[Samba] Windows 2000 AD group filtering with winbind

James Sweet James.Sweet at fone-logistics.co.uk
Mon Feb 20 10:37:31 GMT 2006


Hey all
I'm currently trying to use squid and winbind to filter internet access based on groups in a Windows 2000 Active Directory domain. I'm running Mandrake 10.1 Community and samba 3.0.10 installed from rpm.

Following the directions in the samba manual for setting up winbind I have:

- configured nsswitch.conf

- checked to see if the libnss_winbind.so library is there

- checked to see if the symbolic link was there

- added relevant lines to the smb.conf as described in the manual

- Joined domain successfully

I can use wbinfo to check the shared secret and get a listing of users and groups from the domain. But when I use getent passwd and getent groups it only shows local users and groups on the Linux machine and not those from the Windows domain as well. Is there a command I have to use to synchronise users and groups so I can get a unified listing on the Linux box?

********************************************
My Smb.conf

[Global]

        Workgroup = MYDOMAIN
        netbiosname = squidtest
        security = DOMAIN

#       Domain Stuff

        winbind separator = \
        idmap uid = 30000-40000
        idmap gid = 30000-40000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/MYDOMAIN/%U

        winbind use default domain = yes
        obey pam restrictions = yes
        password server = MYPASSWORDSERVER
        encrypt passwords = yes

[Share 1]

        path = /home/jim
        comment = Jim's Home Folder
        public = yes

**********************************************

Also, this appears in my /var/log/samba/log.winbindd log every time I start samba/winbind.


[2006/02/10 11:06:35, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.10 started.
  Copyright The Samba Team 2000-2004
[2006/02/10 11:06:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
  winbindd: idmap uid range missing or invalid
[2006/02/10 11:06:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
  winbindd: cannot continue, exiting.
[2006/02/10 11:06:35, 1] nsswitch/winbindd.c:main(897)
  Could not init idmap -- netlogon proxy only

I have also noted that from messing about with wbinfo switches I can get listings of groups for a particular user on the domain. I then remove that user from one of the groups they belong to on the domain controller and run the same command again, and it doesn't show a different list of groups. I am confused, as this must mean it's looking at user and group data locally on the Linux box, as it shows old data, but when I run getent passwd and getent group it still comes back with only the Linux users and groups.

Are there any configuration options I have not set up in my smb.conf, or am I missing something else?


Thanks in advance
James
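
smb.conf(5) states that a line ending in a backslash is continued on the next line. The following added example (not part of the original post and not Samba's parser; a simplified model of that rule, with `logical_lines`, `norm` and `parse` as hypothetical helper names) applies it to an excerpt of the [Global] section quoted above and reports which parameters remain set, as one way to check the configuration against the "idmap uid range missing or invalid" log line:

```python
# Added example: simplified model of smb.conf(5) line continuation, not Samba code.
SAMPLE = r"""
[Global]
        Workgroup = MYDOMAIN
        security = DOMAIN
        winbind separator = \
        idmap uid = 30000-40000
        idmap gid = 30000-40000
        winbind enum users = yes
"""  # excerpt of the [Global] section quoted in the post

def logical_lines(text):
    """Yield (first_line_no, joined_text, physical_line_count) per logical line."""
    pending, start, count = "", 0, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if count == 0:
            start = no
        count += 1
        line = raw.rstrip()
        if line.endswith("\\"):          # trailing backslash: join with next line
            pending += line[:-1]
            continue
        yield start, pending + line, count
        pending, count = "", 0
    if count:                            # file ended on a continued line
        yield start, pending, count

def norm(name):
    # Parameter names are compared ignoring case and whitespace.
    return "".join(name.lower().split())

def parse(text):
    params, swallowed = {}, []
    for no, line, count in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":   # blank, comment, section header
            continue
        name, _, value = stripped.partition("=")
        params[norm(name)] = value.strip()
        if count > 1:                    # this value absorbed following line(s)
            swallowed.append((no, norm(name), value.strip()))
    return params, swallowed

if __name__ == "__main__":
    params, swallowed = parse(SAMPLE)
    for no, name, value in swallowed:
        print(f"line {no}: '{name}' continues onto the next line -> {value!r}")
    for wanted in ("idmapuid", "idmapgid"):
        print(wanted, "=", params.get(wanted, "<not set>"))
```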


