[Samba] help with AD integration

Ben George bentech4you at gmail.com
Thu Sep 30 08:57:53 MDT 2010


Sun Solaris 10 (under SPARC)

local users in /etc/passwd

samba 3.4.2 from sunfreeware.com


getent passwd

ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh

like this

Thanks
Ben.T.George




On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:

>  Then it sounds like you need the AD integration.  If the users also log in
> to the linux workstation directly  (or via ssh) then you will need to
> configure winbind and nsswitch to support unix logins.
>
> Why does nsswitch.conf include ldap?  Is this the only linux/unix machine?
> Are local users in ldap or /etc/passwd?
>
> What version of samba?   What version of linux?
>
> Ideally "getent passwd" would show something like
>
>
>
> ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh
>
> or
>
> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>
>
>
> I don't think you need a huge amount of AD experience to make this work but
> I think you have to have a general understanding of what Windows domains are
> about.
>
> You should also review the smb.conf man page for the section on idmap_ad.
>
>
>
>
>
> On 09/30/2010 09:24 AM, Ben George wrote:
>
>
>
> Thanks for your reply..
>
> yes my client told me like this that's Y..and the manager gave that work to
> newly joined me.. :(
>
> i don't have any AD and core unix experience..i have only experience in
> linux.not much
>
> may this project will affect my job..  :(
>
> my nsswitch.conf
>
> passwd:     files ldap winbind
> group:      files ldap winbind
> hosts:      dns files
> ipnodes:    dns files
>
>
> "nsswitch+winbind (which I do) or the smb pam module"..? :(
>
>  i don't know..my client's need is he has a linux machine..also a ADS..from
> the unix machine, he want to share secure folders to the AD users..so each
> user can only access that particular shared folder..when the password of
> user changed in AD, that will affect to the smbpassword...means without
> changing that particular user's smb password in the unix machine..
>
> for this need which method is useful..from your experience
>
> "Does "getent passwd" show the windows users?"
>
> please check the output ..i think getent password only shows unix system
> password
>
> bash-3.00# getent passwd
> root:x:0:0:Super-User:/:/sbin/sh
> daemon:x:1:1::/:
> bin:x:2:2::/usr/bin:
> sys:x:3:3::/:
> adm:x:4:4:Admin:/var/adm:
> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
> smmsp:x:25:25:SendMail Message Submission Program:/:
> listen:x:37:4:Network Admin:/usr/net/nls:
> gdm:x:50:50:GDM Reserved UID:/:
> webservd:x:80:80:WebServer Reserved UID:/:
> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
> svctag:x:95:12:Service Tag UID:/:
> nobody:x:60001:60001:NFS Anonymous Access User:/:
> noaccess:x:60002:60002:No Access User:/:
> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
> ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
>
>
> "you already have a "unix" ben and a "ADS" ben defined?"
>
> Yes i defined the ben user in Unix and ADS...bcoz i don't have much
> knowledge about that sorry
>
> Hope u will help me
> Thanks
> Ben.T.George
>
>
> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal <
> gaiseric.vandal at gmail.com> wrote:
>
>>
>> disclaimer: I don't use Samba as an ADS member server.  I use samba as PDC
>> with trusts to an ADS domain.  So my observations may not be valid.
>>
>> Did you try updating nsswitch.conf
>>
>>
>>    passwd:     files winbind
>>    group:    files winbind
>>
>>
>> If you are using a Windows domain and have a user defined in the domain,
>> you generally don't want to add the user as a local user.   Since the
>> underlying unix OS needs to know about the domain users you need to either
>> use nsswitch+winbind (which I do) or the smb pam module (which I don't use,
>> and not sure if it really is the correct approach.)
>>
>> If you use nsswitch.conf+winbind you can then also OPTIONALLY allow
>> "windows" users "unix" access like ssh.    My samba server is a PDC-  I have
>> a domain trust with windows domains BUT  the default shell is "/bin/false."
>>    (It is still a little flaky...)
>>
>> Does "getent passwd" show the windows users?   It should show something
>> like
>>
>> ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>
>> or
>>
>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>
>>
>>
>> It looks like you already have a "unix" ben and a "ADS" ben defined?
>>
>> "wbinfo -s" and "wbinfo -n" are also useful for making sure that the
>> name-to-sid and sid-to-name mappings are correct for domain users.
>>
>
>
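Added example (not part of the original thread): a shell check for the two things the replies above ask about, whether `winbind` is a lookup source in nsswitch.conf and whether a local account has the same name as a domain account. The file contents are constructed, and the `*` password field and `+` separator are assumptions taken from the sample lines quoted in the thread.

```shell
#!/bin/sh
# Sample data below is constructed, not captured from a real host.

# Succeeds if "winbind" is listed as a source for database $1 in nsswitch file $2.
nss_has_winbind() {
    awk -v db="$1:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit ok ? 0 : 1 }' "$2"
}

# Prints names present both as a local account and as a winbind account in the
# "getent passwd" output saved in $1. Heuristic (assumption from the thread's
# samples): winbind entries carry "*" as password field and may be "DOMAIN+name".
shadowed_names() {
    awk -F: '
        { name = $1; sub(/^.*\+/, "", name) }
        $2 == "*" { domain[name] = 1; next }
        { loc[name] = 1 }
        END { for (n in loc) if (n in domain) print n }' "$1" | sort
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files ldap winbind
group:      files ldap winbind
hosts:      dns files
EOF

cat > "$tmp/getent.out" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
ben:x:103:1::/home/ben:/bin/sh
SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
SRE+alice:*:10002:10001:Alice Example:/home/SRE/alice:/bin/false
EOF

nss_has_winbind passwd "$tmp/nsswitch.conf" && echo "passwd: winbind is consulted"
nss_has_winbind hosts "$tmp/nsswitch.conf" || echo "hosts: winbind is not consulted"
echo "local names that shadow a domain account: $(shadowed_names "$tmp/getent.out")"
```

With `files` listed before `winbind`, a by-name lookup returns the local entry first, so a reported name means the local account's UID is the one used for that name rather than the domain mapping.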

