[Samba] AD Integration woes - rfc2307 data not being honored
Andreas Zickner
andreas at zickner.de
Wed Oct 14 01:40:11 MDT 2009
Hi,
thanks, this works for me too. But I do not get the nss info using 'id
<user>' or with 'getent passwd'. Is this working for you?
thx Andreas
Matthew J. Salerno wrote:
> ----- Original Message ----
> From: Andreas Zickner <andreas at zickner.de>
> To: Matthew J. Salerno <Vagabond_king at yahoo.com>
> Cc: samba at lists.samba.org
> Sent: Sun, October 11, 2009 8:23:06 AM
> Subject: Re: [Samba] AD Integration woes - rfc2307 data not being honored
>
> Hi,
>
> I tried with Linux rh54 2.6.18-164.el5 smbd
> Version 3.0.33-3.14.el5 using your settings, with the same result. I looked at the LDAP communication and from there I can't see anything that is related to the rfc2307 / SFU attributes! From past experience I have often found that it is a mapping issue. Here winbind/smb does not even search for the extended attributes!
> I will do a second test with a self-compiled version 3.4.2 later.
>
> regards,
> Andreas
>
>
> Matthew J. Salerno wrote:
>> Actually, the schema I am working with has been extended for both
>> methods! (Before I arrived.) The plan is to use rfc2307 - win2k3r2. Regarding where I got those settings, I have read countless man pages, howtos,
>> wikis and forum threads to put it all together. The main issue is the fact that I am using
>> an oldish version of samba, and since the release of 3.3.x I believe
>> things have gotten much easier. Have you tried adex? Check out:
>> http://samba.org/samba/docs/man/manpages-3/idmap_adex.8.html
>>
>> Other points of reference:
>> http://samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>
>> The only issue I have with having to use the ldap backend is the fact that I would need to hardcode the ldap server. With winbind, all you need to supply is the realm & domain, then winbind takes care of which server to connect to, so it won't be limited to 1 server.
>>
>> Let me know if you make any progress.
>>
>> Thanks
>
>
>
> I was able to get it working with the following configs:
>
> # /etc/samba/smb.conf
> [global]
> workgroup = TESTDOMAIN
> realm = TESTDOMAIN.NET
> server string = Samba file and print server
> security = ADS
> log level = 1
> max log size = 4192
> printcap name = cups
> preferred master = No
> idmap backend = tdb
> idmap alloc backend = tdb
> idmap alloc config:range = 5000 - 9999
> idmap cache time = 1800
> template shell = /bin/bash
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> idmap config TESTDOMAINN:cache time = 1800
> idmap config TESTDOMAIN:range = 20000-999999
> idmap config TESTDOMAIN:backend = ad
> idmap config TESTDOMAIN:schema_mode = rfc2307
> idmap domains = TESTDOMAIN
> idmap config TESTDOMAIN:default = yes
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
> [printers]
> comment = All Printers
> guest ok = Yes
> printable = Yes
> browseable = No
> available = No
>
> #/etc/krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = TESTDOMAIN.NET
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 36000
> forwardable = yes
> [realms]
> TESTDOMAIN.NET = {
> kdc = *
> kdc = TESTDOMAIN.NET
> default_domain = TESTDOMAIN.NET
> }
> [domain_realm]
> .TESTDOMAIN.net = TESTDOMAIN.NET
> TESTDOMAIN.net = TESTDOMAIN.NET
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
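The thread turns on two things that winbind fails silently on: an `idmap config <DOMAIN>:` key whose domain name does not match the workgroup (it is simply ignored), and `getent passwd` returning the template defaults instead of the rfc2307 attributes from AD. The following is an added example, not code from the Samba project or from either poster: it parses the `[global]` section of an smb.conf, reports idmap keys for unknown domains and overlapping ranges, and classifies a `getent passwd` line as coming from AD data or from the template fallback. The smb.conf text and the passwd lines are constructed inline, mirroring the configuration quoted above (including a misspelled `TESTDOMAINN` key as a test case); `parse_global`, `check_idmap_config` and `check_passwd_entry` are names chosen here.

```python
"""Sanity-check a winbind/idmap smb.conf and getent passwd output.

Added example (not Samba's own code): catches idmap keys for a misspelled
domain, overlapping idmap ranges, and passwd entries that carry template
defaults instead of rfc2307 attributes.
"""
import re

# Constructed sample mirroring the posted configuration, including the
# misspelled 'TESTDOMAINN' key that winbind would silently ignore.
SAMPLE_SMB_CONF = """
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.NET
security = ADS
idmap backend = tdb
idmap alloc backend = tdb
idmap alloc config:range = 5000 - 9999
template shell = /bin/bash
winbind separator = +
winbind nss info = rfc2307
idmap config TESTDOMAINN:cache time = 1800
idmap config TESTDOMAIN:range = 20000-999999
idmap config TESTDOMAIN:backend = ad
idmap config TESTDOMAIN:schema_mode = rfc2307
idmap domains = TESTDOMAIN
[homes]
comment = Home Directories
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_global(text):
    """Return the [global] section as a dict of lowercased key -> value."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def parse_range(value):
    """Parse 'lo - hi' / 'lo-hi' into (lo, hi), rejecting empty ranges."""
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError("bad idmap range: %r" % value)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo >= hi:
        raise ValueError("empty idmap range: %r" % value)
    return lo, hi


def check_idmap_config(params):
    """Return a list of idmap configuration problems (empty if none)."""
    problems = []
    known = {params.get("workgroup", "").upper()}
    known.update(d.strip().upper()
                 for d in params.get("idmap domains", "").split(",") if d.strip())
    ranges = {}
    for key, value in params.items():
        m = re.match(r"idmap config (\S+):(.+)", key)
        if not m:
            continue
        domain, option = m.group(1).upper(), m.group(2).strip()
        if domain not in known:
            problems.append("idmap config key for unknown domain %r (typo?)" % domain)
        if option == "range":
            ranges[domain] = parse_range(value)
    alloc = params.get("idmap alloc config:range")
    if alloc:
        alo, ahi = parse_range(alloc)
        for domain, (lo, hi) in ranges.items():
            if lo <= ahi and alo <= hi:  # closed-interval overlap
                problems.append("alloc range overlaps %s range" % domain)
    for domain in known:
        if domain and domain not in ranges:
            problems.append("no idmap range for domain %s" % domain)
    return problems


def check_passwd_entry(line, params):
    """Findings for one getent passwd line produced by winbind.

    A uid outside the domain's idmap range did not come from the 'ad'
    backend; home and shell equal to the template defaults suggest the
    rfc2307 attributes were not applied.
    """
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % line)
    name, _, uid, _, _, home, shell = fields
    uid = int(uid)
    sep = params.get("winbind separator", "\\")
    domain, user = name.split(sep, 1) if sep in name else ("", name)
    findings = []
    rng = params.get("idmap config %s:range" % domain.lower())
    if rng is None:
        findings.append("no idmap range configured for %r" % domain)
    else:
        lo, hi = parse_range(rng)
        if not lo <= uid <= hi:
            findings.append("uid %d outside range %d-%d" % (uid, lo, hi))
    # Samba 3 defaults: template homedir /home/%D/%U, template shell /bin/false
    tmpl_home = (params.get("template homedir", "/home/%D/%U")
                 .replace("%D", domain).replace("%U", user))
    tmpl_shell = params.get("template shell", "/bin/false")
    if home == tmpl_home and shell == tmpl_shell:
        findings.append("home and shell match template defaults; rfc2307 data not applied")
    return findings


if __name__ == "__main__":
    p = parse_global(SAMPLE_SMB_CONF)
    print(check_idmap_config(p))
    # Constructed getent output: AD-sourced entry, then a template fallback.
    print(check_passwd_entry("TESTDOMAIN+jdoe:*:20001:20001:John Doe:/home/jdoe:/bin/bash", p))
    print(check_passwd_entry("TESTDOMAIN+jdoe:*:5001:5001:John Doe:/home/TESTDOMAIN/jdoe:/bin/bash", p))
```

On a real host, feed it `cat /etc/samba/smb.conf` and `getent passwd 'TESTDOMAIN+user'`; an entry whose uid lands in the `idmap alloc` range rather than the domain range, or whose home is `/home/<DOMAIN>/<user>`, is the symptom described in the thread.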