[Samba] help with AD integration

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Sep 30 13:16:09 MDT 2010


Hi

Please clarify the following
  -  Did you run the "truss getent passwd" command and look for lines with
nss_winbind, just in case it is looking for a file with a different
version?
  -  Why does nsswitch.conf have ldap references? Are you using ldap?


You should also look through the samba logs-  it may provide some 
information.


On 09/30/2010 12:14 PM, Ben George wrote:
>
>
>
> Yes, the client has a Solaris and a Windows XP machine under the AD domain.
>
> Yes, I exported the paths to the newly installed /usr/local/samba/lib.
>
> I am using the new packages and have disabled the default packages.
>
>
> On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal 
> <gaiseric.vandal at gmail.com> wrote:
>
>     So to clarify the customer has a Sun Solaris 10 UNIX machine and a
>     Linux workstation?
>
>     FOR SOLARIS
>
>     I had problems with getting nsswitch+winbind working with the
>     samba from sunfreeware-  I had to recompile from scratch (major
>     headache.)   In hindsight this may not have been necessary for
>     winbind-  although I had to recompile anyway for ZFS support.
>
>     On solaris, you should have a file called
>     /usr/lib/nss_winbind.so.1 -  which is the nsswitch winbind
>     library provided by the samba that sun bundles with solaris 10
>     (but this is samba 3.0.x and too old to be much use.)
>
>     In /usr/local/samba/lib -  do you see an nss_winbind.so.1 file?   
>     How is your PATH and LD_LIBRARY_PATH set-  you want to make sure
>     you are using the /usr/local/samba/bin and /usr/local/samba/lib
>     first.
>
>     If you run "truss getent passwd | tee log1.txt"  you should see it
>     looking for nss_winbind.so.1 -  ideally it will look in
>     /usr/local/samba/lib before /usr/lib.  If it uses
>     /usr/lib/nss_winbind.so.1 that will probably NOT work.  You may
>     want to rename that file just to make sure.
>
>
>
>
>
>
>     On 09/30/2010 10:57 AM, Ben George wrote:
>>
>>     Sun Solaris 10 (under SPARC)
>>
>>     local users in /etc/passwd
>>
>>     samba 3.4.2 from sunfreeware.com
>>
>>
>>     getent passwd
>>
>>     ramana:x:100:1::/export/home/ramana:/bin/sh
>>     teju:x:101:1::/export/home/teju:/bin/sh
>>     user1:x:102:1::/export/home/user1:/bin/sh
>>     ben:x:103:1::/home/ben:/bin/sh
>>
>>     like this
>>
>>     Thanks
>>     Ben.T.George
>>
>>
>>
>>
>>     On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
>>     <gaiseric.vandal at gmail.com> wrote:
>>
>>         Then it sounds like you need the AD integration.  If the
>>         users also log in to the linux workstation directly (or via
>>         ssh) then you will need to configure winbind and nsswitch to
>>         support unix logins.
>>
>>         Why does nsswitch.conf include ldap?  Is this the only
>>         linux/unix machine?  Are local users in ldap or /etc/passwd?
>>
>>         What version of samba?   What version of linux?
>>
>>         Ideally "getent passwd" would show something like
>>
>>
>>
>>         ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:/bin/tcsh
>>
>>         or
>>
>>         SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>
>>
>>
>>         I don't think you need a huge amount of AD experience to make
>>         this work but I think you have to have a general understanding
>>         of what Windows domains are about.
>>
>>         You should also review the smb.conf man page for the section
>>         on idmap_ad.
>>
>>
>>
>>
>>
>>         On 09/30/2010 09:24 AM, Ben George wrote:
>>>
>>>
>>>         Thanks for your reply.
>>>
>>>         Yes, my client told me like this, that's why, and the manager
>>>         gave that work to me, having newly joined. :(
>>>
>>>         I don't have any AD or core Unix experience; I only have
>>>         experience in Linux, and not much.
>>>
>>>         This project may affect my job. :(
>>>
>>>         my nsswitch.conf
>>>
>>>         passwd:     files ldap winbind
>>>         group:      files ldap winbind
>>>         hosts:      dns files
>>>         ipnodes:    dns files
>>>
>>>
>>>         "nsswitch+winbind (which I do) or the smb pam module"..? :(
>>>
>>>         I don't know. My client's need is: he has a Linux machine
>>>         and also an ADS. From the Unix machine, he wants to share
>>>         secure folders with the AD users, so each user can only
>>>         access that particular shared folder. When the password of a
>>>         user is changed in AD, that should affect the smbpassword,
>>>         meaning without changing that particular user's smb password
>>>         on the Unix machine.
>>>
>>>         For this need, which method is useful, from your experience?
>>>
>>>         "Does "getent passwd" show the windows users?"
>>>
>>>         Please check the output. I think getent passwd only shows
>>>         Unix system passwords.
>>>
>>>         bash-3.00# getent passwd
>>>         root:x:0:0:Super-User:/:/sbin/sh
>>>         daemon:x:1:1::/:
>>>         bin:x:2:2::/usr/bin:
>>>         sys:x:3:3::/:
>>>         adm:x:4:4:Admin:/var/adm:
>>>         lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>>         uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>>         nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>>         smmsp:x:25:25:SendMail Message Submission Program:/:
>>>         listen:x:37:4:Network Admin:/usr/net/nls:
>>>         gdm:x:50:50:GDM Reserved UID:/:
>>>         webservd:x:80:80:WebServer Reserved UID:/:
>>>         postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>>         svctag:x:95:12:Service Tag UID:/:
>>>         nobody:x:60001:60001:NFS Anonymous Access User:/:
>>>         noaccess:x:60002:60002:No Access User:/:
>>>         nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>>         ramana:x:100:1::/export/home/ramana:/bin/sh
>>>         teju:x:101:1::/export/home/teju:/bin/sh
>>>         user1:x:102:1::/export/home/user1:/bin/sh
>>>         ben:x:103:1::/home/ben:/bin/sh
>>>
>>>
>>>         "You already have a "unix" ben and a "ADS" ben defined?"
>>>
>>>         Yes, I defined the ben user in Unix and ADS, because I don't
>>>         have much knowledge about that, sorry.
>>>
>>>         Hope you will help me.
>>>         Thanks
>>>         Ben.T.George
>>>
>>>
>>>         On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>>>         <gaiseric.vandal at gmail.com> wrote:
>>>
>>>
>>>             disclaimer: I don't use Samba as an ADS member server.
>>>             I use samba as PDC with trusts to an ADS domain.  So my
>>>             observations may not be valid.
>>>
>>>             Did you try updating nsswitch.conf
>>>
>>>
>>>                passwd:     files winbind
>>>                group:    files winbind
>>>
>>>
>>>             If you are using a Windows domain and have a user
>>>             defined in the domain, you generally don't want to add
>>>             the user as a local user.   Since the underlying unix OS
>>>             needs to know about the domain users you need to either
>>>             use nsswitch+winbind (which I do) or the smb pam module
>>>             (which I don't use, and not sure if it really is the
>>>             correct approach.)
>>>
>>>             If you use nsswitch.conf+winbind you can then also
>>>             OPTIONALLY allow "windows" users "unix" access like ssh.
>>>                My samba server is a PDC-  I have a domain trust with
>>>             windows domains BUT  the default shell is "/bin/false."
>>>                (It is still a little flaky...)
>>>
>>>             Does "getent passwd" show the windows users?   It should
>>>             show something like
>>>
>>>             ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>
>>>             or
>>>
>>>             SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>
>>>
>>>
>>>             It looks like you already have a "unix" ben and an
>>>             "ADS" ben defined?
>>>
>>>             "wbinfo -s" and "wbinfo -n" are also useful for making
>>>             sure that the name-to-sid and sid-to-name mappings are
>>>             correct for domain users.
>>>
>>
>>
>
>
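The thread asks two concrete diagnostic questions: whether nsswitch.conf lists winbind (and whether a stray ldap entry sits in front of it), and which nss_winbind.so.1 the loader actually picks up when "truss getent passwd" runs. The script below is an added example written for this page; it is not code from any participant in the thread or from the Samba project. All three inputs (the nsswitch.conf excerpt, the truss excerpt and the getent output) are constructed samples, and the shape of the truss stat()/open() lines is an assumption about what the trace looks like, so adapt the regular expression to the real log. The getent check also flags the "two bens" situation from the thread: a name that exists both as a local account and as a winbind domain account.

```python
"""Offline checks for the winbind/nsswitch questions raised in the thread.
All sample inputs are constructed for illustration, not taken from a real host."""
import re

# Constructed nsswitch.conf excerpt: the ordering Ben posted, with ldap before winbind
NSSWITCH_SAMPLE = """\
passwd:     files ldap winbind
group:      files ldap winbind
hosts:      dns files
ipnodes:    dns files
"""

# Constructed truss excerpt (assumed format): the loader tries the samba lib dir,
# gets ENOENT (Err#2), then succeeds on the old bundled copy under /usr/lib.
TRUSS_SAMPLE = """\
stat("/usr/local/samba/lib/nss_winbind.so.1", 0xFFBFE3C8) Err#2 ENOENT
stat("/usr/lib/nss_winbind.so.1", 0xFFBFE3C8) = 0
open("/usr/lib/nss_winbind.so.1", O_RDONLY) = 3
"""

# Constructed getent passwd output: local users plus one winbind domain user
GETENT_SAMPLE = """\
root:x:0:0:Super-User:/:/sbin/sh
ben:x:103:1::/home/ben:/bin/sh
SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} for every 'db: src src' line, ignoring comments."""
    db = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        name, sources = line.split(':', 1)
        db[name.strip()] = sources.split()
    return db


def nsswitch_findings(text, databases=('passwd', 'group')):
    """Report, per database, whether winbind is missing or shadowed by an ldap source."""
    db = parse_nsswitch(text)
    findings = []
    for name in databases:
        sources = db.get(name, [])
        if 'winbind' not in sources:
            findings.append(f"{name}: winbind is not listed")
        elif 'ldap' in sources and sources.index('ldap') < sources.index('winbind'):
            findings.append(f"{name}: ldap is consulted before winbind; "
                            "remove ldap unless a directory is actually in use")
    return findings


def winbind_library_used(truss_text):
    """Path of the nss_winbind.so.1 that open() actually succeeded on, or None.
    A successful open shows '= <fd>'; failed lookups show 'Err#...' and are skipped."""
    for line in truss_text.splitlines():
        m = re.match(r'open\("([^"]*nss_winbind\.so\.1)",[^)]*\)\s*=\s*\d+', line)
        if m:
            return m.group(1)
    return None


def library_path_ok(path, expected_dir='/usr/local/samba/lib'):
    """True only if the library came from the freshly installed samba tree."""
    return path is not None and path.startswith(expected_dir + '/')


def parse_getent(text):
    """Split passwd-style lines into dicts; lines without 7 fields are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) == 7:
            entries.append({'name': fields[0], 'pw': fields[1], 'uid': int(fields[2]),
                            'home': fields[5], 'shell': fields[6]})
    return entries


def domain_users(entries, separator='+'):
    """Winbind users carry the winbind separator (DOMAIN+user by default) in the name."""
    return [e['name'] for e in entries if separator in e['name']]


def duplicate_names(entries, separator='+'):
    """Names defined both locally and in the domain (the 'unix ben' vs 'ADS ben' problem)."""
    local = {e['name'] for e in entries if separator not in e['name']}
    domain = {e['name'].split(separator, 1)[1] for e in entries if separator in e['name']}
    return sorted(local & domain)


if __name__ == '__main__':
    for finding in nsswitch_findings(NSSWITCH_SAMPLE):
        print('nsswitch:', finding)
    lib = winbind_library_used(TRUSS_SAMPLE)
    print('nss_winbind loaded from:', lib, '(ok)' if library_path_ok(lib) else '(wrong tree)')
    entries = parse_getent(GETENT_SAMPLE)
    print('domain users:', domain_users(entries))
    print('defined both locally and in the domain:', duplicate_names(entries))
```

Run it as-is to see the three findings on the constructed samples; on a real host, feed it the actual /etc/nsswitch.conf, the log1.txt captured from "truss getent passwd | tee log1.txt", and the output of "getent passwd". The separator defaults to "+" because that is what the thread's SRE+ben examples use; if smb.conf sets a different "winbind separator", pass it explicitly.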
