[Samba] help with AD integration

Ben George bentech4you at gmail.com
Thu Sep 30 07:24:09 MDT 2010


Thanks for your replay..

yes my client told me like this that's Y..and the manager gave that work to
newly joined me.. :(

i don't have any AD and core unix experience..i have only experience in
linux.not much

may this project will affect my job..  :(

my nsswitch.conf

*passwd:     files ldap winbind
group:      files ldap winbind
hosts:      dns files
ipnodes:    dns files*


"*nsswitch+winbind (which I do) or the smb pam module*"..? :(

 i don't know..my client's need is he has a linux machine..also a ADS..from
the unix machine, he want to share secure folder's to the AD user's..so eash
user can only access that particular shared folder..when the password of
user changed in AD, that will affect to the smbpassword...means without
changing that particular user's smb password in the unix machine..

for this need which method is useful..from your experience

"*Does "getent passwd" show the windows users?*"

please check the output ..i think getent password only shows unix system
password

*bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh*


"you already have a "unix" ben and a "ADS" ben defined?"

Yes i defined the ben user in Unix and ADS...bcoz i don't have much
knowledge about that sorry

Hope u will help me
Thanks
Ben.T.George


On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com>wrote:

>
> disclaimer: I don't use Samba as an ADS member server.  I use samba as PDC
> with trusts to an ADS domain.  So my observations may not be valuid.
>
> Did you try updating nsswitch.conf
>
>
>    passwd:     files winbind
>    group:    files winbind
>
>
> If you are using a Windows domain and have a user defined in the domain,
> you generally don't want to add the user as a local user.   Since the
> underlying unix OS needs to know about the domain users you need to either
> use nsswitch+winbind (which I do) or the smb pam module (which I don't use,
> and not sure if it really is the correct approach.)
>
> If you use nsswitch.conf+winbind you can then also OPTIONALLY allow
> "windows" users "unix" access like ssh.    My samba server is a PDC-  I have
> a domain trust with windows domains BUT  the default shell is "/bin/false."
>    (It is still a little flaky...)
>
> Does "getent passwd" show the windows users?   It should show something
> like
>
> ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>
> or
>
> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>
>
>
> It looks like = you already have a "unix" ben and a "ADS" ben defined?
>
> "wbinfo -s" and "wbinfo -n" are also useful for making sure that the
> name-to-sid and sid-to-name mappings are correct for domain users.
>


More information about the samba mailing list