[Samba] where is smbgroupedit and different other questions to Samba & AD
"Markus Schröder"
MSchroeder at dap-pool.com
Tue Jul 6 20:11:41 GMT 2004
Hello List-Friends ;-)
O.K. I am a real beginner, so please don't hurt me ;-)
but I have been working for a few days now to get it running, and Google is my best friend.
I also bought O'Reilly's Samba book and a lot of other online stuff, but AD-Samba-winbind is probably too new.
I use Suse 9.1 and Samba 3.0.4 as an ADS member server.
We have a W2k Advanced Server (and an M$ admin who doesn't (want to) know anything about Linux) in our company as AD-PDC.
You will find my smb.conf / ldap.conf / nsswitch.conf at the end of this mail!
What the Linux server should do:
1. Web server -> login for the webpage/folder and/or WebDAV should be the same as the Active Directory username and password and mapped to the homedir (on Linux)
2. Add new AD users with a CMS (webpage), and also delete them.
3. When new users are added in the AD, I also need a new home folder on the Linux server, so that they exist for the Samba home share
First I want to say that for a Linux beginner it isn't easy to understand the different ways you could use,
and also which .conf file is used by which daemon (seems stupid)... does winbind use the ldap.conf?
Too hard stuff, so I want to use winbind instead of LDAP. LDAP is much more difficult than winbind...
I could test it in a few days with a standalone LDAP server/client solution.
What I've done:
W2k: installed ad4unix to get the new schema there.
Installed SSL cert, added an AD user account with the NetBIOS name as name, but with linux as logon name.
Then exported and transferred the Kerberos keytab to the Linux server.
I could use net ads join without any problems.
winbind works fine, tested with getent passwd, and wbinfo also works.
Kerberos also works; I get my tickets with kinit and klist shows them.
I could reach and access the shares on the Linux server without problems.
But there are several things I don't understand; some hints would be welcome:
log.winbind said:
1. [2004/07/06 21:02:34, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
Failed to parse NTLMSSP packet, could not extract NTLMSSP command
No idea for a solution ;-(
2. [2004/07/06 21:12:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain DAP failed: Invalid credentials
Which username and which password does winbind use for Kerberos auth? Does it take them from the ldap.conf?
3. [2004/07/06 21:15:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist
I think I have to transfer the users and groups from the Linux server to the Active Directory (PDC).
I want to do it with smbgroupedit, but I didn't find it. Why is it not in /usr/bin/?
log.smbd said:
1. [2004/07/06 18:59:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
2. [2004/07/06 20:00:13, 1] smbd/service.c:make_connection_snum(619)
192.168.0.208 (192.168.0.208) connect to service dap-intern initially as user DAP+mschroeder (uid=0, gid=10000) (pid 5550)
I don't understand why the uid=0, and one hour later it shows this (PDC restarted!):
[2004/07/06 21:13:47, 1] smbd/service.c:make_connection_snum(619)
192.168.0.208 (192.168.0.208) connect to service mschroeder initially as user DAP+mschroeder (uid=10005, gid=10000) (pid 5981)
3. [2004/07/06 20:00:28, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [root] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
Same as point 3 in the log.winbind
O.K. I hope there is somebody who could help...
Some words in German:
I would be glad to get to know someone in Germany (NRW) who knows Linux, so that one could talk about it on the phone once in a while (!!!).
I am not looking for someone to solve my problems for me, only someone who can clear up some uncertainties. That simply goes faster on the phone than by mail. As a PC/Windows specialist I of course know what it means to be constantly bothered about all sorts of trivial things.
if I am on the right way,
Kind regards
Markus Schröder
DAP Deutsche Assekuranz Pool GmbH
IT-Support
Berliner Allee 34-36
40212 Düsseldorf
Phone: 0211-13065-122
Fax: 0211-13065-230
Email: mschroeder at dap-pool.de
Private: schroeder at aktiv-bar.de
Tel: 0173-4126516
Smb.conf:
# Global parameters
[global]
workgroup = DAP
realm = DAP.LOCAL
security = ADS
auth methods = winbind
password server = 192.168.0.3
disable spoolss = Yes
show add printer wizard = No
#ldap ssl = start tls
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
use sendfile = Yes
winbind uid = 10000
winbind gid = 10000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
#template shell = /bin/bash
[www]
comment = www-root (@DAP+Domänen-Admins)
path = /srv/www
valid users = @DAP+Domänen-Admins
admin users = @DAP+Domänen-Admins
force user = root
force group = root
read only = No
[homes]
comment = User Home from %U
path = /home/%U
valid users = %S
read only = No
[root]
comment = root (@DAP+Domänen-Admins)
path = /
valid users = @DAP+Domänen-Admins
admin users = @DAP+Domänen-Admins
force user = root
force group = root
read only = No
[dap-intern]
comment = DAP-Mitarbeiter
path = /home/dap-mitarbeiter/
valid users = DAP+@Firma_DAP
admin users = DAP+@Firma_DAP
read only = No
create mask = 0755
[mschroeder]
comment = test privat
path = /home/mschroeder
valid users = DAP+MSchroeder
admin users = DAP-MSchroeder
read only = No
Ldap.conf:
host 192.168.0.3
base dc=DAP,dc=local
ldap_version 3
binddn CN=linux,DC=DAP,DC=local
bindpw xxxx
#port 636
ssl no
scope sub
nss_base_passwd DC=DAP,DC=local
nss_base_shadow DC=DAP,DC=local
nss_base_group DC=DAP,DC=local
nss_map_objectclass posixAccount user
nss_map_attribute uid msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn msSFUName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute uniqueMember member
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ads
pam_filter objectclass=posixAccount
spnego yes
Nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
Where is smbgroupedit ???
#> Dir /usr/bin/smb*
-rwxr-xr-x 1 root root 1427807 Jun 3 03:03 smbcacls
-rwxr-xr-x 1 root root 885616 Jun 3 03:03 smbclient
-rwxr-xr-x 1 root root 620491 Jun 3 03:03 smbcontrol
-rwxr-xr-x 1 root root 1343469 Jun 3 03:03 smbcquotas
-rwxr-xr-x 1 root root 723796 Jun 3 03:02 smbfilter
-rwxr-xr-x 1 root root 1405717 Jun 3 03:02 smbget
-rwxr-xr-x 1 root root 11604 Jun 3 03:03 smbmnt
-rwxr-xr-x 1 root root 736870 Jun 3 03:03 smbmount
-rwxr-xr-x 1 root root 1549492 Jun 3 03:03 smbpasswd
-rwxr-xr-x 1 root root 7841 Feb 24 10:56 smbprngenpdf
-rwxr-xr-x 1 root root 464842 Jun 3 03:03 smbsh
-rwxr-xr-x 1 root root 737581 Jun 3 03:03 smbspool
-rwxr-xr-x 1 root root 624005 Jun 3 03:03 smbstatus
-rwxr-xr-x 1 root root 4896 Apr 6 19:42 smbtar
-rwxr-xr-x 1 root root 811183 Jun 3 03:03 smbtree
-rwxr-xr-x 1 root root 8630 Jun 3 03:03 smbumount