[Samba] Samba from Sunfreeware and nss_winbind.so

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Dec 4 07:59:06 MST 2009


On 12/03/09 17:42, Gaiseric Vandal wrote:
> Sunfreeware.com has compiled packages of Samba 3.4.2 with kerberos and 
> ldap support included (if you also install the ldap and kerberos 
> packages from sunfreeware.)   However it does not include the 
> nss_winbind.so.*  or libnss_winbind.so.* files.
>
>
> Solaris does include nss_winbind.so already (since it is included with 
> Samba 3.0.x) or I could compile it from the 3.4.x source code.   But 
> then I am not sure if either of these would be compatible with 
> Sunfreeware samba.
>
> I am using winbind in /etc/nsswitch.conf for supporting users in a 
> trusted domain. Under Samba 3.0.x "getent passwd" did return users 
> from a trusted domain. On 3.4 it does not, although "wbinfo -u" is 
> working.
>
>
> Thanks
>
>
>

I copied the nss_winbind.so file I compiled to /usr/local/samba/lib. 
Samba will use that in preference to any files in /usr/lib, so I didn't 
need to delete or move the Sun-provided nss_winbind.so file.


I added the following to smb.conf (they had not been required in Samba 
3.0.x.)

idmap uid = 30000-39999
idmap gid = 30000-39999


The following entries already existed in smb.conf (and had been sufficient


idmap config TRUSTEDWINDOMAIN:backend = ldap
#idmap config TRUSTEDWINDOMAIN:readonly = no
idmap config TRUSTEDWINDOMAIN:readonly = yes
idmap config TRUSTEDWINDOMAIN:default=no
idmap config TRUSTEDWINDOMAIN:ldap_base_dn = ou=administration,ou=idmap,o=domain.com
idmap config TRUSTEDWINDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config TRUSTEDWINDOMAIN:ldap_url = ldap://ldapserver1.domain.com
idmap config TRUSTEDWINDOMAIN:range = 30000-39999



idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=domain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:ldap_url = ldap://ldapserver1.domain.com
idmap alloc config:range = 30000-39999



I also needed to add  the following line to smb.conf

client schannel = no

This resolved "cm_get_ipc_userpass: No auth-user defined" error 
messages in winbindd.log. I suspect this may need to be set on the 
PDC to resolve some other domain trust issues. The trusted domain is 
Windows 2003 in mixed mode.


Ideally Sun will one day  provide their own build of Samba 3.4.x.