[Samba] help with AD integration

Ben George bentech4you at gmail.com
Thu Sep 30 10:14:23 MDT 2010


yes client has Solaris and a windows xp machine under the AD domain

yes i exported the paths to the newly installed /usr/local/samba/lib

me using the new packahes and disabled the default packages


On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com>wrote:

>  So to clarify the customer has a Sun Solaris 10 UNIX machine and a Linux
> workstation?
>
> FOR SOLARIS
>
> I had problems with getting nsswitch+winbind working with the samba from
> sunfreeware-  I had to recompile from scratch (major headache.)   In
> hindsight this may not have been necessary for winbind-  although I had to
> recompile anyway for ZFS support.
>
> On solaris, you should have a file called /usr/lib/nss_winbind.so.1 -
> which is the nsswitcher winbind library provided by the samba that sun
> bundles with solaris 10 (but this is samba 3.0.x and too old to be much
> use.)
>
> In /usr/local/samba/lib -  do you see an nss_winbind.so.1 file?    How is
> your PATH and LD_LIBRARY_PATH set-  you want to make sure you are using the
> /usr/local/samba/bin and /usr/local/samba/lib first.
>
> If you run "truss getent passwd | tee log1.txt"  you should see it looking
> for nss_winbind.so.1 -  ideally it will look in /usr/local/samba/lib before
> /usr/lib.  If it uses /usr/lib/nss_winbind.so.1 that will probably NOT
> work.  You may want to rename that file just to make sure.
>
>
>
>
>
>
> On 09/30/2010 10:57 AM, Ben George wrote:
>
>
> Sun Solaris 10 (under SPARC)
>
> local users in /etc/passwd
>
> samba 3.4.2 from sunfreeware.com
>
>
> getent passwd
>
> *ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
>
> *like this*
>
> **
> *Thanks
> Ben.T.George*
> *
>
>
>
>
> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal <
> gaiseric.vandal at gmail.com> wrote:
>
>> Then it sounds like you need the AD integration.  If the user's also login
>> to the linux workstation directly  (or via ssh) then you will need to
>> configure winbind and nsswitch to support unix logins.
>>
>> Why does nsswitch.conf include ldap?  Is this the only linux/unix
>> machine?  Are local users in ldap or /etc/passwd?
>>
>> What version of samba?   What version of linux?
>>
>> Ideally "getent passwd" woudl show something like
>>
>>
>>
>> ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh
>>
>> or
>>
>> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>
>>
>>
>> I don't think you need a huge amount of AD experience to make this work
>> but I think you have to have general understanding of what WIndows domains
>> are about.
>>
>> You should also review the smb.conf man page for the section on idmap_ad.
>>
>>
>>
>>
>>
>>
>> On 09/30/2010 09:24 AM, Ben George wrote:
>>
>>
>>
>> Thanks for your replay..
>>
>> yes my client told me like this that's Y..and the manager gave that work
>> to newly joined me.. :(
>>
>> i don't have any AD and core unix experience..i have only experience in
>> linux.not much
>>
>> may this project will affect my job..  :(
>>
>> my nsswitch.conf
>>
>> *passwd:     files ldap winbind
>> group:      files ldap winbind
>> hosts:      dns files
>> ipnodes:    dns files*
>>
>>
>> "*nsswitch+winbind (which I do) or the smb pam module*"..? :(
>>
>>  i don't know..my client's need is he has a linux machine..also a
>> ADS..from the unix machine, he want to share secure folder's to the AD
>> user's..so eash user can only access that particular shared folder..when the
>> password of user changed in AD, that will affect to the smbpassword...means
>> without changing that particular user's smb password in the unix machine..
>>
>> for this need which method is useful..from your experience
>>
>> "*Does "getent passwd" show the windows users?*"
>>
>> please check the output ..i think getent password only shows unix system
>> password
>>
>> *bash-3.00# getent passwd
>> root:x:0:0:Super-User:/:/sbin/sh
>> daemon:x:1:1::/:
>> bin:x:2:2::/usr/bin:
>> sys:x:3:3::/:
>> adm:x:4:4:Admin:/var/adm:
>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>> smmsp:x:25:25:SendMail Message Submission Program:/:
>> listen:x:37:4:Network Admin:/usr/net/nls:
>> gdm:x:50:50:GDM Reserved UID:/:
>> webservd:x:80:80:WebServer Reserved UID:/:
>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>> svctag:x:95:12:Service Tag UID:/:
>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>> noaccess:x:60002:60002:No Access User:/:
>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>> ramana:x:100:1::/export/home/ramana:/bin/sh
>> teju:x:101:1::/export/home/teju:/bin/sh
>> user1:x:102:1::/export/home/user1:/bin/sh
>> ben:x:103:1::/home/ben:/bin/sh*
>>
>>
>> "you already have a "unix" ben and a "ADS" ben defined?"
>>
>> Yes i defined the ben user in Unix and ADS...bcoz i don't have much
>> knowledge about that sorry
>>
>> Hope u will help me
>> Thanks
>> Ben.T.George
>>
>>
>> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal <
>> gaiseric.vandal at gmail.com> wrote:
>>
>>>
>>> disclaimer: I don't use Samba as an ADS member server.  I use samba as
>>> PDC with trusts to an ADS domain.  So my observations may not be valuid.
>>>
>>> Did you try updating nsswitch.conf
>>>
>>>
>>>    passwd:     files winbind
>>>    group:    files winbind
>>>
>>>
>>> If you are using a Windows domain and have a user defined in the domain,
>>> you generally don't want to add the user as a local user.   Since the
>>> underlying unix OS needs to know about the domain users you need to either
>>> use nsswitch+winbind (which I do) or the smb pam module (which I don't use,
>>> and not sure if it really is the correct approach.)
>>>
>>> If you use nsswitch.conf+winbind you can then also OPTIONALLY allow
>>> "windows" users "unix" access like ssh.    My samba server is a PDC-  I have
>>> a domain trust with windows domains BUT  the default shell is "/bin/false."
>>>    (It is still a little flaky...)
>>>
>>> Does "getent passwd" show the windows users?   It should show something
>>> like
>>>
>>> ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>>
>>> or
>>>
>>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>>
>>>
>>>
>>> It looks like = you already have a "unix" ben and a "ADS" ben defined?
>>>
>>> "wbinfo -s" and "wbinfo -n" are also useful for making sure that the
>>> name-to-sid and sid-to-name mappings are correct for domain users.
>>>
>>
>>
>
>


More information about the samba mailing list