[Samba] winbind without localuser account

Geoffrey Scott geoffs at guestshire.com
Thu Jan 12 02:21:15 GMT 2006

Paul Matthews wrote:
> [root at fedora pam.d]# wbinfo -g
> builtin\system operators
> builtin\replicators
> builtin\guests
> builtin\power users
> builtin\print operators
> builtin\administrators
> builtin\account operators
> builtin\backup operators
> builtin\users
> domain guests
> domain users
> domain computers
> etc..., etc...

What does the global section look like?

> i'm running fedora core 3

Everyone seems to have probs with selinux; that's not in core 3, is it?

> i've never used 'getent' before what do i do there?

getent passwd | less

> but i have a local account called 'pma' with the password 'unix' set
> locally and the password 'ads' set on active directory, i can set my
> pam module so i can login with the username 'pma' and password 'ads'.
> so i think my winbind is working fine.

You shouldn't need any local account.  Did you read SBE?  You should have
followed chapter 12.3.1 & 12.3.2, then 7.3.4.  I personally use it like
this though (idmap_rid only allows one AD domain):
[global]
        workgroup = GUESTSHIRE
        server string = Guests_NSW File & Print server
        security = ADS
        allow trusted domains = No
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        printcap name = CUPS
        panic action = /usr/share/samba/panic-action %d
        idmap backend = idmap_rid:GUESTSHIRE=5000-1000000
        idmap uid = 5000-1000000
        idmap gid = 5000-1000000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind nested groups = Yes
        printer admin = "@GUESTSHIRE\Domain Admins"
        printing = cups
        print command =
        lpq command = %p
        lprm command =

[homes]
        comment = Home Directories
        path = /home/%U
        valid users = GUESTSHIRE\%S
        admin users = "@GUESTSHIRE\Domain Admins"
        read only = No
        browseable = No

> ps: i tried that pam module below, same thing happened: i can login
> with my ads password, but i need a local account; without a local
> account it won't let me.
> i'm using squirrelmail and '/etc/pam.d/dovecot' to test it out.

So you put those contents in there then?

> Regards Geoff Scott
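
Added example, not part of the original message: a way to read the `getent passwd` output suggested above, filtering for accounts whose UID falls in the posted `idmap uid` range and checking that the `passwd` database lists `winbind` as an NSS source (which `getent` needs in order to return domain accounts). The sample passwd lines and the account `GUESTSHIRE\jdoe` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Range taken from the posted smb.conf: idmap uid = 5000-1000000
IDMAP_LOW=5000
IDMAP_HIGH=1000000

# Constructed sample of `getent passwd` output: two local accounts, one domain account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pma:x:500:500::/home/pma:/bin/bash
GUESTSHIRE\jdoe:*:6104:5513:J Doe:/home/jdoe:/bin/bash'

# Print "name uid" for every passwd(5)-format line on stdin whose UID is in the idmap range.
mapped_users() {
    awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1, $3 }'
}

# Exit 0 if the nsswitch.conf-format text on stdin lists winbind as a source for database $1.
nss_uses_winbind() {
    awk -v db="$1:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
                     END { exit !ok }'
}

# Query the live system only when asked (sh check.sh live); otherwise use the sample.
if [ "${1:-}" = "live" ]; then
    nss_uses_winbind passwd < /etc/nsswitch.conf \
        || echo "passwd: line in /etc/nsswitch.conf has no winbind source"
    getent passwd | mapped_users
else
    printf '%s\n' "$SAMPLE_PASSWD" | mapped_users
fi
```

An empty result in live mode means no domain account is visible to NSS, which matches the symptom of logins working only when a local account of the same name exists.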
