[Samba] help with AD integration

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Oct 4 07:11:10 MDT 2010


According to your page

     "getent passwd" is showing the domain users.


If you try to ssh into your Linux machine as "ben", with the way 
nsswitch.conf is configured, it will try to authenticate you as the 
"ben" in /etc/passwd, not the one in the AD domain.

I suggest you try the following
     comment out "ben" from /etc/passwd and /etc/shadow.

Make sure that the /export/Home/ben directory is owned by the SRE+ben 
user.   See if you can ssh into Linux as "ben."  (I think you can 
specify "ben" and not "SRE+ben" for the ssh user.)  Keep an eye on the 
log files, e.g. in /var/samba/log or /var/log/samba.

You have still not clarified why nsswitch.conf has entries for ldap.




On 10/04/2010 05:17 AM, Ben George wrote:
>
> Please check this link
>
> http://bentgeorge.com/samba/
> Everything is mentioned here.
>
>
> Thanks
> Ben.T.George
>
>
>
> On Thu, Sep 30, 2010 at 10:16 PM, Gaiseric Vandal 
> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>
>     Hi
>
>     Please clarify the following
>      -  Did you run the "truss getent passwd" command and look for lines
>     with nss_winbind, just in case it is looking for a file with a
>     different version?
>      - Why does nsswitch.conf have ldap references? Are you using ldap?
>
>
>     You should also look through the samba logs; they may provide some
>     information.
>
>
>
>     On 09/30/2010 12:14 PM, Ben George wrote:
>>
>>
>>
>>     Yes, the client has Solaris and a Windows XP machine under the AD domain.
>>
>>     Yes, I exported the paths to the newly installed /usr/local/samba/lib.
>>
>>     I am using the new packages and disabled the default packages.
>>
>>
>>     On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal
>>     <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>>
>>         So to clarify the customer has a Sun Solaris 10 UNIX machine
>>         and a Linux workstation?
>>
>>         FOR SOLARIS
>>
>>         I had problems with getting nsswitch+winbind working with the
>>         samba from sunfreeware; I had to recompile from scratch
>>         (major headache).   In hindsight this may not have been
>>         necessary for winbind, although I had to recompile anyway
>>         for ZFS support.
>>
>>         On Solaris, you should have a file called
>>         /usr/lib/nss_winbind.so.1, which is the nsswitch winbind
>>         library provided by the samba that Sun bundles with Solaris
>>         10 (but this is samba 3.0.x and too old to be much use.)
>>
>>         In /usr/local/samba/lib, do you see an nss_winbind.so.1
>>         file?    How are your PATH and LD_LIBRARY_PATH set?  You want
>>         to make sure you are using /usr/local/samba/bin and
>>         /usr/local/samba/lib first.
>>
>>         If you run "truss getent passwd | tee log1.txt"  you should
>>         see it looking for nss_winbind.so.1 -  ideally it will look
>>         in /usr/local/samba/lib before /usr/lib.  If it uses
>>         /usr/lib/nss_winbind.so.1 that will probably NOT work.  You
>>         may want to rename that file just to make sure.
>>
>>
>>
>>
>>
>>
>>         On 09/30/2010 10:57 AM, Ben George wrote:
>>>
>>>         Sun Solaris 10 (under SPARC)
>>>
>>>         local users in /etc/passwd
>>>
>>>         samba 3.4.2 from sunfreeware.com <http://sunfreeware.com>
>>>
>>>
>>>         getent passwd
>>>
>>>         ramana:x:100:1::/export/home/ramana:/bin/sh
>>>         teju:x:101:1::/export/home/teju:/bin/sh
>>>         user1:x:102:1::/export/home/user1:/bin/sh
>>>         ben:x:103:1::/home/ben:/bin/sh
>>>
>>>         like this
>>>
>>>         Thanks
>>>         Ben.T.George
>>>
>>>
>>>
>>>
>>>         On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
>>>         <gaiseric.vandal at gmail.com
>>>         <mailto:gaiseric.vandal at gmail.com>> wrote:
>>>
>>>             Then it sounds like you need the AD integration.  If the
>>>             users also log in to the Linux workstation directly  (or
>>>             via ssh) then you will need to configure winbind and
>>>             nsswitch to support Unix logins.
>>>
>>>             Why does nsswitch.conf include ldap?  Is this the only
>>>             linux/unix machine?  Are local users in ldap or
>>>             /etc/passwd?
>>>
>>>             What version of samba?   What version of linux?
>>>
>>>             Ideally "getent passwd" would show something like
>>>
>>>
>>>
>>>             ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/tcsh
>>>
>>>             or
>>>
>>>             SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>>
>>>
>>>
>>>             I don't think you need a huge amount of AD experience to
>>>             make this work, but I think you have to have a general
>>>             understanding of what Windows domains are about.
>>>
>>>             You should also review the smb.conf man page for the
>>>             section on idmap_ad.
>>>
>>>
>>>
>>>
>>>
>>>             On 09/30/2010 09:24 AM, Ben George wrote:
>>>>
>>>>
>>>>             Thanks for your reply..
>>>>
>>>>             Yes, my client told me like this, that's why.. and the
>>>>             manager gave that work to me, as I newly joined.. :(
>>>>
>>>>             I don't have any AD or core Unix experience.. I only
>>>>             have experience in Linux, not much.
>>>>
>>>>             This project may affect my job..  :(
>>>>
>>>>             my nsswitch.conf
>>>>
>>>>             passwd:     files ldap winbind
>>>>             group:      files ldap winbind
>>>>             hosts:      dns files
>>>>             ipnodes:    dns files
>>>>
>>>>
>>>>             "nsswitch+winbind (which I do) or the smb pam
>>>>             module"..? :(
>>>>
>>>>              I don't know.. My client's need is: he has a Linux
>>>>             machine, also an ADS. From the Unix machine, he wants to
>>>>             share secure folders to the AD users, so each user
>>>>             can only access that particular shared folder. When the
>>>>             password of a user is changed in AD, that will affect the
>>>>             smbpassword, meaning without changing that particular
>>>>             user's smb password on the Unix machine..
>>>>
>>>>             For this need, which method is useful, from your experience?
>>>>
>>>>             "Does "getent passwd" show the windows users?"
>>>>
>>>>             Please check the output.. I think getent passwd only
>>>>             shows Unix system passwords
>>>>
>>>>             bash-3.00# getent passwd
>>>>             root:x:0:0:Super-User:/:/sbin/sh
>>>>             daemon:x:1:1::/:
>>>>             bin:x:2:2::/usr/bin:
>>>>             sys:x:3:3::/:
>>>>             adm:x:4:4:Admin:/var/adm:
>>>>             lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>>>             uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>>>             nuucp:x:9:9:uucp
>>>>             Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>>>             smmsp:x:25:25:SendMail Message Submission Program:/:
>>>>             listen:x:37:4:Network Admin:/usr/net/nls:
>>>>             gdm:x:50:50:GDM Reserved UID:/:
>>>>             webservd:x:80:80:WebServer Reserved UID:/:
>>>>             postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>>>             svctag:x:95:12:Service Tag UID:/:
>>>>             nobody:x:60001:60001:NFS Anonymous Access User:/:
>>>>             noaccess:x:60002:60002:No Access User:/:
>>>>             nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access
>>>>             User:/:
>>>>             ramana:x:100:1::/export/home/ramana:/bin/sh
>>>>             teju:x:101:1::/export/home/teju:/bin/sh
>>>>             user1:x:102:1::/export/home/user1:/bin/sh
>>>>             ben:x:103:1::/home/ben:/bin/sh
>>>>
>>>>
>>>>             "you already have a "unix" ben and a "ADS" ben defined?"
>>>>
>>>>             Yes, I defined the ben user in Unix and ADS... because I
>>>>             don't have much knowledge about that, sorry.
>>>>
>>>>             Hope you will help me.
>>>>             Thanks
>>>>             Ben.T.George
>>>>
>>>>
>>>>             On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>>>>             <gaiseric.vandal at gmail.com
>>>>             <mailto:gaiseric.vandal at gmail.com>> wrote:
>>>>
>>>>
>>>>                 Disclaimer: I don't use Samba as an ADS member
>>>>                 server.  I use samba as a PDC with trusts to an ADS
>>>>                 domain.  So my observations may not be valid.
>>>>
>>>>                 Did you try updating nsswitch.conf
>>>>
>>>>
>>>>                    passwd:     files winbind
>>>>                    group:    files winbind
>>>>
>>>>
>>>>                 If you are using a Windows domain and have a user
>>>>                 defined in the domain, you generally don't want to
>>>>                 add the user as a local user.   Since the
>>>>                 underlying unix OS needs to know about the domain
>>>>                 users you need to either use nsswitch+winbind
>>>>                 (which I do) or the smb pam module (which I don't
>>>>                 use, and not sure if it really is the correct
>>>>                 approach.)
>>>>
>>>>                 If you use nsswitch.conf+winbind you can then also
>>>>                 OPTIONALLY allow "windows" users "unix" access like
>>>>                 ssh.    My samba server is a PDC-  I have a domain
>>>>                 trust with windows domains BUT  the default shell
>>>>                 is "/bin/false."    (It is still a little flaky...)
>>>>
>>>>                 Does "getent passwd" show the windows users?   It
>>>>                 should show something like
>>>>
>>>>                 ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>>
>>>>                 or
>>>>
>>>>                 SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>>
>>>>
>>>>
>>>>                 It looks like you already have a "unix" ben and an
>>>>                 "ADS" ben defined?
>>>>
>>>>                 "wbinfo -s" and "wbinfo -n" are also useful for
>>>>                 making sure that the name-to-sid and sid-to-name
>>>>                 mappings are correct for domain users.
>>>>
>>>
>>>
>>
>>
>
>
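The checks the thread keeps coming back to (the order of passwd sources in nsswitch.conf, a local account in /etc/passwd shadowing a domain account of the same name, and which nss_winbind.so.1 the runtime linker actually opened in a truss log), as an added shell example that is not part of the original thread. The nsswitch.conf lines, passwd entries, wbinfo -u list and truss lines used below are constructed here, and the /usr/local/samba/lib path and the SRE+user naming are assumptions taken from the messages above, not output captured from the poster's hosts.

```shell
#!/bin/bash
# Added example, not from the thread: pre-flight checks for an
# nsswitch+winbind setup.  Sample data is constructed inline so the
# script runs offline; on a real host feed it /etc/nsswitch.conf,
# /etc/passwd, the output of `wbinfo -u` and a `truss -o log getent passwd`
# log instead.  On Solaris 10 set AWK=nawk (/usr/bin/awk there is the old awk).
AWK=${AWK:-awk}

# passwd_source_order <nsswitch.conf>
# Prints the lookup sources for the passwd database in the order nsswitch
# consults them, e.g. "files ldap winbind".
passwd_source_order() {
    "$AWK" '/^passwd:/ { sub(/^passwd:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# shadowed_users <passwd-file> <winbind-user-list>
# Prints every local account name that also exists in the domain.  With
# "files" listed before "winbind", such a name always resolves to the local
# entry, so ssh/PAM check /etc/shadow rather than AD.  The domain list may
# carry a DOMAIN+name or DOMAIN\name prefix (whatever "winbind separator"
# is set to); it is stripped before comparing.
shadowed_users() {
    [ -s "$2" ] || return 0   # no domain users listed: nothing can be shadowed
    "$AWK" -F: '
        NR == FNR { n = $0; sub(/^[^+\\]*[+\\]/, "", n); wb[n] = 1; next }
        ($1 in wb) { print $1 }
    ' "$2" "$1"
}

# loaded_nss_winbind <truss-log>
# From a truss log of getent, prints the path of the nss_winbind.so.1 whose
# open() returned a descriptor, i.e. the copy the runtime linker actually
# loaded.  Failed probes (Err#2 ENOENT) are skipped.
loaded_nss_winbind() {
    "$AWK" '/open\(".*nss_winbind\.so\.1"/ && /\) *= *[0-9]+ *$/ {
                match($0, /"[^"]*"/)
                print substr($0, RSTART + 1, RLENGTH - 2)
                exit
            }' "$1"
}

# --- constructed sample data (assumed paths and names, not captured output) ---
work=$(mktemp -d)
printf 'passwd:     files ldap winbind\ngroup:      files ldap winbind\nhosts:      dns files\n' > "$work/nsswitch.conf"
printf 'root:x:0:0:Super-User:/:/sbin/sh\nramana:x:100:1::/export/home/ramana:/bin/sh\nben:x:103:1::/home/ben:/bin/sh\n' > "$work/passwd"
printf 'SRE+ben\nSRE+teju\n' > "$work/wbinfo-u"
printf 'open("/usr/lib/nss_winbind.so.1", O_RDONLY)  Err#2 ENOENT\nopen("/usr/local/samba/lib/nss_winbind.so.1", O_RDONLY)  = 3\n' > "$work/truss.log"

echo "passwd sources : $(passwd_source_order "$work/nsswitch.conf")"
echo "shadowed users : $(shadowed_users "$work/passwd" "$work/wbinfo-u")"
echo "nss_winbind    : $(loaded_nss_winbind "$work/truss.log")"
rm -rf "$work"
```

With the constructed data this reports "files ldap winbind", a shadowed "ben", and /usr/local/samba/lib/nss_winbind.so.1 as the library that was loaded. On a real host, capture the truss output with `truss -o truss.log getent passwd` (truss writes its trace to stderr, so a plain pipe into tee would only capture getent's own output), and treat any name printed by shadowed_users as an account to remove from /etc/passwd and /etc/shadow before expecting AD authentication for it.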


