[Samba] Samba PDC+LDAP+Winbind+Virtual Users/Groups Success
Clay
clayway at excite.com
Wed Jan 28 03:14:33 GMT 2004
Hello All,
I want to thank everyone who reads and responds to this group. You have all
been an invaluable help to me.
I now have a working Samba 3.0.1 LDAP PDC and domain member server using
winbind (both servers are running Slackware 9.1).
I also have virtual users and groups using nss_ldap from www.padl.com,
without PAM and without any users/groups in /etc/passwd or /etc/group -- they
exist only in the LDAP backend.
Everything works great
getent passwd lists the ldap users, getent group lists the groups, wbinfo -u
works, wbinfo -g works...
My only questions are
1. On my domain member server, I have to set passdb backend = smbpasswd;
if I set passdb backend = ldapsam:ldap://frodo instead, winbindd won't
start.
FYI, on the domain member server running winbindd the smbpasswd file is 0 KB,
so nothing is being stored there.
2. I have also read about the idmap backend parameter, which is supposed to
ensure consistent user/group id mappings across different servers
running winbind (please correct me if I am wrong about this),
but if I add this parameter to my smb.conf file, like
idmap backend = ldap:ldap://frodo/, the log complains about not
finding a file called ldap.so
and winbindd again fails to start.
Am I supposed to be running winbindd on the PDC also or just on domain
member server....??
Do I need all the LDAP entries on the domain member server....like on the
PDC??
the results for me anyway are the same in either case ...just curious...
If anyone has any clues into where I am going wrong, please let me know
Below are my two smb.conf files for the PDC and the domain member server....
Once again..thanks for all the help and great work Samba team
Clay
Below is the smb file from the PDC.....
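#======================= Global Settings =====================================
# PDC smb.conf: Samba 3.0.1 with an LDAP passdb backend and an LDAP idmap
# backend. smb.conf accepts both ';' and '#' as full-line comments; in this
# file ';' marks disabled parameters and '#' marks explanatory notes.
# Lines that the mail client had wrapped have been rejoined on one line.
[global]
workgroup = HELMSDEEP
netbios name = FRODO
server string = Samba LDAP Server
# one log per client machine (%m); level 2 is a moderate amount of logging
log file = /usr/local/samba3/var/%m.log
max log size = 50
log level = 2
; username map =/etc/samba/usermap
# no 'hosts allow' is active, so every host that can reach the server may
# connect; re-enable the line below (with the right network) to restrict it
; hosts allow = 10.1.41.0/255.255.255.0
######Printer Stuff
load printers = yes
printing = cups
printcap name = cups
######LDAP Stuff
ldap suffix = dc=hharchitects,dc=com
ldap user suffix = ou=People
# machine accounts live under ou=People; the ou=Computers variant is disabled
ldap machine suffix = ou=People
; ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
# LDAP traffic is unencrypted; acceptable here only because both the passdb
# and idmap URIs below point at the loopback interface (ldap://localhost)
ldap ssl = off
# bind DN for writes; its password is kept in secrets.tdb (smbpasswd -w)
ldap admin dn = cn=Manager,dc=hharchitects,dc=com
ldap delete dn = no
ldap filter = (uid=%u)
ldap idmap suffix = ou=Idmap
# uid/gid mappings are stored in LDAP so other winbind hosts can share them;
# this needs the LDAP idmap module installed (TODO confirm: the member server
# reports a missing ldap.so when the same setting is enabled there)
idmap backend = ldap:ldap://localhost
idmap uid = 20000-30000
idmap gid = 20000-30000
winbind separator = +
######Domain Stuff
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# an empty logon path disables roaming profiles
logon path =
logon drive = H:
logon home = \\%L\%U
local master = yes
domain master = yes
domain logons = yes
dns proxy = no
# served from the [netlogon] share below
logon script = \\%L\netlogon\logon.bat
os level = 33
security = user
preferred master = yes
#######Password stuff
passdb backend = ldapsam:ldap://localhost
; unix password sync = yes
# WARNING: passwd chat debug prints the password chat, including the
# clear-text passwords, to the smbd log at debug level 100. It is harmless
# at 'log level = 2' but should be set to No before raising the log level.
passwd chat debug = Yes
; passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u
; passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
# passwd program / passwd chat are only used when 'unix password sync'
# is enabled, and it is disabled above
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
encrypt passwords = yes
######################################################################
######################User Add Scripts################################
; add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"
# NOTE: this creates machine accounts in the local /etc/passwd via useradd,
# while users and groups are kept in LDAP; the disabled smbldap line above
# would keep machine accounts in the directory as well
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u
add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"
# TODO confirm: every script below calls smbldap-useradd.pl; the smbldap-tools
# suite ships separate userdel/groupadd/groupdel/groupmod/usermod scripts for
# these operations, so check that the options used here actually exist
delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"
add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g"
delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"
add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u "%u" -gid "%g"
#####################################################################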
# per-user home directory shares
[homes]
comment = Home Directories
# keep the share out of browse lists
browseable = no
# 'read only = no' is the inverted synonym of 'writable = yes'
read only = no
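# netlogon share for domain logons; create /home/netlogon on the server and
# place logon.bat (referenced by 'logon script' in [global]) in it.
# The share is read-only and guest-readable so every client can fetch the
# script; who may change it is controlled only by the unix permissions on
# /home/netlogon, so keep that directory writable by administrators only.
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
share modes = no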
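# print queues from 'printcap name = cups' in [global]
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# 'public' is a synonym for 'guest ok', so only one of them is kept;
# anonymous (guest account) clients may print
guest ok = yes
writable = no
printable = yes
# members of the unix/LDAP group 'admins' may administer the printers
printer admin = @admins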
# shared data area; intentionally open to everyone
[public]
comment = Public Stuff
path = /mnt/data
# 'public' is a synonym for 'guest ok': unauthenticated clients (mapped to the
# guest account) can connect, and with 'writable = yes' they can also create
# and modify files under /mnt/data
public = yes
writable = yes
# new files/directories take their permissions from the parent directory
inherit permissions = yes
printable = no
# redundant while writable = yes; it only matters if the share is later
# made read only, in which case members of 'everyone' keep write access
write list = @everyone
This is the smb file from the winbind domain member server
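# 11.22.03 cbk - remarked winbind templates
# Global parameters
# Domain member smb.conf (security = domain) running winbindd.
# smb.conf accepts both ';' and '#' as full-line comments; in this file ';'
# marks disabled parameters and '#' marks explanatory notes.
# Lines that the mail client had wrapped have been rejoined on one line
# (TODO confirm the exact spacing of the passwd chat string).
[global]
workgroup = HELMSDEEP
netbios name = WINBINDTEST
# passwd program / passwd chat are only used when 'unix password sync'
# is enabled, and it is disabled below
passwd program = /usr/bin/passwd %u
; unix password sync = Yes
;trying 01.09.03
# the local smbpasswd file stays empty on a domain member; the ldapsam
# alternative below stopped winbindd from starting
passdb backend = smbpasswd
; passdb backend = ldapsam:ldap://frodo;smbpasswd
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*
# NOTE: update encrypted is a migration aid that only works together with
# 'encrypt passwords = no'; it has no effect with the setting below
update encrypted = Yes
; name resolve order = wins bcast hosts lmhosts
encrypt passwords = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; wins server = 10.1.41.2
max log size = 50
# WARNING: passwd chat debug prints the password chat, including clear-text
# passwords, to the log at debug level 100; set it to No before the log
# level is ever raised that high
passwd chat debug = Yes
server string = Samba Server %v
# log level 10 is a troubleshooting setting: it produces very large logs
# (rotated at 'max log size') that record details of every session; lower it
# once winbind is working
log level = 10
log file = /usr/local/samba/var/log.%m
# authenticate against the domain; '*' lets Samba locate the domain
# controllers itself
security = domain
password server = *
nt acl support = yes
# users of the server's own domain can be written without the DOMAIN+ prefix
winbind use default domain = Yes
dos filetimes = yes
######LDAP Stuff
# NOTE: with 'passdb backend = smbpasswd' and the LDAP idmap backend disabled
# (see below), these ldap parameters are currently unused. If the idmap line
# is re-enabled against the remote host, 'ldap ssl = off' would send the
# admin dn bind unencrypted over the network.
ldap suffix = dc=hharchitects,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=People
; ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = off
ldap admin dn = cn=Manager,dc=hharchitects,dc=com
ldap delete dn = no
ldap filter = (uid=%u)
ldap idmap suffix = ou=Idmap
##Winbind Information
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# shared LDAP idmap is disabled; enabling it failed with a missing ldap.so
; idmap backend = ldap:ldap://10.1.41.102/
# same ranges as the PDC so the ids agree once the idmap backend is shared
idmap uid = 20000-30000
idmap gid = 20000-30000
# 'winbind uid' / 'winbind gid' are the older names for the idmap ranges
# (TODO confirm for 3.0.1); kept disabled with the same 20000-30000 range
;winbind uid = 20000-30000
;winbind gid = 20000-30000
# allow enumeration of winbind users and groups
# might need to disable these next two for performance
# reasons on the winbindd host
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
template homedir = /home/%D/%U
template shell = /bin/bash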
# project share on the domain member
[jobs]
comment = Project Directory
path = /mnt/test
# 'writable = yes' is the inverted synonym of 'read only = no'
writable = yes
nt acl support = yes
# new files/directories take their permissions from the parent directory
inherit permissions = yes
# oplock tuning for Access databases is left disabled
; veto oplock files = /*.mdb/*.MDB/
; oplocks = No
; level2 oplocks = No
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.554 / Virus Database: 346 - Release Date: 12/20/2003