[Samba] where is smbgroupedit and different other questions to Samba & AD

"Markus Schröder" MSchroeder at dap-pool.com
Tue Jul 6 20:11:41 GMT 2004


Hello List-Friends ;-)

 
O.K. I am a real beginner, so please don't hurt me ;-)
but I have been working for a few days now to get it running and Google is my best friend.
I also bought O'Reilly's Samba book and a lot of other online stuff, but AD-Samba-winbind should be too new.
 

I use Suse 9.1 and Samba 3.0.4 as ADS Member Server.
We have a W2k Advanced Server (and an M$ admin who doesn't (want to) know anything about Linux) in our company as AD-PDC.

You will find my smb.conf / ldap.conf / nsswitch.conf at the end of this mail!


What the Linux machine should do:
1. webserver -> login for the webpage/folder and/or WebDAV should be the same as the Active Directory username and password and mapped to the homedir (on Linux)
2. add new AD users with a CMS (webpage) and also delete them.
3. when new users are added in the AD, I also need a new home folder on the Linux machine, so that they exist for the Samba home share
 
 
First I want to say that for a Linux beginner it isn't easy to understand the different ways you could use,
and also which .conf file is used by which daemon (seems stupid)... does winbind use the ldap.conf?

Too hard stuff, so I want to use winbind instead of LDAP. LDAP is much more difficult than winbind...
I could test it in a few days with a standalone LDAP server/client solution.

 
What I've done:
w2k: installed ad4unix to get the new schema there.
Installed SSL cert, added an AD user account with the NetBIOS name as name, but for logon name linux.
Then exported and transferred the Kerberos keytab to the Linux machine.
I could use net ads join without any problems.
 
 
winbind works fine, tested with getent passwd, and wbinfo also works.
Kerberos also works; I get my tickets with kinit and klist shows them.

I could reach and access the shares on the Linux machine without problems.

But there are different things I don't understand; some hints would be welcome:
 
 
 
 
log.winbind said:
 
1.  [2004/07/06 21:02:34, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
  Failed to parse NTLMSSP packet, could not extract NTLMSSP command

No idea for a solution ;-(
 
 

2. [2004/07/06 21:12:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DAP failed: Invalid credentials

Which username and which password does winbind use for Kerberos auth? Does it take them from the ldap.conf?
 

 
3. [2004/07/06 21:15:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist

I think I have to transfer the users and groups from the Linux server to the Active Directory (PDC).
I want to do it with smbgroupedit, but I didn't find it. Why is it not in /usr/bin/?
 


 
log.smbd said:
 
1. [2004/07/06 18:59:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!



2. [2004/07/06 20:00:13, 1] smbd/service.c:make_connection_snum(619)
  192.168.0.208 (192.168.0.208) connect to service dap-intern initially as user DAP+mschroeder (uid=0, gid=10000) (pid 5550)

I don't understand why the uid=0, and one hour later it shows this (PDC restarted!):

[2004/07/06 21:13:47, 1] smbd/service.c:make_connection_snum(619)
  192.168.0.208 (192.168.0.208) connect to service mschroeder initially as user DAP+mschroeder (uid=10005, gid=10000) (pid 5981)



3. [2004/07/06 20:00:28, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [root] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that 

Same as point 3 in the log.winbind


O.K., I hope there is somebody who can help...



Some words in German:

I would be glad to get to know someone in Germany (NRW) who knows Linux, so that one could talk about it on the phone once in a while (!!!).
I am not looking for someone to solve my problems for me, only for someone who can clear up some uncertainties. That is simply quicker on the phone than by mail. As a PC/Windows specialist I naturally know what it means to be constantly pestered about all sorts of little things.


if i am on the right way, 
 
 
Kind regards
 
 
Markus Schröder
DAP Deutsche Assekuranz Pool GmbH
IT-Support
 
Berliner Allee 34-36
40212 Düsseldorf
 
Fon: 0211-13065-122
Fax: 0211-13065-230
Email: mschroeder at dap-pool.de
 
Privat: schroeder at aktiv-bar.de
Tel: 0173-4126516




Smb.conf:
# Global parameters
[global]
	workgroup = DAP
	realm = DAP.LOCAL
	security = ADS
	auth methods = winbind
	password server = 192.168.0.3
	disable spoolss = Yes
	show add printer wizard = No
	#ldap ssl = start tls
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind separator = +
	use sendfile = Yes
	winbind uid = 10000
	winbind gid = 10000
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /home/%U
	#template shell = /bin/bash

[www]
	comment = www-root (@DAP+Domänen-Admins)
	path = /srv/www
	valid users = @DAP+Domänen-Admins
	admin users = @DAP+Domänen-Admins
	force user = root
	force group = root
	read only = No

[homes]
	comment = User Home from %U
	path = /home/%U
	valid users = %S
	read only = No

[root]
	comment = root (@DAP+Domänen-Admins)
	path = /
	valid users = @DAP+Domänen-Admins
	admin users = @DAP+Domänen-Admins
	force user = root
	force group = root
	read only = No

[dap-intern]
	comment = DAP-Mitarbeiter
	path = /home/dap-mitarbeiter/
	valid users = DAP+ at Firma_DAP
	admin users = DAP+ at Firma_DAP
	read only = No
	create mask = 0755

[mschroeder]
	comment = test privat
	path = /home/mschroeder
	valid users = DAP+MSchroeder
	admin users = DAP-MSchroeder
	read only = No






Ldap.conf:

host	192.168.0.3
base	dc=DAP,dc=local
ldap_version	3
binddn CN=linux,DC=DAP,DC=local	
bindpw	xxxx
#port	636
ssl no
scope	sub
nss_base_passwd	DC=DAP,DC=local
nss_base_shadow	DC=DAP,DC=local
nss_base_group	DC=DAP,DC=local

nss_map_objectclass	posixAccount user
nss_map_attribute	uid msSFUName
nss_map_attribute	homeDirectory msSFUHomeDirectory
nss_map_objectclass	posixGroup Group
nss_map_attribute	cn msSFUName
nss_map_attribute	userPassword msSFUPassword
nss_map_attribute	uniqueMember member

pam_filter		objectclass=user
pam_login_attribute	sAMAccountName
pam_password	ads
pam_filter		objectclass=posixAccount
spnego yes



Nsswitch.conf

passwd: 	files winbind	
shadow:	files winbind
group:	files winbind

hosts:	files dns winbind
networks:	files dns

services:	files
protocols:	files
rpc:	files
ethers:	files
netmasks:	files
netgroup:	files
publickey:	files

bootparams:	files
automount:	files nis
aliases:	files




Where is smbgroupedit ???

#> Dir /usr/bin/smb*

-rwxr-xr-x  1 root root 1427807 Jun  3 03:03 smbcacls
-rwxr-xr-x  1 root root  885616 Jun  3 03:03 smbclient
-rwxr-xr-x  1 root root  620491 Jun  3 03:03 smbcontrol
-rwxr-xr-x  1 root root 1343469 Jun  3 03:03 smbcquotas
-rwxr-xr-x  1 root root  723796 Jun  3 03:02 smbfilter
-rwxr-xr-x  1 root root 1405717 Jun  3 03:02 smbget
-rwxr-xr-x  1 root root   11604 Jun  3 03:03 smbmnt
-rwxr-xr-x  1 root root  736870 Jun  3 03:03 smbmount
-rwxr-xr-x  1 root root 1549492 Jun  3 03:03 smbpasswd
-rwxr-xr-x  1 root root    7841 Feb 24 10:56 smbprngenpdf
-rwxr-xr-x  1 root root  464842 Jun  3 03:03 smbsh
-rwxr-xr-x  1 root root  737581 Jun  3 03:03 smbspool
-rwxr-xr-x  1 root root  624005 Jun  3 03:03 smbstatus
-rwxr-xr-x  1 root root    4896 Apr  6 19:42 smbtar
-rwxr-xr-x  1 root root  811183 Jun  3 03:03 smbtree
-rwxr-xr-x  1 root root    8630 Jun  3 03:03 smbumount
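
An added example, not part of the original post: a check of the share definitions in the smb.conf above for settings that hand out root. Samba's `admin users` parameter makes the listed users do all file operations as root, which is consistent with the uid=0 logged for the dap-intern service, while the later uid=10005 line is for the mschroeder service, whose `admin users` entry is written with `-` instead of the configured `+` separator. The sample is a constructed subset of the posted file, `parse_smb_conf` and `audit` are hypothetical helper names, and list values are split on whitespace and commas only.

```python
# Constructed sample: a subset of the smb.conf posted above.
SMB_CONF = """
[global]
    winbind separator = +
[homes]
    path = /home/%U
    read only = No
[root]
    path = /
    admin users = @DAP+Domänen-Admins
    force user = root
    read only = No
[mschroeder]
    path = /home/mschroeder
    admin users = DAP-MSchroeder
    read only = No
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(sections):
    """Return {share: [findings]} for settings that give root-level access."""
    sep = sections.get("global", {}).get("winbind separator", "\\")
    report = {}
    for name, p in sections.items():
        if name == "global":
            continue
        found = []
        if p.get("force user", "").lower() == "root":
            found.append("force user = root")
        for entry in p.get("admin users", "").replace(",", " ").split():
            kind = "domain" if sep in entry else "local, lacks '%s'" % sep
            found.append("admin users: %s (%s) operates as root" % (entry, kind))
        if p.get("path") == "/" and p.get("read only", "yes").lower() == "no":
            found.append("writable export of /")
        report[name] = found
    return report
```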

