[Samba] help with AD integration
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Sep 30 13:16:09 MDT 2010
Hi
Please clarify the following
- Did you run "truss getent passwd" command and look for lines with
nss_winbind- just in case it is looking for a file with a different
version.
- Why does nsswitch.conf have ldap references- are you using ldap?
You should also look through the samba logs- it may provide some
information.
On 09/30/2010 12:14 PM, Ben George wrote:
>
>
>
> Yes, the client has Solaris and a Windows XP machine under the AD domain
>
> Yes, I exported the paths to the newly installed /usr/local/samba/lib
>
> I am using the new packages and disabled the default packages
>
>
> On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com> wrote:
>
> So to clarify the customer has a Sun Solaris 10 UNIX machine and a
> Linux workstation?
>
> FOR SOLARIS
>
> I had problems with getting nsswitch+winbind working with the
> samba from sunfreeware- I had to recompile from scratch (major
> headache.) In hindsight this may not have been necessary for
> winbind- although I had to recompile anyway for ZFS support.
>
> On solaris, you should have a file called
> /usr/lib/nss_winbind.so.1 - which is the nsswitcher winbind
> library provided by the samba that sun bundles with solaris 10
> (but this is samba 3.0.x and too old to be much use.)
>
> In /usr/local/samba/lib - do you see an nss_winbind.so.1 file?
> How is your PATH and LD_LIBRARY_PATH set- you want to make sure
> you are using the /usr/local/samba/bin and /usr/local/samba/lib
> first.
>
> If you run "truss getent passwd | tee log1.txt" you should see it
> looking for nss_winbind.so.1 - ideally it will look in
> /usr/local/samba/lib before /usr/lib. If it uses
> /usr/lib/nss_winbind.so.1 that will probably NOT work. You may
> want to rename that file just to make sure.
>
>
>
>
>
>
> On 09/30/2010 10:57 AM, Ben George wrote:
>>
>> Sun Solaris 10 (under SPARC)
>>
>> local users in /etc/passwd
>>
>> samba 3.4.2 from sunfreeware.com
>>
>>
>> getent passwd
>>
>> ramana:x:100:1::/export/home/ramana:/bin/sh
>> teju:x:101:1::/export/home/teju:/bin/sh
>> user1:x:102:1::/export/home/user1:/bin/sh
>> ben:x:103:1::/home/ben:/bin/sh
>>
>> like this
>>
>> Thanks
>> Ben.T.George
>>
>>
>>
>>
>> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>
>> Then it sounds like you need the AD integration. If the
>> users also log in to the linux workstation directly (or via
>> ssh) then you will need to configure winbind and nsswitch to
>> support unix logins.
>>
>> Why does nsswitch.conf include ldap? Is this the only
>> linux/unix machine? Are local users in ldap or /etc/passwd?
>>
>> What version of samba? What version of linux?
>>
>> Ideally "getent passwd" would show something like
>>
>>
>>
>> ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/tcsh
>>
>> or
>>
>> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>
>>
>>
>> I don't think you need a huge amount of AD experience to make
>> this work but I think you have to have general understanding
>> of what Windows domains are about.
>>
>> You should also review the smb.conf man page for the section
>> on idmap_ad.
>>
>>
>>
>>
>>
>> On 09/30/2010 09:24 AM, Ben George wrote:
>>>
>>>
>>> Thanks for your reply..
>>>
>>> yes my client told me like this that's Y..and the manager
>>> gave that work to newly joined me.. :(
>>>
>>> I don't have any AD and core unix experience.. I have only
>>> experience in linux, not much
>>>
>>> may this project will affect my job.. :(
>>>
>>> my nsswitch.conf
>>>
>>> passwd: files ldap winbind
>>> group: files ldap winbind
>>> hosts: dns files
>>> ipnodes: dns files
>>>
>>>
>>> "nsswitch+winbind (which I do) or the smb pam module"..? :(
>>>
>>> I don't know.. my client's need is he has a linux
>>> machine.. also an ADS.. from the unix machine, he wants to share
>>> secure folders to the AD users.. so each user can only
>>> access that particular shared folder.. when the password of
>>> user changed in AD, that will affect to the
>>> smbpassword... means without changing that particular user's
>>> smb password in the unix machine..
>>>
>>> for this need which method is useful..from your experience
>>>
>>> "Does "getent passwd" show the windows users?"
>>>
>>> please check the output ..i think getent password only shows
>>> unix system password
>>>
>>> bash-3.00# getent passwd
>>> root:x:0:0:Super-User:/:/sbin/sh
>>> daemon:x:1:1::/:
>>> bin:x:2:2::/usr/bin:
>>> sys:x:3:3::/:
>>> adm:x:4:4:Admin:/var/adm:
>>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>> smmsp:x:25:25:SendMail Message Submission Program:/:
>>> listen:x:37:4:Network Admin:/usr/net/nls:
>>> gdm:x:50:50:GDM Reserved UID:/:
>>> webservd:x:80:80:WebServer Reserved UID:/:
>>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>> svctag:x:95:12:Service Tag UID:/:
>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>> noaccess:x:60002:60002:No Access User:/:
>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>> teju:x:101:1::/export/home/teju:/bin/sh
>>> user1:x:102:1::/export/home/user1:/bin/sh
>>> ben:x:103:1::/home/ben:/bin/sh
>>>
>>>
>>> "you already have a "unix" ben and a "ADS" ben defined?"
>>>
>>> Yes, I defined the ben user in Unix and ADS... because I don't
>>> have much knowledge about that, sorry
>>>
>>> Hope you will help me
>>> Thanks
>>> Ben.T.George
>>>
>>>
>>> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com> wrote:
>>>
>>>
>>> disclaimer: I don't use Samba as an ADS member server.
>>> I use samba as PDC with trusts to an ADS domain. So my
>>> observations may not be valid.
>>>
>>> Did you try updating nsswitch.conf
>>>
>>>
>>> passwd: files winbind
>>> group: files winbind
>>>
>>>
>>> If you are using a Windows domain and have a user
>>> defined in the domain, you generally don't want to add
>>> the user as a local user. Since the underlying unix OS
>>> needs to know about the domain users you need to either
>>> use nsswitch+winbind (which I do) or the smb pam module
>>> (which I don't use, and not sure if it really is the
>>> correct approach.)
>>>
>>> If you use nsswitch.conf+winbind you can then also
>>> OPTIONALLY allow "windows" users "unix" access like ssh.
>>> My samba server is a PDC- I have a domain trust with
>>> windows domains BUT the default shell is "/bin/false."
>>> (It is still a little flaky...)
>>>
>>> Does "getent passwd" show the windows users? It should
>>> show something like
>>>
>>> ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>
>>> or
>>>
>>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>
>>>
>>>
>>> It looks like you already have a "unix" ben and a
>>> "ADS" ben defined?
>>>
>>> "wbinfo -s" and "wbinfo -n" are also useful for making
>>> sure that the name-to-sid and sid-to-name mappings are
>>> correct for domain users.
>>>
>>
>>
>
>
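An added example, not part of the original thread: the two checks discussed above (winbind listed in nsswitch.conf, and which nss_winbind.so.1 the truss trace shows being opened) as one script. The function names and the sample nsswitch.conf and truss lines are constructed for illustration; a real trace is assumed to have been saved to a file first.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.
# On Solaris, set AWK=nawk: the legacy /usr/bin/awk lacks the -v option.
AWK=${AWK:-awk}

# Succeed if database $2 (passwd, group) in nsswitch file $1 lists winbind.
nss_uses_winbind() {
    "$AWK" -v db="$2:" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Print the first nss_winbind.so.1 path whose open() in truss log $1 returned
# a file descriptor ("= N"); failed attempts end in "Err#..." and are skipped.
loaded_nss_winbind() {
    sed -n 's/^.*open[0-9]*("\([^"]*nss_winbind\.so\.1\)".*= *[0-9][0-9]* *$/\1/p' "$1" |
        head -1
}

# $1 = nsswitch.conf, $2 = truss log, $3 = directory the library should load from
check_winbind_nss() {
    for db in passwd group; do
        nss_uses_winbind "$1" "$db" || { echo "FAIL: $db: no winbind source"; return 1; }
    done
    lib=$(loaded_nss_winbind "$2")
    case "$lib" in
        "")     echo "FAIL: nss_winbind.so.1 was never opened"; return 1 ;;
        "$3"/*) echo "OK: loaded $lib" ;;
        *)      echo "FAIL: loaded $lib, expected a copy under $3"; return 1 ;;
    esac
}

# Constructed sample: the new library is not found, so the bundled one loads.
make_samples() {
    printf 'passwd: files winbind\ngroup: files winbind\nhosts: dns files\n' \
        > "$1/nsswitch.conf"
    printf '%s\n' \
        'open("/usr/local/samba/lib/nss_winbind.so.1", O_RDONLY)  Err#2 ENOENT' \
        'open("/usr/lib/nss_winbind.so.1", O_RDONLY)              = 4' \
        > "$1/truss.log"
}

d=$(mktemp -d) && make_samples "$d"
check_winbind_nss "$d/nsswitch.conf" "$d/truss.log" /usr/local/samba/lib || true
```

On the constructed sample the script reports that /usr/lib/nss_winbind.so.1 was loaded, which is the case the thread says will probably not work with the newer Samba.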