[Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28
Petteri Heinonen
petteri.heinonen at sasken.com
Sat Mar 21 21:09:26 GMT 2009
Hello list users,

I have been struggling with the combination in the subject field for a
couple of days now, so I decided to ask for some advice here. Hopefully
someone can point me in the right direction. The ultimate goal for me is
to authenticate users using AD, so that the UID/GID values configured for
users with SFU would also be in use on all our Linux machines. My
understanding is that using correctly configured winbind + pam +
nsswitch should produce the desired result.

I have been able to join a Linux box to our Windows Server 2003 hosted
domain, but getting user/group info out of AD seems to cause some
trouble. I have been mostly experimenting with the wbinfo tool. Running
"wbinfo -i someuser" results in "Could not get info for user someuser",
with logs as below.

One specific question which has been troubling me is: what should be
the value for winbind nss info? Googling has revealed that the two
possibilities are "sfu" and "rfc2307". But I haven't been able to find
any decent documentation about when sfu should be used and when rfc2307.
Are these somehow related to what SFU version is in use on the AD side?

- Regards, Petteri Heinonen

log.winbindd:

[2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 18
[2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 1876]: request interface version
[2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 1876]: request location of privileged pipe
[2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2009/03/21 22:59:04, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [ 1876]: getpwnam someuser
[2009/03/21 22:59:05, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
  sid2uid returned an error
[2009/03/21 22:59:05, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
  Could not query uid for user DOMAIN\someuser

log.winbindd-idmap:

[2009/03/21 22:59:04, 4] nsswitch/winbindd_dual.c:fork_domain_child(1065)
  child daemon request 48
[2009/03/21 22:59:04, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [ 1862]: sid to uid S-1-5-21-2285760618-1546780000-830142390-7708
[2009/03/21 22:59:04, 7] nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)
  Current tickets expire in 35425 seconds (at 1237704569, time is now 1237669144)
[2009/03/21 22:59:05, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
  Search for (|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1.2)) in <CN=Schema,CN=Configuration,DC=bothi,DC=fi> gave 0 replies
[2009/03/21 22:59:05, 3] libads/ldap_schema.c:ads_check_posix_schema_mapping(243)
  ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
[2009/03/21 22:59:05, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
  ad_idmap_cached_connection: Failed to obtain schema details!
[2009/03/21 22:59:05, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
  ADS uninitialized
[2009/03/21 22:59:05, 2] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1163)
  ERROR: NTSTATUS = 0xc0000001

smb.conf:
[global]
# general part
security = ADS
interfaces = eth0
realm = DOMAIN.FI
workgroup = DOMAIN
netbios name = LUPUS
domain master = no
local master = no
preferred master = no
server string = %h
encrypt passwords = yes
wins support = no
wins server = ad1.domain.fi
use kerberos keytab = yes
password server = ad1.domain.fi
# logging
log level = 8
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
#winbind
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
winbind separator = +
winbind nss info = rfc2307
winbind cache time = 120
idmap backend = ad
idmap uid = 2000-20000
idmap gid = 2000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
client use spnego = yes
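
Added example (not part of the original post, and not Samba code): a small parser for the log.winbindd-idmap excerpt above that rejoins the mail-wrapped entries and names the attributes the empty schema search asked for. The OID-to-name table comes from RFC 2307; the function names are illustrative.

```python
import re

# RFC 2307 attribute types (OID arc 1.3.6.1.1.1.1.x) named in the schema search.
RFC2307_OIDS = {
    "1.3.6.1.1.1.1.0": "uidNumber", "1.3.6.1.1.1.1.1": "gidNumber",
    "1.3.6.1.1.1.1.2": "gecos", "1.3.6.1.1.1.1.3": "homeDirectory",
    "1.3.6.1.1.1.1.4": "loginShell",
}

# Excerpt of log.winbindd-idmap from the post, mail-client line wraps left in.
SAMPLE_LOG = """\
[2009/03/21 22:59:05, 5]
libads/ldap_utils.c:ads_do_search_retry_internal(64)
Search for
(|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId
=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1
.2)) in <CN=Schema,CN=Configuration,DC=bothi,DC=fi> gave 0 replies
[2009/03/21 22:59:05, 3]
libads/ldap_schema.c:ads_check_posix_schema_mapping(243)
ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]\s*(\S*)$")

def parse_entries(text):
    """Split a Samba debug log into entries, undoing mail-client line wraps."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif entries and not entries[-1]["where"]:
            entries[-1]["where"] = line.strip()  # wrapped file:function(line)
        elif entries:
            # Joined with no separator: mends tokens cut mid-OID, may glue words.
            entries[-1]["msg"] += line.strip()
    return entries

def failed_schema_searches(entries):
    """Return (search base, attribute names) for each schema search with 0 replies."""
    pattern = re.compile(r"Search for\s*(\(.*\)) in <(CN=Schema[^>]*)> gave 0 replies")
    results = []
    for e in entries:
        m = pattern.search(e["msg"])
        if m:
            oids = re.findall(r"attributeId=([\d.]+)", m.group(1))
            results.append((m.group(2), [RFC2307_OIDS.get(o, o) for o in oids]))
    return results
```

Run on the excerpt, `failed_schema_searches(parse_entries(SAMPLE_LOG))` names the five RFC 2307 attribute definitions that the search under CN=Schema did not find, which is the step immediately before "Failed to obtain schema details!" in the log.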