[Samba] How do I get Winbind accounts in LDAP?

Ganguly, Sapan Sapan.Ganguly at thalesgroup.com
Thu Jan 8 17:39:18 GMT 2004


John,

wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.224.25 

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 



Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
	wbinfo -u
	wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

>
> Yep, I've done that, I basically followed the Solaris 9 HOWTO from the 
> main HOWTO collection that comes with Samba 3.0, the only difference 
> is that I used an /etc/pam.conf for Solaris 9 posted on the list by 
> Patrik Gustavsson. I haven't managed to get hold of him, he says he 
> has made it work on Solaris 9. I also want to get pam_mkhomedir work 
> but I have to get past this bit first.
> From his email signature it looks like he works for Sun in Sweden but even 
> the Sun helpdesk in the UK hasn't been able to get hold of him yet.
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: 08 January 2004 15:54
> To: Ganguly, Sapan
> Cc: 'ww m-pubsyssamba'; 'samba at lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > I'm doing the same thing but with NT4 so I'm not using active 
> > directory. The only thing you haven't mentioned that I can think of 
> > is nsswitch.conf, you should have -
> >
> > passwd: files winbind
> > group: files winbind
> >
> > Getent works for me, I'm stuck with getting log ons to the Solaris 
> > machine with NT usernames to work.
>
> If you want to log onto the Sun machine using Windows networking 
> credentials you must configure PAM to support the use of 
> pam_winbind.so. Have you done that?
>
> - John T.
>
>
> > They seem to have changed something in Solaris 9, even Sun hasn't 
> > been able to help me!
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> > Sent: 08 January 2004 13:45
> > To: Ganguly, Sapan ; samba at lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi Sapan/All,
> >
> > 	ok this is all in my test/dev environment. I have a Sun Sparc 
> > workstation running Solaris 9 and an Intel server running Windows 
> > 2000 server acting as a Native mode AD DC. My Sparc system has Samba 
> > 3.0.1 installed and is successfully joined to the AD domain, I can 
> > authenticate via kerberos and wbinfo -u lists domain users etc. All 
> > I need LDAP for is centralising the IDMAP mappings across our 
> > theoretical Samba server infrastructure.
> >
> >   On the same sparc system I also have SunONE DS 5.2 installed, this 
> > has the schema for Samba 3.0.1 successfully loaded. I have created 
> > the idmap OU in the directory and I have configured my smb.conf to 
> > use LDAP for idmap data, file attached. And I have set the LDAP 
> > admin account password with "smbpasswd -w". I have also disabled 
> > nscd from starting up & installed patch 113476-05 which is required 
> > for Solaris 9. I can also see winbindd establishing a connection to 
> > Sun LDAP in its access log.
> >
> >   As I was writing this mail I have noticed that a getent for users 
> > and groups is not displaying any AD users/groups but is exiting with 
> > a status 0, this is despite the fact that wbinfo is correctly 
> > displaying all my AD users/groups!? I can see from a snoop and truss 
> > run on the getent that it is making LDAP calls to the AD DC but it's 
> > not returning anything!?! I have had this running on a Solaris 8 
> > system in my test environment successfully and can't think of 
> > anything I've done differently.
> >
> > If anyone can help I'd greatly appreciate it,
> >
> > 	many thanks Andy.
> >
> > -----Original Message-----
> > From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com]
> > Posted At: 07 January 2004 16:44
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> >
> > Andy,
> >
> > Tell us a bit more, I'm doing a similar thing I think.  I'm not 
> > using Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 
> > box and I'm logging into my Solaris 9.0 machine running winbind, 
> > with my NT username and password which creates an idmap in the 
> > openldap database on the Redhat box....well, that's what it is 
> > supposed to do anyway...it works fine on Redhat, Solaris is proving 
> > to be a little more tricky.
> >
> > Is this what you are doing?
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba at bbc.co.uk]
> > Sent: 07 January 2004 14:23
> > To: samba at lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi John/List,
> >
> > 	I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2 
> > but without any success. I've tried what John T has suggested below 
> > but my idmap OU is still empty (adapted LDAP commands for Sun DS). I 
> > cannot see any errors in either Samba or Sun DS logs, does anyone 
> > have any troubleshooting tips to help work out why this isn't 
> > working?
> >
> > 		many thanks Andy.
> >
> > -----Original Message-----
> > From: samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org
> > [mailto:samba-bounces+pubsyssamba=bbc.co.uk at lists.samba.org]On 
> > Behalf Of John H Terpstra
> > Posted At: 03 January 2004 23:54
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Kent,
> >
> > Did you create the container for the ou=Idmap in your LDAP database? 
> > The IDMAP entries are automatically added to LDAP - IF the container 
> > exists, and so long as Samba can access that database.
> >
> > Also, I suggest you store your machine accounts in the Users 
> > container and not in the Computers container. Samba does not at this 
> > time search the Computers container correctly.
> >
> > Execute the following to find out if your LDAP database has an IDMAP
> > container:
> > 	slapcat | grep -i IDMAP
> >
> >
> > If nothing is returned, execute this:
> >
> > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
> > dn: ou=Idmap,dc=abmas,dc=biz
> > objectClass: organizationalunit
> > ou: idmap
> > structuralObjectClass: organizationalunit
> > EOR
> >
> > Now you must stop samba, delete the winbind*tdb files, restart 
> > samba,
> > run:
> > 	wbinfo -u
> > And that should automatically populate your LDAP IDMAP database.
> >
> > Cheers,
> > John T.
> >
> >
> >
> >
>
>

-- 
John H Terpstra
Email: jht at samba.org

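The container check and ldapadd step that John Terpstra describes in the quoted thread, as an added shell example that is not from the thread or from the Samba project: it reads the two suffix parameters from smb.conf, joins them into the container DN that winbindd will write idmap entries under, emits the matching LDIF, and checks for the container with a base-scope ldapsearch. It assumes OpenLDAP client tools (ldapsearch) and a POSIX sh; the sample smb.conf is constructed from the values in Sapan's configuration above.

```shell
#!/bin/sh
# Added example, not from the thread: derive the idmap container DN from
# smb.conf, emit the LDIF that creates it, and check for it over LDAP.
# Assumes OpenLDAP client tools (ldapsearch) and POSIX sh.

# Print the value of one smb.conf parameter (first match, trimmed).
smb_value() {  # $1 = smb.conf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Full DN of the container winbindd writes to: "ldap idmap suffix"
# is relative to "ldap suffix", so the two must be joined.
idmap_dn() {  # $1 = smb.conf path
    printf '%s,%s\n' "$(smb_value "$1" 'ldap idmap suffix')" "$(smb_value "$1" 'ldap suffix')"
}

# LDIF for the container, equivalent to the ldapadd input quoted in the thread.
idmap_ldif() {  # $1 = container DN, e.g. ou=idmap,dc=example,dc=com
    printf 'dn: %s\nobjectClass: organizationalUnit\nou: %s\n' \
        "$1" "$(printf '%s' "$1" | sed 's/^ou=\([^,]*\).*/\1/')"
}

# Base-scope search for the container; exit status 0 means it exists.
# The bind password is read from a mode-0600 file (-y), not passed with
# -w on the command line, where ps would show it to every local user.
idmap_container_exists() {  # $1 = smb.conf path, $2 = LDAP URI, $3 = password file
    ldapsearch -x -H "$2" -D "$(smb_value "$1" 'ldap admin dn')" -y "$3" \
        -b "$(idmap_dn "$1")" -s base '(objectClass=organizationalUnit)' dn >/dev/null 2>&1
}

# Constructed sample smb.conf (values from the thread) to show the derivation offline.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[global]
   ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
   ldap suffix = dc=uk,dc=trt,dc=thales
   ldap idmap suffix = ou=idmap
   idmap backend = ldap:ldap://lnxs001
EOF
echo "Container DN: $(idmap_dn "$sample_conf")"
idmap_ldif "$(idmap_dn "$sample_conf")"
rm -f "$sample_conf"
```

Run `idmap_container_exists /etc/samba/smb.conf ldap://lnxs001 /root/.ldappw` against the live directory; a non-zero exit means the container is missing and winbindd has nowhere to store mappings.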
