[Samba] Winbind - Windows 2000 AD group filtering
James Sweet
James.Sweet at fone-logistics.co.uk
Thu Feb 16 17:09:40 GMT 2006
Hey all
I'm currently trying to use squid and samba/winbind to filter internet access based on groups in a Windows 2000 Active Directory domain. I'm running Mandrake 10.1 Community and samba 3.0.10 installed from rpm.
Following the directions in the samba manual for setting up winbind I have:
- configured nsswitch.conf
- checked to see if the libnss_winbind.so library is there
- checked to see if the symbolic link was there
- added relevant lines to the smb.conf as described in the manual
- Joined domain successfully
I can use wbinfo to check the shared secret and get a listing of users and groups from the domain. But when I use getent passwd and getent groups it only shows local users and groups on the Linux machine and not those from the Windows domain as well. Is there a command I have to use to synchronise users and groups so I can get a unified listing on the Linux box?
********************************************
My Smb.conf
[Global]
Workgroup = MYDOMAIN
netbiosname = squidtest
security = DOMAIN
# Domain Stuff
winbind separator = \
idmap uid = 30000-40000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/MYDOMAIN/%U
winbind use default domain = yes
obey pam restrictions = yes
password server = MYPASSWORDSERVER
encrypt passwords = yes
[Share 1]
path = /home/jim
comment = Jim's Home Folder
public = yes
**********************************************
Also, this appears in my /var/log/samba/log.winbindd log every time I start samba/winbind.
[2006/02/10 11:06:35, 1] nsswitch/winbindd.c:main(864)
winbindd version 3.0.10 started.
Copyright The Samba Team 2000-2004
[2006/02/10 11:06:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
winbindd: idmap uid range missing or invalid
[2006/02/10 11:06:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
winbindd: cannot continue, exiting.
[2006/02/10 11:06:35, 1] nsswitch/winbindd.c:main(897)
Could not init idmap -- netlogon proxy only
I have also noted that from messing about with wbinfo switches I can get listings of groups for a particular user on the domain. I then remove that user from one of the groups they belong to on the domain controller and run the same command again, and it doesn't show a different list of groups. I am confused, as this must mean it's looking at user and group data locally on the Linux box as it shows old data, but when I run getent passwd and getent group it still comes back with only the Linux users and groups.
Are there any configuration options I have not set up in my smb.conf, or am I missing something else?
Thanks in advance
James
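
An added configuration check, not part of the original message and not Samba code: smb.conf(5) says a line ending in a backslash is continued on the next line, so the `winbind separator = \` line in the posted file absorbs the `idmap uid` line that follows it, which matches the "idmap uid range missing or invalid" log entry. The parser below is a simplified model of that rule (section names are ignored), and the embedded sample is constructed from the posted [Global] lines.

```python
import re

# Constructed sample: lines copied from the [Global] section in the post.
POSTED_SMB_CONF = r"""[Global]
Workgroup = MYDOMAIN
security = DOMAIN
winbind separator = \
idmap uid = 30000-40000
idmap gid = 30000-40000
winbind enum users = yes
"""

def join_continuations(text):
    """Merge each line ending in a backslash with the line after it."""
    logical, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]      # drop the backslash, keep reading
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)
    return logical

def parse_params(text):
    """Return {normalized parameter name: value} for the whole file."""
    params = {}
    for line in join_continuations(text):
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Samba compares parameter names ignoring case and whitespace.
        params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def lint_idmap(text):
    """Return (params, list of idmap range parameters missing or malformed)."""
    params = parse_params(text)
    problems = []
    for key in ("idmapuid", "idmapgid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(key)
    return params, problems
```

Backslash is already the default winbind separator, so removing that line or choosing a different separator character leaves the `idmap uid` line to be parsed on its own.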