[Samba] Samba + Winbind + Windows 2003 AD

Michael Lyon mjlyon at gmail.com
Mon Jul 19 10:22:15 MDT 2010


In all honesty, this is my first time using a binary Samba package (I am a
native Slackware user who converted to Fedora simply because it was easier
from start to finish, FWIW).

[]# smbd -V
Version 3.4.7-58.fc12

Here's my smb.conf global section:

[global]
       workgroup = WORKGROUPNAME
       realm = ad.university.edu
       server string = Samba Server Version %v
       netbios name = vm-srvname
       security = ADS
       password server = *
       passdb backend = tdbsam
       admin users = @"WORKGROUPNAME+Domain Admins"
       log level = 2
       log file = /var/log/samba/log.%m
       max log size = 5000
       interfaces = eth0 lo
       socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
       load printers = No
       #printing =
       printcap name = /etc/printcap
       client use spnego = yes
       client ntlmv2 auth = yes
       winbind use default domain = yes
       winbind separator = +
       winbind nested groups = Yes
       winbind enum users = yes
       winbind enum groups = yes
       winbind nss info = rfc2307
       allow trusted domains = yes
       idmap uid = 10000-99999
       idmap gid = 10000-99999
       #idmap backend = ad
       idmap domains = WORKGROUPNAME
       idmap config WORKGROUPNAME:backend = ad
       idmap config WORKGROUPNAME:schema_mode = rfc2307
       idmap config WORKGROUPNAME:range = 1000-75999
       #template shell = /bin/bash
       #template homedir = /home/share
       #server signing = enabled
       ;dead time = 15
       getwd cache = yes
       nt acl support = yes
       acl map full control = no
       store dos attributes = yes
       map acl inherit = yes
       local master = yes
       master browser = no
       dns proxy =  no
       unix extensions = no
       guest account = nobody


Mike


On Mon, Jul 19, 2010 at 11:09 AM, Mucke, Tobias, FCI4 <tobias.mucke at mbda-systems.de> wrote:

> Hi Michael,
>
> which version of Samba do you have?
>
> Are you able to post your Samba configuration?
>
> Thank you.
>
> Tobias
>
>
> Kind regards
>
> Tobias Mucke
>
>
>
> LFK-Lenkflugkörpersysteme GmbH
> Serverpool, FCI4
> Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
> Phone: +49 89 3179 8438
> Fax: +49 89 3179 8927
> Mobile: +49 170 635 3830
> E-Mail: tobias.mucke at mbda-systems.de
>
> http://www.mbda.net
>
> Chairman of the Supervisory Board: Antoine Bouvier
> Managing Director: Werner Kaltenegger
> Registered Office: Schrobenhausen
> Commercial Register: Amtsgericht Ingolstadt, HRB 4365
>
>
> ________________________________
>
> From: Michael Lyon <mjlyon at gmail.com>
> To: Mucke, Tobias, FCI4; samba at lists.samba.org <samba at lists.samba.org>
> Sent: Mon Jul 19 14:22:37 2010
> Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>
>
> I'm in a 2k8 R2 domain with SFU and home shells managed through the ADUC
> console.  I'm using Samba/Winbind and use Samba shares as user home
> directories that are mounted at login time on Windows 7 machines.
>
> This is a first attempt as we migrated to Windows 2k8r2 in order to have
> better support for Win7 clients, as we had too many issues with Samba as our
> PDC.
>
> Mike
>
>
>
> On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 <tobias.mucke at mbda-systems.de> wrote:
>
>
>        Hi,
>
>        I'm afraid this is a general issue with Winbind. I am experiencing
> the same problems and my logs look quite similar to Henrik's logs. I am
> using Samba 3.5.4 and tried to resolve this issue without luck. In fact I
> have a working lab environment with Winbind 3.5.4, AD based on Windows
> Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info =
> rfc2307. Unfortunately I was not able to port this setup back to the actual
> production environment with Winbind 3.5.4 and AD based on Windows Server
> 2003 with SFU 3.5.
>        Besides AD "versions" there is another large difference between the
> production and the lab. In production the domain structure is far more
> complex ...
>        Actually I am deploying a lab closer to the actual production
> environment.
>
>        Another important thing to me would be a configuration example of
> somebody out there using Winbind in an actual version 3.5.x with backend ad
> and SFU for Shell and Home Directories. Anybody?
>
>        Thank you.
>
>        Tobias
>
>
>
>
>        -----Original Message-----
>        From: samba-bounces at lists.samba.org [mailto:
> samba-bounces at lists.samba.org] On behalf of Necos Secon
>        Sent: Monday, 19 July 2010 01:50
>        To: samba at lists.samba.org
>        Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>
>
>        I accidentally deleted the first set of messages in my email for
> this thread, but does your DNS resolve properly? What does your resolv.conf
> look like? Also, what do these files look like:
>
>        krb5.conf
>        smb.conf
>
>        There's an option in smb.conf, winbind enum users, which needs to be
> set in order for getent to function properly. There is a corresponding
> option for groups as well. Look at them and let us know.
>
>        > Date: Mon, 19 Jul 2010 01:12:41 +0200
>        > From: hds at semark.dk
>        > To: esiotrot at gmail.com
>        > CC: samba at lists.samba.org
>        > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>        >
>        > Hi Michael
>        >
>        > Sorry for not sending that information in the first place, but I
>        > thought that it was so basic that it wasn't necessary.
>        >
>        > My nsswitch.conf:
>        > # cat /etc/nsswitch.conf
>        > # /etc/nsswitch.conf
>        > #
>        > # Example configuration of GNU Name Service Switch functionality.
>        > # If you have the `glibc-doc-reference' and `info' packages installed, try:
>        > # `info libc "Name Service Switch"' for information about this file.
>        >
>        > passwd:         compat winbind
>        > group:          compat winbind
>        > shadow:         compat winbind
>        >
>        > hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
>        > networks:       files
>        >
>        > services:       db files
>        > ethers:         db files
>        > protocols:      db files
>        > rpc:            db files
>        >
>        > netgroup:       nis
>        >
>        > I would think that this is the way to do this (and it works just fine on
>        > the UNIX servers that run their own Domain Controller)
>        >
>        > Best Regards
>        > Henrik Dige Semark
>        >
>        > On 18-07-2010 17:03, Michael Wood wrote:
>        > > On 18 July 2010 01:34, Henrik Dige Semark <hds at semark.dk> wrote:
>        > >
>        > >> Hey out there.
>        > >>
>        > >> I have to join my UNIX server with an existing Win2k3 AD network.
>        > >>
>        > >> My system info:
>        > >> Debian Lenny
>        > >> Samba   - 3.4.8
>        > >> Winbind - 3.4.8
>        > >>
>        > >> Windows Server 2003 with 2000-style-AD
>        > >>
>        > >> My problem is that I have a UNIX server that has to authenticate
>        > >> against our existing Windows 2003 AD.
>        > >>
>        > >> I have successfully joined my UNIX server to the AD, without problems.
>        > >> # net ads join -U Administrator
>        > >> Enter Administrator's password:
>        > >> Using short domain name -- TEST
>        > >> Joined 'MAIL' to realm 'TEST.LOCAL'
>        > >>
>        > >> My Samba config: http://pastebin.com/ZqaA0Ypn
>        > >>
>        > >> After the join I'm able to look up people with # wbinfo -u
>        > >>
>        > > [...]
>        > >
>        > >> # wbinfo -g
>        > >>
>        > > [...]
>        > >
>        > >> Now the problem: getent only returns the local users and not the
>        > >> users from the AD. The funny thing is that if a user is local on the
>        > >> UNIX and in the AD, I can log in with the password from both local
>        > >> and AD, so I know that it can look up people and passwords
>        > >>
>        > >> # getent passwd hs ; echo $?
>        > >> 2
>        > >>
>        > >> When I debug on getent it returns 2, which means that it can't find
>        > >> the user.
>        > >>
>        > > Do you have winbind specified in your nsswitch.conf file as mentioned here:
>        > >
>        > > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732
>        > >
>        > >
>
>        --
>
>        To unsubscribe from this list go to the following URL and read the
>        instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
>
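A small diagnostic for the two causes the thread names for getent returning 2 while wbinfo -u works (winbind missing from the passwd/group lines of nsswitch.conf, and winbind enum users / winbind enum groups not set), plus a check that the idmap uid range does not overlap the domain's idmap range. This is an added example, not code from the thread or from Samba; the file contents, the WORKGROUPNAME range key and the helper names are constructed assumptions.

```shell
# Added example, not from the thread: checks the causes named above for
# "getent passwd <aduser>" returning 2 while "wbinfo -u" lists AD users.
# Contents are constructed for the demo; a real run would read
# /etc/nsswitch.conf and /etc/samba/smb.conf into these variables instead.
NSSWITCH_SAMPLE='passwd:         compat
group:          compat winbind'
SMB_SAMPLE='[global]
   security = ADS
   winbind enum users = yes
   idmap uid = 10000-99999
   idmap config WORKGROUPNAME:range = 1000-75999'
# nss_has_winbind DB CONTENT: succeeds if winbind is a source on the DB line
nss_has_winbind() {
    printf '%s\n' "$2" | grep -i "^[[:space:]]*$1:" | head -n 1 |
        sed 's/^[^:]*://' | tr -s '[:space:]' '\n' | grep -qx winbind
}
# smb_param CONTENT NAME: prints the value of an uncommented parameter, or ""
smb_param() {
    printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]*=" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}
# ranges_overlap LO-HI LO-HI: succeeds if two idmap ranges share an ID (then
# it is ambiguous which backend owns it); malformed or empty ranges never do
ranges_overlap() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case "$1$2" in *[!0-9-]*) return 1 ;; esac
    [ "${1%-*}" -le "${2#*-}" ] && [ "${2%-*}" -le "${1#*-}" ]
}
# check_winbind_nss NSSWITCH SMBCONF: prints each finding; returns the count
check_winbind_nss() {
    problems=0
    for db in passwd group; do
        nss_has_winbind "$db" "$1" ||
            { echo "nsswitch.conf: '$db:' line lacks winbind"; problems=$((problems + 1)); }
    done
    for p in "winbind enum users" "winbind enum groups"; do
        case "$(smb_param "$2" "$p")" in
            [Yy]es|[Tt]rue|1) ;;
            *) echo "smb.conf: '$p' is not yes (getent needs it)"; problems=$((problems + 1)) ;;
        esac
    done
    if ranges_overlap "$(smb_param "$2" 'idmap uid')" \
                      "$(smb_param "$2" 'idmap config WORKGROUPNAME:range')"; then
        echo "smb.conf: 'idmap uid' overlaps the WORKGROUPNAME idmap range"
        problems=$((problems + 1))
    fi
    return "$problems"
}
check_winbind_nss "$NSSWITCH_SAMPLE" "$SMB_SAMPLE"
```

With the constructed contents the script reports three findings: passwd without winbind, winbind enum groups unset, and the overlapping idmap ranges.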

