[Samba] help with AD integration

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Sep 30 09:16:51 MDT 2010


So to clarify the customer has a Sun Solaris 10 UNIX machine and a Linux 
workstation?

FOR SOLARIS

I had problems with getting nsswitch+winbind working with the samba from 
sunfreeware - I had to recompile from scratch (major headache.)  In 
hindsight this may not have been necessary for winbind - although I had 
to recompile anyway for ZFS support.

On solaris, you should have a file called /usr/lib/nss_winbind.so.1 - 
which is the nsswitch winbind library provided by the samba that sun 
bundles with solaris 10 (but this is samba 3.0.x and too old to be much 
use.)

In /usr/local/samba/lib - do you see an nss_winbind.so.1 file?  How 
is your PATH and LD_LIBRARY_PATH set - you want to make sure you are 
using the /usr/local/samba/bin and /usr/local/samba/lib first.

If you run "truss getent passwd | tee log1.txt" you should see it 
looking for nss_winbind.so.1 - ideally it will look in 
/usr/local/samba/lib before /usr/lib.  If it uses 
/usr/lib/nss_winbind.so.1 that will probably NOT work.  You may want to 
rename that file just to make sure.
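As an added illustration (not part of the list post, and not Samba's own tooling): a small sh script that automates the checks just described. It parses a constructed sample of truss output to find which nss_winbind.so.1 the runtime linker actually opened, checks that /usr/local/samba/lib precedes /usr/lib in LD_LIBRARY_PATH, and flags names that appear both as a local entry and as a winbind entry in getent output. The truss lines and getent lines are constructed samples, not output from the thread.

```shell
# Constructed sample of "truss getent passwd" output (not from the list post).
# The library the runtime linker actually loaded is the open() that returned
# a descriptor ("= N"); candidates that were not found show "Err#2 ENOENT".
SAMPLE_TRUSS='open("/usr/local/samba/lib/nss_winbind.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/nss_winbind.so.1", O_RDONLY)           = 4
open("/etc/passwd", O_RDONLY)                         = 5'

# Constructed getent output: a local "ben" (password field "x") and a winbind
# "SRE+ben" (winbind reports "*" in the password field).
SAMPLE_GETENT='ben:x:103:1::/home/ben:/bin/sh
SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash'

# Print the nss_winbind.so.1 path that was opened successfully, if any.
loaded_nss_winbind() {
    printf '%s\n' "$1" | grep 'nss_winbind\.so\.1' | grep '= [0-9]' \
        | sed -n 's/^open("\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed if directory "$2" is listed before "$3" in colon-separated list "$1".
dir_precedes() {
    want=$(printf '%s\n' "$1" | tr ':' '\n' | grep -n -x -- "$2" | head -n 1 | cut -d: -f1)
    other=$(printf '%s\n' "$1" | tr ':' '\n' | grep -n -x -- "$3" | head -n 1 | cut -d: -f1)
    [ -n "$want" ] && { [ -z "$other" ] || [ "$want" -lt "$other" ]; }
}

# Print account names (DOMAIN+ prefix stripped) that exist both as a local
# entry and as a winbind entry: the "unix ben vs ADS ben" clash.
clashing_names() {
    printf '%s\n' "$1" | awk -F: '
        $2 == "x" { loc[$1] = 1 }
        $2 == "*" { n = $1; sub(/^[^+]*\+/, "", n); wb[n] = 1 }
        END { for (n in wb) if (n in loc) print n }'
}

main() {
    lib=$(loaded_nss_winbind "$SAMPLE_TRUSS")
    echo "nss_winbind.so.1 loaded from: ${lib:-<none>}"
    if dir_precedes "${LD_LIBRARY_PATH:-}" /usr/local/samba/lib /usr/lib; then
        echo "LD_LIBRARY_PATH order: ok"
    else
        echo "LD_LIBRARY_PATH order: /usr/local/samba/lib is not ahead of /usr/lib"
    fi
    echo "local/domain name clashes: $(clashing_names "$SAMPLE_GETENT")"
}
main "$@"
```

On a real box, replace SAMPLE_TRUSS with the contents of log1.txt and SAMPLE_GETENT with the output of "getent passwd".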
On 09/30/2010 10:57 AM, Ben George wrote:
>
> Sun Solaris 10 (under SPARC)
>
> local users in /etc/passwd
>
> samba 3.4.2 from sunfreeware.com <http://sunfreeware.com>
>
>
> getent passwd
>
> ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
>
> like this
>
> Thanks
> Ben.T.George
>
>
>
>
> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal 
> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>
>     Then it sounds like you need the AD integration.  If the user's
>     also login to the linux workstation directly  (or via ssh) then
>     you will need to configure winbind and nsswitch to support unix
>     logins.
>
>     Why does nsswitch.conf include ldap?  Is this the only linux/unix
>     machine?  Are local users in ldap or /etc/passwd?
>
>     What version of samba?   What version of linux?
>
>     Ideally "getent passwd" would show something like
>
>
>
>     ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh
>
>     or
>
>     SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>
>
>
>     I don't think you need a huge amount of AD experience to make this
>     work but I think you have to have a general understanding of what
>     Windows domains are about.
>
>     You should also review the smb.conf man page for the section on
>     idmap_ad.
>
>     On 09/30/2010 09:24 AM, Ben George wrote:
>>
>>     Thanks for your reply..
>>
>>     yes my client told me like this that's Y..and the manager gave
>>     that work to newly joined me.. :(
>>
>>     i don't have any AD and core unix experience..i have only
>>     experience in linux.not much
>>
>>     may this project will affect my job..  :(
>>
>>     my nsswitch.conf
>>
>>     passwd:     files ldap winbind
>>     group:      files ldap winbind
>>     hosts:      dns files
>>     ipnodes:    dns files
>>
>>
>>     "nsswitch+winbind (which I do) or the smb pam module"..? :(
>>
>>      i don't know..my client's need is he has a linux machine..also a
>>     ADS..from the unix machine, he want to share secure folder's to
>>     the AD user's..so eash user can only access that particular
>>     shared folder..when the password of user changed in AD, that will
>>     affect to the smbpassword...means without changing that
>>     particular user's smb password in the unix machine..
>>
>>     for this need which method is useful..from your experience
>>
>>     "Does "getent passwd" show the windows users?"
>>
>>     please check the output ..i think getent password only shows unix
>>     system password
>>
>>     bash-3.00# getent passwd
>>     root:x:0:0:Super-User:/:/sbin/sh
>>     daemon:x:1:1::/:
>>     bin:x:2:2::/usr/bin:
>>     sys:x:3:3::/:
>>     adm:x:4:4:Admin:/var/adm:
>>     lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>     uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>     nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>     smmsp:x:25:25:SendMail Message Submission Program:/:
>>     listen:x:37:4:Network Admin:/usr/net/nls:
>>     gdm:x:50:50:GDM Reserved UID:/:
>>     webservd:x:80:80:WebServer Reserved UID:/:
>>     postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>     svctag:x:95:12:Service Tag UID:/:
>>     nobody:x:60001:60001:NFS Anonymous Access User:/:
>>     noaccess:x:60002:60002:No Access User:/:
>>     nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>     ramana:x:100:1::/export/home/ramana:/bin/sh
>>     teju:x:101:1::/export/home/teju:/bin/sh
>>     user1:x:102:1::/export/home/user1:/bin/sh
>>     ben:x:103:1::/home/ben:/bin/sh
>>
>>
>>     "you already have a "unix" ben and a "ADS" ben defined?"
>>
>>     Yes i defined the ben user in Unix and ADS...bcoz i don't have
>>     much knowledge about that sorry
>>
>>     Hope u will help me
>>     Thanks
>>     Ben.T.George
>>
>>
>>     On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>>     <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>>
>>
>>         disclaimer: I don't use Samba as an ADS member server.  I use
>>         samba as PDC with trusts to an ADS domain.  So my
>>         observations may not be valid.
>>
>>         Did you try updating nsswitch.conf
>>
>>
>>            passwd:     files winbind
>>            group:    files winbind
>>
>>
>>         If you are using a Windows domain and have a user defined in
>>         the domain, you generally don't want to add the user as a
>>         local user.   Since the underlying unix OS needs to know
>>         about the domain users you need to either use
>>         nsswitch+winbind (which I do) or the smb pam module (which I
>>         don't use, and not sure if it really is the correct approach.)
>>
>>         If you use nsswitch.conf+winbind you can then also OPTIONALLY
>>         allow "windows" users "unix" access like ssh.    My samba
>>         server is a PDC-  I have a domain trust with windows domains
>>         BUT  the default shell is "/bin/false."    (It is still a
>>         little flaky...)
>>
>>         Does "getent passwd" show the windows users?   It should show
>>         something like
>>
>>         ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>
>>         or
>>
>>         SRE+ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>
>>
>>
>>         It looks like you already have a "unix" ben and a "ADS" ben
>>         defined?
>>
>>         "wbinfo -s" and "wbinfo -n" are also useful for making sure
>>         that the name-to-sid and sid-to-name mappings are correct for
>>         domain users.
>>