[Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

Marcos mczueira at yahoo.com.br
Thu Jul 3 17:20:18 GMT 2008 

Hi,

did you try using nis instead of winbind ???
i'm saying that because you are using MS Identity Management for Unix and this provides a nis server. this would provide you the same UIDs and GIDs on all machines.

Marcos.


--- Em sex, 27/6/08, Samba-Liste <samba at admindu.de> escreveu:

> De: Samba-Liste <samba at admindu.de>
> Assunto: [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
> Para: "samba" <samba at lists.samba.org>
> Data: Sexta-feira, 27 de Junho de 2008, 8:31
> Hi,
> 
> I read at least 100 different documentations during the
> last week and
> didn't get it. So I decided to ask the list for help :)
> 
> Unfortunately we have to move to a Windows 2008 Server ADS
> in our
> company as this is required for some other projects. But we
> want to 
> keep our nice 5+ samba-server providing fast 50TB+ of
> storage.
> 
> So we have to find a way to nicely integrate the storage
> with the new
> ADS installed. Therefor I installed a Testlab consisting of
> 2 debian
> etch storage-servers with each 12TB lvm-based storage
> attached. Also we
> have 2 MS 2008 Server SP1 as PDC and BDC. Further we have
> some Windows
> XP 32 and 64 Bit clients as workstations for testing.
> 
> Now we setup everything and decided to use samba 3.2.0 as
> there are some
> bugs related to W2k8 server are solved. So I build debian
> packages from
> experimental for etch an installed them. Then I set up
> kerberos and
> samba using "security = ads". Everythings works
> great. I can get a
> kerberos ticket with kinit also I can join the ADS with
> "net ads join
> -Uadministrator". I set up /etc/nssswitch to use
> winbind and I can
> request user information successfully.
> 
> But now I have to set up shared IDMAP for my samba servers
> to have the
> same UIDs and GIDs on all machines. As it would be nice to
> have all that
> on the ADS server I tried the following for days without
> success and
> that is where I need help:
> 
> - I installed the "MS Identity Management for
> Unix"
> - I added UID, Homedir, Shell and "Default Group"
> to the AD User
> - I set "Unix Attr" for my groups
> - I configured samba to as followed:
> 
> ----- snip -----
> 
> [global]
> workgroup = TESTLAB
> realm = TESTLAB.COMPANY.COM
> netbios name = filesrv001
> server string = Samba Storage Fileserver 001 (%v)
> security = ADS
> idmap domains = BUILTIN, TESTLAB
> idmap config TESTLAB:backend = ad
> idmap config TESTLAB:default = yes
> idmap config TESTLAB:schema_mode = rfc2307
> idmap config BUILTIN:backend            = tdb
> idmap config BUILTIN:base_rid           = 800
> idmap config BUILTIN:range              = 800-999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind nested groups = Yes
> password server = WIN-RXYDW1KO5DH.testlab.company.com
> wins server = WIN-RXYDW1KO5DH.testlab.company.com
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> hide unreadable = yes
> hide dot files = yes
> unix charset = LOCALE
> log level = 5
> 
> [big_data]
> comment = Very Big Share
> path =  /SERV
> browseable = yes
> guest ok = no
> valid users = "@STGT\entenhausen"
> create mask = 660
> directory mode = 770
> writeable = yes
> readonly = no
> force group = "STGT\entenhausen"
> 
> ----- snip -----
> 
> - I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
> - I delete the Join on the ADS
> - Then I rebooted the Linux-Server, re-joined the ADS
> - And I can retrieve the user with getent and it has IT UID
> 
> filesrv001:/var/log/samba# getent passwd tic.tic
> tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false
> 
> - But the default group, the home-dir and the shell is not
> right
> - seems like the values are not retrieved correctly from
> ADS
> - also strange: I set up the second storage with the same
> configs
> - only changed names
> - if I retrieve the user-information there
> - it looks like this
> 
> getent passwd tic.tic
> tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false
> 
> - so the default-group is changing 
> - but its still not the value listed in the ADS
> 
> Any ideas on that? Did I get something completely wrong?
> I'll now take a
> closer look to the Win 2008 logfiles and I'll check the
> communication
> with tcpdump. But I'm mostly stuck and really could
> need some hints.
> Or should I try another solution? IDMAP-RID cannot be used
> as we are
> planning a "trust domain" setup
> 
> Thank you and best regards
> 
>                  Daniel
> 
> -- 
> To unsubscribe from this list go to the following URL and
> read the
> instructions: 
> https://lists.samba.org/mailman/listinfo/samba


      Novos endereços, o Yahoo! que você conhece. Crie um email novo com a sua cara @ymail.com ou @rocketmail.com.
http://br.new.mail.yahoo.com/addresses

More information about the samba mailing list