[Samba] [bounce] Problem with pam_winbind

Alex Samad alex at samad.com.au
Thu Nov 5 16:31:15 MST 2009


On Thu, Nov 05, 2009 at 03:04:38PM -0600, Robert LeBlanc wrote:
> On Thu, Nov 5, 2009 at 2:32 PM, Alex Samad <alex at samad.com.au> wrote:
> 
> > > I haven't used any of the ldap stuff that you are using so it's beyond me
> > > at this point. I wish I could help more, I know how it is to be in that
> > > position. Is this just a member workstation/server or is it trying to be
> > > a DC? To me if it is just a member, I can't see why you would need all the
> > > LDAP stuff. Security should also probably be ADS as well. Here is my conf
> >
> > not sure what you mean by all that ldap stuff I have, I understand ads
> > is stored in M$ ldap
> >
> >
> Indeed, Active Directory is ldap, but the link on pastebin is much different

My apologies, I took the samba config from my mail machine and not the machine
in question !!! Below is the correct one, the pastebin is the incorrect
one.

> than what you posted here. For most of what I need, I don't have to do LDAP
> stuff. I just finished writing a script to query AD for a user's e-mail
> address and I had to do that over LDAP because winbind doesn't provide it.
> It would be nice to have winbind provide things like that (makes note to
> self when things slow down, to look at patching that in).
> 
> 
> >
> > [global]
> > workgroup = AD
> > server string = %h server
> > dns proxy = no
> > interfaces = 192.168.5.10/24
> > bind interfaces only = yes
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > syslog = 0
> > panic action = /usr/share/samba/panic-action %d
> > encrypt passwords = true
> > passdb backend = tdbsam
> > obey pam restrictions = yes
> > unix password sync = yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > pam password change = yes
> > netbios name = bblx01
> > realm = ad.barbarast.samad.com.au
> > security = ADS
> > encrypt passwords = true
> > password server = *
> > winbind separator = +
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%D/%U
> > template shell = /bin/false
> > winbind use default domain = yes
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >
> So, a couple things that I notice that may/may not help. Your realm is
> lower case, it needs to be uppercase. You are missing an idmap_backend type
> (I'm pretty sure you need this so that winbind knows how to map your users'
> SID to UIDs). You can choose from hash, rid or ads. See my example for hash
> (you don't need ranges i.e. idmap uid = 10000-20000). Rid, you need to
> specify the domain (trusted domains may not work, although I think you can
> specify different ranges for different domains) and you will need the ranges
> that you currently have. Ads, needs to have the Active Directory schema
> extended, you don't need the ranges, but the schema will need to be
> populated (I think Samba can do that for you, but I don't have experience).
> Each one comes with its pros and cons, if your schema is not extended and
> you don't have other *NIXs that rely on it, I'd suggest using hash, but it
> is only in 3.4.x. Other than that things look ok. Also, if a home directory
> is not created for the user, they probably won't be able to log in due to
> the template shell = /bin/false.

Okay, some interesting things for me to follow up. I didn't think I needed
to extend the schema as all I am using is the auth capabilities to get
to cyrus mail, I don't need home and other pieces of information.

The thing is, this was working before, and when I am on the machine,
wbinfo -a and -K work.

I will have a look.

Thanks

> 
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University

-- 
"I hear the voices, and I read the front page, and I know the speculation, but I’m the decider and I decide what is best. And what’s best is for Don Rumsfeld to remain as secretary of defense."

	- George W. Bush
04/18/2006
Washington, DC
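Robert's reply lists three things to check in the posted [global] section: the realm must be upper-case, an idmap backend must be set so winbind can map SIDs to UIDs, and template shell = /bin/false blocks interactive logins for domain users. The following lint script is an added example, not code from either poster or from the Samba project; it parses an smb.conf [global] section the way smbd treats keys (case-insensitive, whitespace-collapsed) and reports those three points plus duplicated parameters. The embedded sample config is a constructed cut-down version of the one quoted above, and the `idmap backend` / `idmap config ... : backend` spellings it looks for are the Samba 3.x parameter names as I know them; the realm in the test is a placeholder.

```python
"""Lint a Samba smb.conf [global] section for the winbind problems raised in the thread."""
import re

# Constructed sample based on the posted config: lower-case realm, no idmap
# backend, template shell = /bin/false, and "encrypt passwords" set twice.
SAMPLE_SMB_CONF = """\
[global]
workgroup = AD
realm = ad.barbarast.samad.com.au
security = ADS
encrypt passwords = true
encrypt passwords = true
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
"""


def parse_global(text):
    """Return (params, duplicates) for the [global] section.

    Keys are normalised like smbd does: case-insensitive with internal
    whitespace collapsed. Values keep their case because the realm check
    depends on it. Only the first '=' splits key from value, so values
    such as SO_RCVBUF=8192 survive intact.
    """
    params, dups = {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split()).lower()
        if key in params:
            dups.append(key)
        params[key] = value.strip()
    return params, dups


def lint_winbind(params, dups):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    realm = params.get("realm", "")
    security = params.get("security", "").lower()
    if security == "ads" and not realm:
        findings.append("security = ADS but no realm is set")
    if realm and realm != realm.upper():
        findings.append(f"realm should be upper-case, found {realm!r}")
    # Samba 3.x accepts either the global "idmap backend" or the per-domain
    # "idmap config DOMAIN : backend" form (assumed parameter names).
    has_backend = "idmap backend" in params or any(
        re.match(r"^idmap config .*:\s*backend$", k) for k in params
    )
    if not has_backend:
        findings.append("no idmap backend configured; winbind cannot map SIDs to UIDs")
    if params.get("template shell") == "/bin/false":
        findings.append(
            "template shell = /bin/false: domain users get no login shell "
            "(fine if only PAM authentication is needed)"
        )
    for key in dups:
        findings.append(f"parameter {key!r} is set more than once; the last value wins")
    return findings


def lint_text(text):
    """Parse and lint an smb.conf string in one call."""
    params, dups = parse_global(text)
    return lint_winbind(params, dups)


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_SMB_CONF):
        print("-", finding)
```

Run it against a real file with `lint_text(open("/etc/samba/smb.conf").read())`; the script is read-only and only reports, it never edits the config. A clean result does not prove winbind works (that is what `wbinfo -a` and `wbinfo -K` test), but it catches the static mistakes discussed here before a restart.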