[Samba] help with AD integration
Max León
mleon at wirewatchers.com
Mon Oct 4 10:35:15 MDT 2010
You need to ensure that pam is allowing ssh or telnet access; not sure
in Solaris, but in RedHat based systems it is inside /etc/pam.d.
You will have to allow access through pam only for enabled accounts, since
usually the access is restricted to shadow by default.
On 10/4/10 7:11 AM, Gaiseric Vandal wrote:
> According to your page
>
> "getent passwd" is showing the domain users.
>
>
> If you try to ssh into your linux machine as "ben", with the way
> nsswitch.conf is configured, it will try to authenticated you as the
> "ben" in /etc/passwd not the one in the AD domain.
>
> I suggest you try the following
> comment out "ben" from /etc/passwd and /etc/shadow.
>
> Make sure that the /export/Home/ben directory is owned by the SRE+ben
> user. See if you can ssh into linux as "ben." (I think you can
> specify "ben" and not "SRE+ben" for the ssh user.) Keep an eye on the
> log files e.g in /var/samba/log or /var/log/samba.
>
> You have still not clarified why nsswitch.conf has entries for ldap.
>
>
>
>
> On 10/04/2010 05:17 AM, Ben George wrote:
>>
>> please check this link
>>
>> http://bentgeorge.com/samba/
>> all are mentioned here
>>
>>
>> Thanks
>> Ben.T.George
>>
>>
>>
>> On Thu, Sep 30, 2010 at 10:16 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>
>> Hi
>>
>> Please clarify the following
>> - Did you run "truss getent passwd" command and look for lines
>> with nss_winbind- just in case it is looking for a file with a
>> different version.
>> - Why does nsswitch.conf have ldap references- are you using ldap?
>>
>>
>> You should also look through the samba logs- it may provide some
>> information.
>>
>>
>>
>> On 09/30/2010 12:14 PM, Ben George wrote:
>>>
>>>
>>>
>>> yes client has Solaris and a windows xp machine under the AD domain
>>>
>>> yes i exported the paths to the newly installed
>>> /usr/local/samba/lib
>>>
>>> I'm using the new packages and disabled the default packages
>>>
>>>
>>> On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com> wrote:
>>>
>>> So to clarify the customer has a Sun Solaris 10 UNIX machine
>>> and a Linux workstation?
>>>
>>> FOR SOLARIS
>>>
>>> I had problems with getting nsswitch+winbind working with the
>>> samba from sunfreeware- I had to recompile from scratch
>>> (major headache.) In hindsight this may not have been
>>> necessary for winbind- although I had to recompile anyway
>>> for ZFS support.
>>>
>>> On solaris, you should have a file called
>>> /usr/lib/nss_winbind.so.1 - which is the nsswitcher winbind
>>> library provided by the samba that sun bundles with solaris
>>> 10 (but this is samba 3.0.x and too old to be much use.)
>>>
>>> In /usr/local/samba/lib - do you see an nss_winbind.so.1
>>> file? How is your PATH and LD_LIBRARY_PATH set- you want
>>> to make sure you are using the /usr/local/samba/bin and
>>> /usr/local/samba/lib first.
>>>
>>> If you run "truss getent passwd | tee log1.txt" you should
>>> see it looking for nss_winbind.so.1 - ideally it will look
>>> in /usr/local/samba/lib before /usr/lib. If it uses
>>> /usr/lib/nss_winbind.so.1 that will probably NOT work. You
>>> may want to rename that file just to make sure.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 09/30/2010 10:57 AM, Ben George wrote:
>>>>
>>>> Sun Solaris 10 (under SPARC)
>>>>
>>>> local users in /etc/passwd
>>>>
>>>> samba 3.4.2 from sunfreeware.com <http://sunfreeware.com>
>>>>
>>>>
>>>> getent passwd
>>>>
>>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>>> teju:x:101:1::/export/home/teju:/bin/sh
>>>> user1:x:102:1::/export/home/user1:/bin/sh
>>>> ben:x:103:1::/home/ben:/bin/sh
>>>>
>>>> like this
>>>>
>>>> Thanks
>>>> Ben.T.George
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
>>>> <gaiseric.vandal at gmail.com> wrote:
>>>>
>>>> Then it sounds like you need the AD integration. If the
>>>> user's also login to the linux workstation directly (or
>>>> via ssh) then you will need to configure winbind and
>>>> nsswitch to support unix logins.
>>>>
>>>> Why does nsswitch.conf include ldap? Is this the only
>>>> linux/unix machine? Are local users in ldap or
>>>> /etc/passwd?
>>>>
>>>> What version of samba? What version of linux?
>>>>
>>>> Ideally "getent passwd" would show something like
>>>>
>>>>
>>>>
>>>> ben:*:10001:10001:Ben
>>>> George:/export/Home/SRE/ben/:bin/tcsh
>>>>
>>>> or
>>>>
>>>> SRE+ben:*:10001:10001:Ben
>>>> George:/export/Home/SRE/ben:/bin/bash
>>>>
>>>>
>>>>
>>>> I don't think you need a huge amount of AD experience to
>>>> make this work but I think you have to have general
>>>> understanding of what Windows domains are about.
>>>>
>>>> You should also review the smb.conf man page for the
>>>> section on idmap_ad.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 09/30/2010 09:24 AM, Ben George wrote:
>>>>>
>>>>>
>>>>> Thanks for your reply..
>>>>>
>>>>> yes my client told me like this that's Y..and the
>>>>> manager gave that work to newly joined me.. :(
>>>>>
>>>>> i don't have any AD and core unix experience..i have
>>>>> only experience in linux.not much
>>>>>
>>>>> may this project will affect my job.. :(
>>>>>
>>>>> my nsswitch.conf
>>>>>
>>>>> passwd: files ldap winbind
>>>>> group: files ldap winbind
>>>>> hosts: dns files
>>>>> ipnodes: dns files
>>>>>
>>>>>
>>>>> "nsswitch+winbind (which I do) or the smb pam
>>>>> module"..? :(
>>>>>
>>>>> i don't know..my client's need is he has a linux
>>>>> machine..also a ADS..from the unix machine, he want to
>>>>> share secure folder's to the AD user's..so eash user
>>>>> can only access that particular shared folder..when the
>>>>> password of user changed in AD, that will affect to the
>>>>> smbpassword...means without changing that particular
>>>>> user's smb password in the unix machine..
>>>>>
>>>>> for this need which method is useful..from your
>>>>> experience
>>>>>
>>>>> "Does "getent passwd" show the windows users?"
>>>>>
>>>>> please check the output ..i think getent password only
>>>>> shows unix system password
>>>>>
>>>>> bash-3.00# getent passwd
>>>>> root:x:0:0:Super-User:/:/sbin/sh
>>>>> daemon:x:1:1::/:
>>>>> bin:x:2:2::/usr/bin:
>>>>> sys:x:3:3::/:
>>>>> adm:x:4:4:Admin:/var/adm:
>>>>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>>>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>>>> nuucp:x:9:9:uucp
>>>>> Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>>>> smmsp:x:25:25:SendMail Message Submission Program:/:
>>>>> listen:x:37:4:Network Admin:/usr/net/nls:
>>>>> gdm:x:50:50:GDM Reserved UID:/:
>>>>> webservd:x:80:80:WebServer Reserved UID:/:
>>>>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>>>> svctag:x:95:12:Service Tag UID:/:
>>>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>>>> noaccess:x:60002:60002:No Access User:/:
>>>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access
>>>>> User:/:
>>>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>>>> teju:x:101:1::/export/home/teju:/bin/sh
>>>>> user1:x:102:1::/export/home/user1:/bin/sh
>>>>> ben:x:103:1::/home/ben:/bin/sh
>>>>>
>>>>>
>>>>> "you already have a "unix" ben and a "ADS" ben defined?"
>>>>>
>>>>> Yes i defined the ben user in Unix and ADS...because i
>>>>> don't have much knowledge about that sorry
>>>>>
>>>>> Hope u will help me
>>>>> Thanks
>>>>> Ben.T.George
>>>>>
>>>>>
>>>>> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>>>>> <gaiseric.vandal at gmail.com> wrote:
>>>>>
>>>>>
>>>>> disclaimer: I don't use Samba as an ADS member
>>>>> server. I use samba as PDC with trusts to an ADS
>>>>> domain. So my observations may not be valid.
>>>>>
>>>>> Did you try updating nsswitch.conf
>>>>>
>>>>>
>>>>> passwd: files winbind
>>>>> group: files winbind
>>>>>
>>>>>
>>>>> If you are using a Windows domain and have a user
>>>>> defined in the domain, you generally don't want to
>>>>> add the user as a local user. Since the
>>>>> underlying unix OS needs to know about the domain
>>>>> users you need to either use nsswitch+winbind
>>>>> (which I do) or the smb pam module (which I don't
>>>>> use, and not sure if it really is the correct
>>>>> approach.)
>>>>>
>>>>> If you use nsswitch.conf+winbind you can then also
>>>>> OPTIONALLY allow "windows" users "unix" access like
>>>>> ssh. My samba server is a PDC- I have a domain
>>>>> trust with windows domains BUT the default shell
>>>>> is "/bin/false." (It is still a little flaky...)
>>>>>
>>>>> Does "getent passwd" show the windows users? It
>>>>> should show something like
>>>>>
>>>>> ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>>>>
>>>>> or
>>>>>
>>>>> SRE+ben:*:10001:10001:Ben
>>>>> George:/home/SRE/ben/bin/false
>>>>>
>>>>>
>>>>>
>>>>> It looks like = you already have a "unix" ben and a
>>>>> "ADS" ben defined?
>>>>>
>>>>> "wbinfo -s" and "wbinfo -n" are also useful for
>>>>> making sure that the name-to-sid and sid-to-name
>>>>> mappings are correct for domain users.
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
--
Max León
Systems Director
Wire Watchers : enterprise : technology : genius
------------------------------------------------------------------------------------------------------------------
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
cel: +(506) 8364-6261 | fax: +(506) 2258-3695
email: mleon at wirewatchers.com | www.wirewatchers.com
------------------------------------------------------------------------------------------------------------------
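The thread above turns on two things: the order of sources in nsswitch.conf (a "files" entry ahead of "winbind" means a local "ben" in /etc/passwd answers the lookup and the AD "ben" is never reached), and whether winbind is wired in at all. The script below is an added example, not code from the thread or from the Samba project: it reads a nsswitch.conf, a local passwd file and the output of "wbinfo -u", reports which source would answer a passwd lookup for a given name, and lists local accounts that shadow a domain account. All three inputs are constructed inline so it runs offline; the file names, the "SRE+" separator form and the helper names are assumptions made for the example. The ldap source in the posted config is not modelled and is simply skipped.

```shell
#!/bin/sh
# Added example, not from the thread. Offline sanity checks for the
# nsswitch.conf / winbind situation discussed above: which source answers
# a passwd lookup for a given name, and which local accounts in /etc/passwd
# collide with (and therefore shadow) a domain account.
# All inputs are constructed here so the script runs without a domain; on a
# real host point NSS at /etc/nsswitch.conf, PW at /etc/passwd and capture
# WB with "wbinfo -u".

TMPDIR_EX=${TMPDIR:-/tmp}/nss-check.$$
mkdir -p "$TMPDIR_EX"
trap 'rm -rf "$TMPDIR_EX"' EXIT

# Constructed nsswitch.conf in the shape posted in the thread.
cat > "$TMPDIR_EX/nsswitch.conf" <<'EOF'
passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
EOF

# Constructed local passwd file; "ben" collides with the domain user below.
cat > "$TMPDIR_EX/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
ramana:x:100:1::/export/home/ramana:/bin/sh
ben:x:103:1::/home/ben:/bin/sh
EOF

# Constructed "wbinfo -u" output; "SRE+" is the domain plus winbind separator.
cat > "$TMPDIR_EX/wbinfo-u" <<'EOF'
SRE+administrator
SRE+ben
SRE+alice
EOF

NSS=$TMPDIR_EX/nsswitch.conf
PW=$TMPDIR_EX/passwd
WB=$TMPDIR_EX/wbinfo-u

# nsswitch_sources FILE DB: print the lookup sources configured for DB,
# in order, separated by single spaces (e.g. "files ldap winbind").
nsswitch_sources() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tr -s '[:blank:]' ' ' | sed 's/ *$//'
}

# source_rank FILE DB SRC: print the 1-based position of SRC among the
# sources for DB, or 0 when SRC is not configured for that database.
source_rank() {
  i=0
  for s in $(nsswitch_sources "$1" "$2"); do
    i=$((i + 1))
    if [ "$s" = "$3" ]; then echo "$i"; return 0; fi
  done
  echo 0
}

# domain_names WBINFO_OUT: domain users with the "DOMAIN+" prefix removed.
domain_names() {
  sed 's/^[^+]*+//' "$1"
}

# first_source_for NSS PW WB NAME: the first configured passwd source that
# knows NAME. Only "files" and "winbind" are modelled; any other source
# (such as the ldap entry in the posted config) is skipped.
first_source_for() {
  for s in $(nsswitch_sources "$1" passwd); do
    case "$s" in
      files)   grep -q "^$4:" "$2" && { echo files; return 0; } ;;
      winbind) domain_names "$3" | grep -qx "$4" && { echo winbind; return 0; } ;;
    esac
  done
  echo none
}

# shadowed_users PW WB: local account names that also exist in the domain.
# With "files" ahead of "winbind", the local entry wins and the domain
# account is never consulted for that name.
shadowed_users() {
  cut -d: -f1 "$1" | sort -u > "$TMPDIR_EX/local.lst"
  domain_names "$2" | sort -u > "$TMPDIR_EX/domain.lst"
  comm -12 "$TMPDIR_EX/local.lst" "$TMPDIR_EX/domain.lst"
}

# Demonstration against the constructed inputs.
echo "passwd sources: $(nsswitch_sources "$NSS" passwd)"
echo "winbind rank for passwd: $(source_rank "$NSS" passwd winbind)"
for u in ben alice root nobody; do
  echo "$u is answered by: $(first_source_for "$NSS" "$PW" "$WB" "$u")"
done
echo "local accounts shadowing a domain account: $(shadowed_users "$PW" "$WB" | tr '\n' ' ')"
```

On the constructed inputs "ben" is answered by "files" while "alice" falls through to "winbind", which is exactly the situation the thread describes; the fix suggested there (remove the local "ben") makes shadowed_users return nothing. The script only reads files and never touches the real nsswitch.conf or passwd.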