 
> the Computers container correctly.
> Execute the following to find out if your LDAP database has an IDMAP
> container:
> 	slapcat | grep -i IDMAP
> If nothing is returned, execute this:
> ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
> dn: ou=Idmap,dc=abmas,dc=biz
> objectClass: organizationalunit
> ou: idmap
> structuralObjectClass: organizationalunit
> Now you must stop samba, delete the winbind*tdb files, restart samba,
> run:
> 	wbinfo -u
> And that should automatically populate your LDAP IDMAP database.
> Cheers,
> John T.
> BBCi at http://www.bbc.co.uk/
> This e-mail (and any attachments) is confidential and may contain 
> personal views which are not the views of the BBC unless specifically 
> stated. If you have received it in error, please delete it from your 
> system. Do not use, copy or disclose the information in any way nor 
> act in reliance on it and notify the sender immediately. Please note 
> that the BBC monitors e-mails sent or received. Further communication 
> will signify your consent to this.

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list