[Samba] idmap backend, LDAP & Windows AD
Yanick Quirion
YQuirion at tranzyme.com
Thu Feb 9 14:09:32 GMT 2006
Dear all,
For a couple of weeks I have been trying to configure Samba to get UIDs & GIDs
from Windows 2003 AD. I read the Samba documentation & HOWTO, but it is still
not working.
Here are the tasks I've performed:
- I installed SFU on my Windows 2003 Server
- I configured /etc/samba/smb.conf:
# Global parameters
[global]
workgroup = TOTO
netbios name = VENUS
encrypt passwords = yes
obey pam restrictions = No
pam password change = No
interfaces = eth0 10.1.0.0/16
wins server = 10.1.2.4
domain master = no
local master = no
preferred master = no
server string = VENUS Samba Services
lock directory = /var/lib/samba
load printers = no
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
username map = /etc/samba/smbusers
admin users = @"Domain Admins"
#### ACTIVE DIRECTORY
realm = TOTO.COM
security = ADS
log level = 1 ads:10 auth:10 sam:10 rpc:10
winbind separator = +
ldap admin dn = cn=Administrator,dc=TOTO,dc=COM
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes
ldap suffix = dc=TOTO,dc=COM
idmap backend = ldap:ldap://ads-tst.toto.com <-- THIS IS THE IP OF MY WINDOWS 2003 SRV 10.1.3.9
idmap uid = 150000-550000
idmap gid = 150000-550000
#idmap backend = ldap:ldap://127.0.0.1
# ldap user suffix = ou=Sherbrooke
# ldap machine suffix = ou=Computers
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = Yes
winbind nss info = template, sfu
#winbind use default domain = yes
template shell = /bin/bash
template homedir = /u/%D/%U
winbind cache time = 5
- I configured /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TOTO.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TOTO.COM = {
kdc = ads-tst.toto.com <-- THIS IS THE NAME OF MY WINDOWS SERVER (10.1.3.9)
default_domain = toto.com
}
[domain_realm]
.toto.com = TOTO.COM
toto.com = TOTO.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
- I configured /etc/ldap.conf
host 10.1.3.9 <-- THIS IS THE IP OF MY WINDOWS SERVER 2003
base dc=toto,dc=com
binddn cn=Administrator,dc=toto,dc=com
bindpw password
pam_password exop
nss_base_passwd ou=People,dc=toto,dc=com?one
nss_base_shadow ou=People,dc=toto,dc=com?one
nss_base_group ou=Groups,dc=toto,dc=com?one
ssl no
- I configured nss_ldap-248 and installed it:
./configure --enable-rfc2307bis --enable-schema-mapping
make install
- I joined my Samba server to my Windows 2003 server (it worked fine):
root# net ads join -UAdministrator%password
Using short domain name -- TOTO
Joined 'VENUS' to realm 'TOTO.COM'
- I modified the file /etc/nsswitch.conf as follows:
passwd: files ldap
shadow: files ldap
group: files ldap
- I stored the LDAP password (Windows 2003) in the secrets.tdb file:
smbpasswd -w password
Now, when I start winbind, I get the following errors:
Feb 9 08:58:29 venus winbindd[21018]: [2006/02/09 08:58:29, 0] lib/debug.c:debug_lookup_classname(352)
Feb 9 08:58:29 venus winbindd[21018]: debug_lookup_classname(ads): Unknown class
Feb 9 08:58:29 venus winbindd[21018]: [2006/02/09 08:58:29, 0] lib/debug.c:debug_lookup_classname(352)
Feb 9 08:58:29 venus winbindd[21018]: debug_lookup_classname(rpc): Unknown class
Feb 9 08:58:30 venus winbindd[21018]: [2006/02/09 08:58:30, 0] lib/smbldap.c:smbldap_connect_system(890)
Feb 9 08:58:30 venus winbindd[21018]: failed to bind to server ldap://ads-tst.toto.com with dn="cn=Administrator,dc=TOTO,dc=COM" Error: Invalid credentials
Feb 9 08:58:30 venus winbindd[21018]: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Feb 9 08:58:45 venus winbindd[21018]: [2006/02/09 08:58:45, 0] sam/idmap.c:idmap_init(146)
Feb 9 08:58:45 venus winbindd[21018]: idmap_init: failed to initialize remote backend!
If I run wbinfo -u and wbinfo -g, I get the lists from AD:
[venus]:/# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
ADS-TST$
krbtgt
yquirion
toto
venus$
[venus]:/# wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
sinfsyst
If I try this command: chown toto nss_ldap-248/
chown: `toto': invalid user
If I try getent passwd, I get the following errors in syslog:
Feb 9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server ldap://10.32.3.9: Invalid credentials
Feb 9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server ldap://10.32.3.9: Invalid credentials
Feb 9 09:03:57 venus getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 9 09:04:01 venus getent: nss_ldap: failed to bind to LDAP server ldap://10.32.3.9: Invalid credentials
Feb 9 09:04:01 venus getent: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 9 09:04:09 venus getent: nss_ldap: failed to bind to LDAP server ldap://10.32.3.9: Invalid credentials
Feb 9 09:04:09 venus getent: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Can somebody tell me what I'm doing wrong? My first goal is to have the
same UIDs & GIDs from my Active Directory on all my Linux/Samba
systems.
Thank you everybody for your help.
Best Regards,
Yanick
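Added example (not code from the original post, nor from Samba or nss_ldap): a small Python triage script for exactly the two kinds of syslog line shown in the post. It parses winbindd's smbldap bind failure together with the AD "AcceptSecurityContext error, data NNN" sub-code logged right after it, and nss_ldap's own "failed to bind" lines, then maps the sub-code to its meaning. The sub-code table is the standard set AD returns on a rejected simple bind: 525 is "user not found", i.e. the bind DN does not exist as an object, while 52e is the code for a wrong password (in a default domain the built-in Administrator object lives under cn=Users, not directly under the domain root). A second function reads an nss_ldap-style ldap.conf and flags settings that expose the bind credential. The sample log lines are copied from the post with wrapped lines rejoined; the regular expressions, function names and the constructed 52e lines in the test are this example's own.

```python
"""Triage LDAP bind failures from winbindd / nss_ldap syslog lines and flag
ldap.conf settings that expose the bind credential.

Added example: not code from the original post or from Samba/nss_ldap.
The AD sub-code table is the standard AcceptSecurityContext set; the
sample lines below are copied from the post (wrapped lines rejoined).
"""
import re

# Sub-codes AD puts in "data NNN" when a simple bind is rejected.
AD_BIND_DATA = {
    "525": "user not found (bind DN does not exist)",
    "52e": "invalid credentials (DN exists, wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# Matches both winbindd's smbldap wording and nss_ldap's wording.
BIND_FAIL_RE = re.compile(
    r"failed to bind to (?:LDAP )?server\s+"
    r"(?P<url>ldap[si]?://[^\s:]+(?::\d+)?)"
    r'(?:\s+with dn="(?P<dn>[^"]+)")?'
)
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")


def triage(lines):
    """Return one record per bind failure: source program, server URL, bind DN
    (None when the daemon does not log it), and the AD sub-code plus meaning
    if a following line from the same process carries one."""
    events, last_by_proc = [], {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["prog"], m["pid"])
        b = BIND_FAIL_RE.search(m["msg"])
        if b:
            ev = {"source": m["prog"], "url": b["url"], "dn": b["dn"],
                  "data": None, "cause": "bind rejected (no AD sub-code logged)"}
            events.append(ev)
            last_by_proc[key] = ev
            continue
        d = DATA_RE.search(m["msg"])
        if d and key in last_by_proc:  # sub-code belongs to that process's last failure
            code = d["data"].lower()
            last_by_proc[key].update(
                data=code, cause=AD_BIND_DATA.get(code, "unknown AD sub-code"))
    return events


def check_ldap_conf(text):
    """Flag nss_ldap ldap.conf settings that expose the bind credential."""
    kv = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        kv[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    findings = []
    if "bindpw" in kv and kv.get("ssl", "no").lower() in ("no", "off"):
        findings.append("ssl no + bindpw: the password crosses the network in cleartext on every lookup")
    if re.match(r"(?i)cn=administrator,", kv.get("binddn", "")):
        findings.append("binddn is the domain Administrator; use a read-only lookup account")
    if "bindpw" in kv:
        findings.append("bindpw in ldap.conf is readable by every local user "
                        "(nss_ldap needs the file world-readable); prefer rootbinddn + /etc/ldap.secret")
    return findings


# Constructed sample: lines copied from the post, wrapped lines rejoined.
SAMPLE_LOG = [
    'Feb 9 08:58:30 venus winbindd[21018]: failed to bind to server ldap://ads-tst.toto.com with dn="cn=Administrator,dc=TOTO,dc=COM" Error: Invalid credentials',
    "Feb 9 08:58:30 venus winbindd[21018]: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece",
    "Feb 9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server ldap://10.32.3.9: Invalid credentials",
    "Feb 9 09:03:57 venus getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...",
    "Feb 9 09:04:01 venus getent: nss_ldap: failed to bind to LDAP server ldap://10.32.3.9: Invalid credentials",
]
SAMPLE_LDAP_CONF = """\
host 10.1.3.9
base dc=toto,dc=com
binddn cn=Administrator,dc=toto,dc=com
bindpw password
pam_password exop
ssl no
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev['source']:9} {ev['url']:28} dn={ev['dn']} -> {ev['cause']}")
    for f in check_ldap_conf(SAMPLE_LDAP_CONF):
        print("ldap.conf:", f)
```

What the config check flags is the part worth acting on regardless of the idmap problem: with `ssl no` the simple bind sends the Administrator password in cleartext on every name lookup, and because nss_ldap's ldap.conf has to be readable by every process that resolves names, a `bindpw` placed there is readable by every local user. A dedicated read-only lookup account, LDAPS or start_tls, and `rootbinddn` with the password in /etc/ldap.secret (mode 0600) keep the domain Administrator credential out of that path.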