[Samba] Windows AD w/ Windows Services for Unix?

[Doug VanLeuven]

Jason Gerfen wrote:
> Doug VanLeuven wrote:
> 
>> Jason Gerfen wrote:
>>
>>> I can authenticate users on a default setup of Windows 2000 using 
>>> 'Security = ADS'.  However if I install Windows Services for Unix 
>>> (http://www.microsoft.com/windowsserversystem/sfu/productinfo/features/default.mspx) 
>>> I am not able to authenticate or view users from different 
>>> Organizational Units in the default domain.  ???
>>>
>>
>> With a 2000 or 2003 Windows AD controller, I've run SFU 3.0 & 3.5 on both
>> client and server without side effects.
>> I use:
>> winbind nss info = template sfu
>> security = ADS
>> winbind trusted domains only = yes
>> idmap backend = ad
>>
>> on the samba member servers.
>>
>> Perhaps you mean you're running samba PDC and using SFU on a client
>> workstation?  In that case, I would assume, for it to work, you
>> would need to run an ldap backend and extend the schema for SFU.
>> Then fill out the unix values.
>>
>> Anyone ever done that?
>>
>> Regards, Doug
> 
> 
> Odd, I attempted your suggestions:
> 
> %>  testparm
> Load smb config files from /etc/samba/smb.conf
> Unknown parameter encountered: "winbind nss info"
> Ignoring unknown parameter "winbind nss info"

You must be using an older version of samba.  I don't recall exactly when
that was introduced.  Somewhere around 3.0.14 maybe.  Probably wouldn't
find the "ad" loadable module either.  They came in at the same time.

> The first scenario is correct, a ROLE_DOMAIN_MEMBER that authenticates 
> file shares using nsswitch and winbind against the Windows 2000 domain.

Prior to the XAD idmap_ad being pushed into samba, I compiled it and
included it myself on older versions (and had to patch it too).
Prior to samba 3.0 I was using SFU to export NFS shares on windows
servers using user and group mapping.  Unix had NIS then LDAP for auth.
Only way I made the SFU/NIS/LDAP work with samba.  You'll need to get current.

Regards, Doug