[Samba] How do I get Winbind accounts in LDAP?
Ganguly, Sapan
Sapan.Ganguly at thalesgroup.com
Thu Jan 8 17:39:18 GMT 2004
John,
wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.
Here is a copy of my smb.conf; I took it from a working Redhat 9.0 machine I
built.
[global]
# LDAP stuff for the idmap backend
ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap
# Winbind stuff
winbind separator = -
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = DOMAIN
# server string is the equivalent of the NT Description field
server string = SUN001
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
; password server = <NT-Server-Name>
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.224.25
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
Thanks,
Sapan
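As an added example that is not part of any message in this thread and not code from the Samba project: a small POSIX sh script that re-creates the checks the thread keeps coming back to, offline, over constructed text, so it runs without a live Samba, winbind or LDAP server. It derives the LDAP container winbind will write idmap entries to (it assumes Samba 3's behaviour of treating `ldap idmap suffix` as relative to `ldap suffix`), confirms that nsswitch.conf hands passwd and group lookups to winbind, and compares `wbinfo -u` output with `getent passwd` output to find users winbind knows but NSS does not, or whose UID lies outside the configured `idmap uid` range. The smb.conf fragment is modelled on the settings posted above; the nsswitch.conf lines, the command output and the user names in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project. It
# re-creates the checks discussed in this thread offline, over constructed
# text, so it runs without a live Samba, winbind or LDAP server:
#   1. which LDAP container winbind will write idmap entries to
#      (Samba 3 treats "ldap idmap suffix" as relative to "ldap suffix")
#   2. whether nsswitch.conf actually hands passwd/group lookups to winbind
#   3. which users wbinfo -u knows but getent passwd does not
#   4. which winbind users carry a UID outside the configured "idmap uid" range

# Constructed smb.conf fragment modelled on the settings posted above.
SMB_CONF='[global]
# LDAP stuff for the idmap backend
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
idmap backend = ldap:ldap://lnxs001'

# Constructed nsswitch.conf fragment in the form the thread says is required.
NSSWITCH='passwd: files winbind
group: files winbind'

# Constructed command output: three domain users known to winbind; "kent"
# has no NSS entry at all and "andy" has a UID outside the idmap range.
WBINFO_U='sapan
andy
kent'
GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
sapan:x:10001:10000::/mnt/spare/sapan:/bin/bash
andy:x:505:10000::/mnt/spare/andy:/bin/bash'

# smb_param KEY CONF: value of KEY in smb.conf text CONF (first match,
# key compared case-insensitively, comment lines skipped, blanks trimmed).
smb_param() {
    printf '%s\n' "$2" | awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# idmap_container_dn CONF: the DN winbind will look for when storing
# mappings, i.e. the container "slapcat | grep -i idmap" should show.
idmap_container_dn() {
    printf '%s,%s\n' "$(smb_param 'ldap idmap suffix' "$1")" \
                     "$(smb_param 'ldap suffix' "$1")"
}

# nss_uses_winbind DB NSSWITCH: exit 0 if database DB (passwd or group)
# lists winbind as a source, 1 otherwise.
nss_uses_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        tolower($1) == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit(found ? 0 : 1) }'
}

# users_missing_from_nss WBINFO GETENT: names in "wbinfo -u" output with no
# line in "getent passwd" output: the symptom Andy describes, which points
# at NSS/idmap rather than at the domain join itself.
users_missing_from_nss() {
    { printf '%s\n' "$2" | sed 's/^/N /'; printf '%s\n' "$1" | sed 's/^/W /'; } |
    awk '
        $1 == "N" { split($2, f, ":"); seen[f[1]] = 1; next }
        $1 == "W" && $2 != "" && !($2 in seen) { print $2 }'
}

# winbind_uids_outside_range CONF WBINFO GETENT: winbind users whose NSS UID
# is outside "idmap uid", e.g. a stale winbind_idmap.tdb mapping left over
# from before the LDAP backend was configured (why John says to delete
# the winbind*tdb files before repopulating).
winbind_uids_outside_range() {
    range=$(smb_param 'idmap uid' "$1")
    lo=${range%-*}
    hi=${range#*-}
    { printf '%s\n' "$2" | sed 's/^/W /'; printf '%s\n' "$3" | sed 's/^/N /'; } |
    awk -v lo="$lo" -v hi="$hi" '
        $1 == "W" && $2 != "" { wb[$2] = 1; next }
        $1 == "N" {
            split($2, f, ":")
            if ((f[1] in wb) && (f[3] + 0 < lo + 0 || f[3] + 0 > hi + 0)) print f[1] ":" f[3]
        }'
}

# Run the checks over the constructed data when executed directly.
echo "idmap container DN: $(idmap_container_dn "$SMB_CONF")"
for db in passwd group; do
    if nss_uses_winbind "$db" "$NSSWITCH"; then echo "$db: winbind listed"; else echo "$db: winbind NOT listed"; fi
done
echo "known to winbind but missing from NSS: $(users_missing_from_nss "$WBINFO_U" "$GETENT_PASSWD")"
echo "winbind users with UID outside idmap range: $(winbind_uids_outside_range "$SMB_CONF" "$WBINFO_U" "$GETENT_PASSWD")"
```

On a real host the three constructed strings would be replaced by `cat /etc/samba/smb.conf`, `cat /etc/nsswitch.conf`, `wbinfo -u` and `getent passwd`; a non-empty result from the last two checks means the problem is on the NSS/idmap side (nsswitch.conf, the idmap container, or leftover winbind tdb files) rather than in the domain join, which is exactly the split the thread is trying to make.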
-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org]
Sent: 08 January 2004 16:58
To: Ganguly, Sapan
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
Sapan,
I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.
What output do you get from:
wbinfo -u
wbinfo -g
Please send me your smb.conf file so I can see what may be going on.
- John T.
On Thu, 8 Jan 2004, Ganguly, Sapan wrote:
>
> Yep, I've done that, I basically followed the Solaris 9 HOWTO from the
> main HOWTO collection that comes with Samba 3.0, the only difference
> is that I used an /etc/pam.conf for Solaris 9 posted on the list by
> Patrik Gustavsson. I haven't managed to get hold of him, he says he
> has made it work on Solaris 9. I also want to get pam_mkhomedir work
> but I have to get past this bit first.
> From his email signature it looks like he works for Sun in Sweden but
> even the Sun helpdesk in the UK hasn't been able to get hold of him yet.
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: 08 January 2004 15:54
> To: Ganguly, Sapan
> Cc: 'ww m-pubsyssamba'; 'samba at lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> On Thu, 8 Jan 2004, Ganguly, Sapan wrote:
>
> >
> > I'm doing the same thing but with NT4 so I'm not using active
> > directory. The only thing you haven't mentioned that I can think of
> > is nsswitch.conf, you should have -
> >
> > Passwd: files winbind
> > Group: files winbind
> >
> > Getent works for me, I'm stuck with getting log ons to the Solaris
> > machine with NT usernames to work.
>
> If you want to log onto the Sun machine using Windows networking
> credentials you must configure PAM to support the use of
> pam_winbind.so. Have you done that?
>
> - John T.
>
>
> > They seem to have changed something in Solaris 9, even Sun hasn't
> > been able to help me!
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> > Sent: 08 January 2004 13:45
> > To: Ganguly, Sapan ; samba at lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi Sapan/All,
> >
> > ok this is all in my test/dev environment. I have a Sun Sparc
> > workstation running Solaris 9 and an Intel server running Windows
> > 2000 server acting as a Native mode AD DC. My Sparc system has Samba
> > 3.0.1 installed and is successfully joined to the AD domain, I can
> > authenticate via kerberos and wbinfo -u lists domain users etc. All
> > I need LDAP for is centralising the IDMAP mappings across our
> > theoretical Samba server infrastructure.
> >
> > On the same sparc system I also have SunONE DS 5.2 installed, this
> > has the schema for Samba 3.0.1 successfully loaded. I have created
> > the idmap OU in the directory and I have configured my smb.conf to
> > use LDAP for idmap data, file attached. And I have set the LDAP
> > admin account password with "smbpasswd -w". I have also disabled
> > nscd from starting up & installed patch 113476-05 which is required
> > for Solaris 9. I can also see winbindd establishing a connection to
> > Sun LDAP in its access log.
> >
> > As I was writing this mail I have noticed that a getent for users
> > and groups is not displaying any AD users/groups but is exiting with
> > a status 0, this is despite the fact that wbinfo is correctly
> > displaying all my AD users/groups!? I can see from a snoop and truss
> > run on the getent that it is making LDAP calls to the AD DC but it's
> > not returning anything!?! I have had this running on a Solaris 8
> > system in my test environment successfully and can't think of
> > anything I've done differently.
> >
> > If anyone can help I'd greatly appreciate it,
> >
> > many thanks Andy.
> >
> > -----Original Message-----
> > From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com]
> > Posted At: 07 January 2004 16:44
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> >
> > Andy,
> >
> > Tell us a bit more, I'm doing a similar thing I think. I'm not
> > using Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0
> > box and I'm logging into my Solaris 9.0 machine running winbind,
> > with my NT username and password which creates an idmap in the
> > openldap database on the Redhat box....well, that's what it is
> > supposed to do anyway...it works fine on Redhat, Solaris is proving
> > to be a little more tricky.
> >
> > Is this what you are doing?
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> > Sent: 07 January 2004 14:23
> > To: samba at lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi John/List,
> >
> > I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
> > but without any success. I've tried what John T has suggested below
> > but my idmap OU is still empty (adapted LDAP commands for Sun DS). I
> > cannot see any errors in either Samba or Sun DS logs, does anyone
> > have any troubleshooting tips to help work out why this isn't
> > working?
> >
> > many thanks Andy.
> >
> > -----Original Message-----
> > From: samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org
> > [mailto:samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org]
> > On Behalf Of John H Terpstra
> > Posted At: 03 January 2004 23:54
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Kent,
> >
> > Did you create the container for the ou=Idmap in your LDAP database?
> > The IDMAP entries are automatically added to LDAP - IF the container
> > exists, and so long as Samba can access that database.
> >
> > Also, I suggest you store your machine accounts in the Users
> > container and not in the Computers container. Samba does not at this
> > time search the Computers container correctly.
> >
> > Execute the following to find out if your LDAP database has an IDMAP
> > container:
> > slapcat | grep -i IDMAP
> >
> >
> > If nothing is returned, execute this:
> >
> > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
> > dn: ou=Idmap,dc=abmas,dc=biz
> > objectClass: organizationalunit
> > ou: idmap
> > structuralObjectClass: organizationalunit
> > EOR
> >
> > Now you must stop samba, delete the winbind*tdb files, restart samba,
> > and run:
> > wbinfo -u
> > And that should automatically populate your LDAP IDMAP database.
> >
> > Cheers,
> > John T.
> >
> >
> >
> > BBCi at http://www.bbc.co.uk/
> >
> > This e-mail (and any attachments) is confidential and may contain
> > personal views which are not the views of the BBC unless
> > specifically stated. If you have received it in error, please delete
> > it from your system. Do not use, copy or disclose the information in
> > any way nor act in reliance on it and notify the sender immediately.
> > Please note that the BBC monitors e-mails sent or received. Further
> > communication will signify your consent to this.
> >
>
>
--
John H Terpstra
Email: jht at samba.org