[Samba] Samba and trusted domains
Michael Gasch
gasch at eva.mpg.de
Mon Jul 3 14:32:24 GMT 2006
if you're running winbindd there's no need to run nscd.
it's a common problem and you should really avoid using it, unless you
have a real reason.
disable it and run id again
greez
Nir Barkan wrote:
> Nscd is running
>
> This is my nsswitch.conf:
>
> # /etc/nsswitch.nis:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # uses NIS (YP) in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files winbind nis
> group: files winbind nis
>
> # consult /etc "files" only if nis is down.
> hosts: files nis dns
> ipnodes: files
> # Uncomment the following line and comment out the above to resolve
> # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
> # IPv4 addresses are searched in all of the ipnodes databases before
> # searching the hosts databases. Before turning this option on, consult
> # the Network Administration Guide for more details on using IPv6.
> #ipnodes: nis [NOTFOUND=return] files
>
> networks: nis [NOTFOUND=return] files
> protocols: nis [NOTFOUND=return] files
> rpc: nis [NOTFOUND=return] files
> ethers: nis [NOTFOUND=return] files
> netmasks: nis [NOTFOUND=return] files
> bootparams: nis [NOTFOUND=return] files
> publickey: nis [NOTFOUND=return] files
>
> netgroup: nis
>
> automount: files nis
> aliases: files nis
>
> # for efficient getservbyname() avoid nis
> services: files nis
> sendmailvars: files
> printers: user files nis
>
> auth_attr: files nis
> prof_attr: files nis
> project: files nis
> project: files nis
>
> -----Original Message-----
> From: Michael Gasch [mailto:gasch at eva.mpg.de]
> Sent: Monday, July 03, 2006 4:06 PM
> To: Nir Barkan
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
>
> > When running the id command, nothing written on the winbind debug
> looks like a prob with NSS and winbindd...
> what looks your nsswitch.conf like?
> do you use nscd?
>
> greez
>
> Nir Barkan wrote:
>> id EU15\\test1
>>
>> gives:
>>
>> id: invalid user name: "EU15\test1"
>>
>> When running the id command, nothing written on the winbind debug
>>
>> Nir
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>> Sent: Monday, July 03, 2006 2:31 PM
>> To: Nir Barkan
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> looks good, but the log isn't very informative.
>>
>> what does now "id EU15\\test1" on the member server say?
>> winbindd has to allocate an uidnumber for this user.
>>
>> greez
>>
>>
>>
>> Nir Barkan wrote:
>>> Now I don't have idmap errors, but the user from the trusted domain still
>>> can't connect, this is what the debug logs when the user from the trusted
>>> domain tries to connect:
>>>
>>> Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 8520]: Get DC name for EU15
>>> cm_get_ipc_userpass: No auth-user defined
>>> Doing spnego session setup (blob length=122)
>>> got OID=1 2 840 48018 1 2 2
>>> got OID=1 2 840 113554 1 2 2
>>> got OID=1 2 840 113554 1 2 2 3
>>> got OID=1 3 6 1 4 1 311 2 2 10
>>> got principal=eur-dc04-lon$@WINEUR.EU15.COM
>>> Doing kerberos session setup
>>> Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind
>>> request returned ok.
>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind
>>> request returned ok.
>>> lsa_io_sec_qos: length c does not match size 8
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>> Sent: Monday, July 03, 2006 1:19 PM
>>> To: Nir Barkan
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> for trusted domains to work you have to use either tdbsam or ldap
>>> backend. don't know whether ad works, though.
>>>
>>> this should work for you:
>>> # idmap backend = # please comment out for tdbsam
>>> idmap uid = 10000-100000
>>> idmap gid = 10000-100000
>>> winbind use default domain = Yes # your choice
>>> winbind trusted domains only = no # must
>>> allow trusted domains = yes # must
>>>
>>>
>>> greez
>>>
>>>
>>> Nir Barkan wrote:
>>>> I tried all the combinations on the "idmap backend" line and still have
>>>> errors.
>>>>
>>>> What is the exact "idmap backend" line that I should add to my smb.conf file
>>>> when "ITGIL" = my domain and "EU15" = my trusted domain?
>>>>
>>>> Thanks,
>>>>
>>>> Nir
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>>> Sent: Monday, July 03, 2006 11:22 AM
>>>> To: Nir Barkan
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>> :)
>>>>
>>>> > idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>> this is not correct semantic ;)
>>>>
>>>> example:
>>>> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>>>>
>>>> this should work
>>>>
>>>> greez
>>>>
>>>>
>>>> Nir Barkan wrote:
>>>>> I added the idmap backend to my smb.conf as you suggested
>>>>>
>>>>>
>>>>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>>
>>>>> I get the following (on the winbind debug):
>>>>>
>>>>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>>>>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1: ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed: No such file or directory
>>>>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>>>>> Could not init idmap -- netlogon proxy only
>>>>>
>>>>> The idmap directory exists; do I need to run something manually?
>>>>>
>>>>> P.S
>>>>>
>>>>> ITGIL = my domain
>>>>> EU15 = my trusted domain
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nir
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>>>> Sent: Sunday, July 02, 2006 9:46 PM
>>>>> To: Nir Barkan
>>>>> Cc: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>
>>>>> you should do something like
>>>>>
>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>>>> as i already wrote in a posting before. this won't work with idmap_rid,
>>>>> but with all other backends.
>>>>> i think you can stay with "winbind trusted domains only".
>>>>>
>>>>> you should also run winbindd in interactive mode and debug level 3.
>>>>> then you should see something like "init idmap backend for DOMAIN
>>>>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>>>>
>>>>> greez
>>>>>
>>>>>
>>>>> Nir Barkan wrote:
>>>>>> Id test1 not working
>>>>>>
>>>>>> Wbinfo -u return DomainName username (EUROPE test1)
>>>>>>
>>>>>> The user is from trusted domain
>>>>>>
>>>>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 on my
>>>>>> smb.conf, Do I need to define something more?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Nir
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>>>>> Sent: Friday, June 30, 2006 4:12 PM
>>>>>> To: Nir Barkan
>>>>>> Cc: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>
>>>>>> > Id test1 not working
>>>>>> but wbinfo -u shows it?
>>>>>> if so you have a problem with mapping samba accounts to unix accounts.
>>>>>> is it a user from a trusted domain (to get back to the thread title)?
>>>>>>
>>>>>> > My dc is windows 2003 DC, do I need to install something on it?
>>>>>> no
>>>>>>
>>>>>> greez
>>>>>>
>>>>>> Nir Barkan wrote:
>>>>>>
>>>>>>> Id test1 not working
>>>>>>>
>>>>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>>>>> results.
>>>>>>>
>>>>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>>>>
>>>>>>> P.S
>>>>>>>
>>>>>>> Thanks much for your help :-)
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>>>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>>>>> To: Nir Barkan
>>>>>>> Cc: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>>
>>>>>>>
>>>>>>>> "Id <username_from_local_domain_without_prefix_domainname" give me the user
>>>>>>>> uid and gid.
>>>>>>> good
>>>>>>>
>>>>>>> some further questions:
>>>>>>> - does "id test1" work?
>>>>>>> - why did you set "winbind trusted domains only = Yes"
>>>>>>>
>>>>>>> for trusted domains to work, you have to use winbind on your DC.
>>>>>>> furthermore on each member server you have to specify an idmap range for
>>>>>>> each domain, like
>>>>>>>
>>>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>>>>
>>>>>>> greez
>>>>>>>
>>>>>>>
>>>>>>>
>
--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399
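An added example, not code from the thread or from Samba: a small POSIX sh checker for the two things Michael's advice keeps coming back to, whether passwd/group in nsswitch.conf are routed through winbind (with nscd not caching in front of winbindd) and whether the smb.conf idmap ranges are well formed. The file contents, the mktemp path and the use of pgrep for the nscd check are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): checks for nsswitch/winbind and idmap ranges.

# nss_sources DB FILE: print the source list for database DB (e.g. passwd)
nss_sources() {
    awk -v db="$1" '
        /^[ \t]*#/ { next }                     # skip comment lines
        { sub(/#.*/, ""); sub(/:/, " ") }       # drop trailing comment, detach "db:"
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}
# nss_has_winbind DB FILE: succeed only if winbind is listed for DB
nss_has_winbind() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = winbind ] && return 0
    done
    return 1
}
# smb_param FILE NAME: print the value of parameter NAME from an smb.conf-style file
smb_param() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        (i = index($0, "=")) > 0 {
            k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == name) {
                v = substr($0, i + 1); sub(/[ \t]*[#;].*/, "", v)   # strip trailing comment
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}
# idmap_range_ok LOW-HIGH: succeed only for a numeric range with LOW < HIGH
idmap_range_ok() {
    case "$1" in ""|-*|*-|*-*-*|*[!0-9-]*) return 1 ;; esac
    [ "${1%-*}" -lt "${1#*-}" ]
}

# Constructed sample files modelled on the thread (not the poster's real ones)
tmp=$(mktemp -d)
printf '%s\n' '# comment' 'passwd: files winbind nis' 'group: files winbind nis' \
    'hosts: files nis dns   # no winbind here' > "$tmp/nsswitch.conf"
printf '%s\n' '[global]' '  idmap uid = 10000-2000   # inverted range' \
    '  idmap gid = 10000-20000' '  winbind trusted domains only = no  # must' > "$tmp/smb.conf"
for db in passwd group hosts; do
    nss_has_winbind "$db" "$tmp/nsswitch.conf" && echo "$db: via winbind" || echo "$db: winbind missing"
done
for p in 'idmap uid' 'idmap gid'; do
    idmap_range_ok "$(smb_param "$tmp/smb.conf" "$p")" && echo "$p: ok" || echo "$p: bad range"
done
# nscd in front of winbindd hides its answers; report whether it is running (pgrep assumed)
pgrep -x nscd >/dev/null 2>&1 && echo "nscd is running: stop it while winbindd serves NSS" || echo "nscd not running"
```

Run it against the real /etc/nsswitch.conf and smb.conf by pointing the function arguments at those paths instead of the constructed files.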