[Samba] idmap with w2k3 active directory ldap supported?
Aaron Darling
darling at cs.wisc.edu
Wed Jun 2 08:07:03 GMT 2004
Hi folks,
I'm trying to integrate a group of Linux clients into a Windows 2003
Active Directory system using winbind and an LDAP idmap backend.
Whenever I start up winbindd it reports the following to log.winbindd:
[2004/06/02 01:41:45, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain GEL gel.local S-1-5-21-1287777321-1459595337-1044068293
[2004/06/02 02:39:56, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No such file or directory)
wbinfo -u correctly prints the list of domain users, but getent passwd
shows only local unix users. Furthermore, in my log.winbindd I get a
statement like this for every AD user:
[2004/06/02 02:40:51, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-1287777321-1459595337-1044068293-502
[2004/06/02 02:40:51, 1] nsswitch/winbindd_user.c:winbindd_getpwent(563)
could not lookup domain user darling
Do I need to create a special Idmap structure in my Win2003 Active
Directory somehow, or should winbindd create it automatically? Nothing
containing the text "idmap" currently appears in my Win2k3 LDAP.
Also, another strange thing I've noticed is that I can't successfully
remove the machine account from the domain using net ads leave.
Any help getting this problem worked out would be greatly
appreciated -- I've searched Google and the mailing lists to no avail.
Thanks,
Aaron Darling
darling(at)cs.wisc.edu
Details of my setup:
SuSE 9.1, kernel 2.6.4, Samba 3.0.2a, heimdal 0.6.1rc3, windows 2003 PDC
#
# /etc/nsswitch.conf
#
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SuSE
# Date: 2004-04-06
[global]
workgroup = GEL
interfaces = 127.0.0.1 192.168.168.120/24
#begin added by AED
ldap admin dn = cn=Administrator,cn=Users,dc=gel,dc=local
# ldap ssl = start tls
ldap user suffix = ou=Pernalab_site_users,dc=gel,dc=local
# ldap group suffix = cn=Users
ldap machine suffix = cn=Computers
# password server = 192.168.168.50
realm = gel.local
netbios name = mamba
security = ADS
idmap backend = ldap:ldap://192.168.168.50/
ldap idmap suffix = ou=Idmap,dc=gel,dc=local
idmap uid = 10000-20000
idmap gid = 10000-20000
# winbind params
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
# winbind use default domain = yes
winbind enable local accounts = no
wins server = 192.168.168.50
#end added by AED
bind interfaces only = true
printing = cups
printcap name = cups
printer admin = @ntadmin, root, administrator
map to guest = Bad User
#
# /etc/krb5.conf
#
[libdefaults]
clockskew = 300
default_realm = GEL.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
= {
kdc =
kpasswd_server =
}
GEL.LOCAL = {
kdc = 192.168.168.50
admin_server = 192.168.168.50
default_domain = GEL.LOCAL
}
[domain_realm]
.gel.local = GEL.LOCAL
gel.local = GEL.LOCAL
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
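Added example, not part of the original post: a small Python parser for log.winbindd entries of the kind quoted above. It pairs each winbindd_fill_pwent "error getting user id for sid" entry with the winbindd_getpwent "could not lookup domain user" entry that follows it, so the SID-to-uid mappings that the idmap backend failed to supply can be listed per user and checked for whether they all belong to one domain SID. The sample log is constructed here (second user is made up) and the function names are my own.

```python
import re

# Samba 3 log.winbindd layout: a header line
#   [YYYY/MM/DD HH:MM:SS, level] source.c:function(line)
# followed by the message text on the next line(s).
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] \S+:(\w+)\(\d+\)")
SID_RE = re.compile(r"(S-1-5-21(?:-\d+){3})-(\d+)")   # domain SID + RID
USER_RE = re.compile(r"could not lookup domain user (\S+)")

# Constructed sample, modelled on the entries quoted in the post above.
SAMPLE_LOG = """\
[2004/06/02 02:40:51, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1287777321-1459595337-1044068293-502
[2004/06/02 02:40:51, 1] nsswitch/winbindd_user.c:winbindd_getpwent(563)
  could not lookup domain user darling
[2004/06/02 02:40:52, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid
  S-1-5-21-1287777321-1459595337-1044068293-1105
[2004/06/02 02:40:52, 1] nsswitch/winbindd_user.c:winbindd_getpwent(563)
  could not lookup domain user alice
"""

def parse_entries(text):
    """Group a header line and its continuation lines into one dict per entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def idmap_failures(text):
    """Return {username: sid} for every SID winbindd could not map to a uid."""
    failures, pending_sid = {}, None
    for e in parse_entries(text):
        if e["func"] == "winbindd_fill_pwent" and "error getting user id" in e["msg"]:
            m = SID_RE.search(e["msg"])          # SID may sit on a wrapped line
            pending_sid = m.group(0) if m else None
        elif e["func"] == "winbindd_getpwent" and pending_sid:
            m = USER_RE.search(e["msg"])
            if m:
                failures[m.group(1)] = pending_sid
            pending_sid = None
    return failures

def summarize(text):
    """Count failed users and list the domain SIDs they belong to."""
    f = idmap_failures(text)
    domains = {SID_RE.match(s).group(1) for s in f.values()}
    return {"users": len(f), "domains": sorted(domains)}
```

If every failed SID shares the one domain prefix, the lookups reached the domain fine and it is the SID-to-uid allocation step (the idmap backend) that is not answering.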