[Samba] help with AD integration
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Sep 30 09:16:51 MDT 2010
So to clarify the customer has a Sun Solaris 10 UNIX machine and a Linux
workstation?
FOR SOLARIS
I had problems with getting nsswitch+winbind working with the samba from
sunfreeware- I had to recompile from scratch (major headache.) In
hindsight this may not have been necessary for winbind- although I had
to recompile anyway for ZFS support.
On Solaris, you should have a file called /usr/lib/nss_winbind.so.1 -
which is the nsswitch winbind library provided by the Samba that Sun
bundles with Solaris 10 (but this is Samba 3.0.x and too old to be much
use.)
In /usr/local/samba/lib - do you see an nss_winbind.so.1 file? How
is your PATH and LD_LIBRARY_PATH set- you want to make sure you are
using the /usr/local/samba/bin and /usr/local/samba/lib first.
If you run "truss getent passwd 2>&1 | tee log1.txt" you should see it
looking for nss_winbind.so.1 - ideally it will look in
/usr/local/samba/lib before /usr/lib. If it uses
/usr/lib/nss_winbind.so.1 that will probably NOT work. You may want to
rename that file just to make sure.
On 09/30/2010 10:57 AM, Ben George wrote:
>
> Sun Solaris 10 (under SPARC)
>
> local users in /etc/passwd
>
> samba 3.4.2 from sunfreeware.com <http://sunfreeware.com>
>
>
> getent passwd
>
> ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
>
> like this
>
> Thanks
> Ben.T.George
>
>
>
>
> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>
> Then it sounds like you need the AD integration. If the users
> also log in to the Linux workstation directly (or via ssh) then
> you will need to configure winbind and nsswitch to support Unix
> logins.
>
> Why does nsswitch.conf include ldap? Is this the only linux/unix
> machine? Are local users in ldap or /etc/passwd?
>
> What version of samba? What version of linux?
>
> Ideally "getent passwd" would show something like
>
> ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/tcsh
>
> or
>
> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>
>
>
> I don't think you need a huge amount of AD experience to make this
> work but I think you have to have a general understanding of what
> Windows domains are about.
>
> You should also review the smb.conf man page for the section on
> idmap_ad.
>
>
>
>
>
> On 09/30/2010 09:24 AM, Ben George wrote:
>>
>>
>> Thanks for your reply.
>>
>> Yes, my client told me like this, that's why, and the manager gave
>> that work to me, newly joined. :(
>>
>> I don't have any AD or core Unix experience; I have only
>> experience in Linux, not much.
>>
>> This project may affect my job. :(
>>
>> my nsswitch.conf
>>
>> passwd: files ldap winbind
>> group: files ldap winbind
>> hosts: dns files
>> ipnodes: dns files
>>
>>
>> "nsswitch+winbind (which I do) or the smb pam module"..? :(
>>
>> I don't know. My client's need is: he has a Linux machine and also
>> ADS. From the Unix machine, he wants to share secure folders to
>> the AD users, so each user can only access that particular
>> shared folder. When the password of a user is changed in AD, that will
>> affect the SMB password, meaning without changing that
>> particular user's SMB password on the Unix machine.
>>
>> For this need, which method is useful, from your experience?
>>
>> "Does "getent passwd" show the windows users?"
>>
>> Please check the output. I think getent passwd only shows Unix
>> system passwords.
>>
>> bash-3.00# getent passwd
>> root:x:0:0:Super-User:/:/sbin/sh
>> daemon:x:1:1::/:
>> bin:x:2:2::/usr/bin:
>> sys:x:3:3::/:
>> adm:x:4:4:Admin:/var/adm:
>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>> smmsp:x:25:25:SendMail Message Submission Program:/:
>> listen:x:37:4:Network Admin:/usr/net/nls:
>> gdm:x:50:50:GDM Reserved UID:/:
>> webservd:x:80:80:WebServer Reserved UID:/:
>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>> svctag:x:95:12:Service Tag UID:/:
>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>> noaccess:x:60002:60002:No Access User:/:
>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>> ramana:x:100:1::/export/home/ramana:/bin/sh
>> teju:x:101:1::/export/home/teju:/bin/sh
>> user1:x:102:1::/export/home/user1:/bin/sh
>> ben:x:103:1::/home/ben:/bin/sh
>>
>>
>> "you already have a "unix" ben and a "ADS" ben defined?"
>>
>> Yes, I defined the ben user in Unix and ADS, because I don't have
>> much knowledge about that, sorry.
>>
>> Hope you will help me
>> Thanks
>> Ben.T.George
>>
>>
>> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>>
>>
>> disclaimer: I don't use Samba as an ADS member server. I use
>> samba as PDC with trusts to an ADS domain. So my
>> observations may not be valid.
>>
>> Did you try updating nsswitch.conf
>>
>>
>> passwd: files winbind
>> group: files winbind
>>
>>
>> If you are using a Windows domain and have a user defined in
>> the domain, you generally don't want to add the user as a
>> local user. Since the underlying unix OS needs to know
>> about the domain users you need to either use
>> nsswitch+winbind (which I do) or the smb pam module (which I
>> don't use, and not sure if it really is the correct approach.)
>>
>> If you use nsswitch.conf+winbind you can then also OPTIONALLY
>> allow "windows" users "unix" access like ssh. My samba
>> server is a PDC- I have a domain trust with windows domains
>> BUT the default shell is "/bin/false." (It is still a
>> little flaky...)
>>
>> Does "getent passwd" show the windows users? It should show
>> something like
>>
>> ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>
>> or
>>
>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>
>>
>>
>> It looks like you already have a "unix" ben and a "ADS" ben
>> defined?
>>
>> "wbinfo -s" and "wbinfo -n" are also useful for making sure
>> that the name-to-sid and sid-to-name mappings are correct for
>> domain users.
>>
>
>
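As an added, offline check that is not part of the thread: the POSIX shell helpers below test the three things asked about above (whether nsswitch.conf lists winbind after files, which nss_winbind.so.1 the dynamic linker actually opened according to a truss log, and whether "getent passwd" returns any domain users). The nsswitch.conf, truss excerpt and getent output embedded here are constructed samples modelled on the thread, not real captures; the "+" winbind separator and the 10000-20000 idmap range are assumptions, not settings from the thread.

```shell
#!/bin/sh
# Offline helpers for checking winbind/nsswitch wiring from captured text.
# Added example, not code from the Samba thread. Inputs are files captured on
# the host: nsswitch.conf, the log of "truss getent passwd 2>&1" (Solaris) or
# "strace -f -e trace=open getent passwd" (Linux), and "getent passwd" output.

# Print the source list for one nsswitch database, e.g. "files ldap winbind".
nss_sources() {            # $1 = nsswitch.conf, $2 = database (passwd, group, ...)
  awk -v db="$2:" '$1 == db { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Succeed only if winbind is listed for the database and "files" precedes it,
# so local accounts keep resolving when winbindd is down.
nss_has_winbind() {        # $1 = nsswitch.conf, $2 = database
  case " $(nss_sources "$1" "$2") " in
    *" files "*" winbind "*) return 0 ;;
    *)                       return 1 ;;
  esac
}

# Print the nss_winbind.so.1 path that the dynamic linker opened successfully.
# A failed truss open() line ends in "Err#2 ENOENT"; a successful one in "= <fd>".
loaded_winbind_lib() {     # $1 = truss/strace log
  sed -n 's/^open[0-9]*("\([^"]*nss_winbind\.so\.1\)".*) = [0-9][0-9]*$/\1/p' "$1" | head -n 1
}

# Print getent entries that look like domain users: the name contains the
# (assumed) winbind separator "+" or the UID lies in the (assumed) idmap range.
domain_entries() {         # $1 = getent passwd output, $2 = idmap low, $3 = idmap high
  awk -F: -v lo="$2" -v hi="$3" 'index($1, "+") > 0 || ($3 >= lo && $3 <= hi)' "$1"
}

# Constructed sample input modelled on the thread (not real captures).
make_samples() {
  d=$(mktemp -d) || return 1
  cat >"$d/nsswitch.conf" <<'EOF'
passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
EOF
  # Samba's own library is missing, so the linker falls back to the Sun-bundled one.
  cat >"$d/truss.log" <<'EOF'
open("/usr/local/samba/lib/nss_winbind.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/nss_winbind.so.1", O_RDONLY) = 3
EOF
  cat >"$d/getent.txt" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
ben:x:103:1::/home/ben:/bin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
SRE+ben:*:10001:10001:Ben George:/export/home/SRE/ben:/bin/bash
SRE+teju:*:10002:10001:Teju:/export/home/SRE/teju:/bin/false
EOF
  echo "$d"
}

# Summarise one host's captures.
report() {                 # $1 = directory holding nsswitch.conf, truss.log, getent.txt
  echo "passwd sources: $(nss_sources "$1/nsswitch.conf" passwd)"
  if nss_has_winbind "$1/nsswitch.conf" passwd; then
    echo "winbind is consulted after files: OK"
  else
    echo "winbind missing or listed before files: FIX nsswitch.conf"
  fi
  lib=$(loaded_winbind_lib "$1/truss.log")
  case "$lib" in
    /usr/local/samba/*) echo "loaded $lib (Samba's own build): OK" ;;
    /usr/lib/*)         echo "loaded $lib (Sun-bundled 3.0.x library): likely will NOT work" ;;
    *)                  echo "no nss_winbind.so.1 was opened at all" ;;
  esac
  n=$(domain_entries "$1/getent.txt" 10000 20000 | wc -l | tr -d ' ')
  echo "domain users visible to getent: $n"
}

samples=$(make_samples)
report "$samples"
rm -rf "$samples"
```

On a real host, point report at a directory holding the three captured files; the truss check is the one that catches the case described above, where /usr/local/samba/lib is not searched first and the old /usr/lib/nss_winbind.so.1 gets loaded instead.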