[Samba] Issues With User Info and Authentication
Wojtak, Greg
GregWojtak at quickenloans.com
Thu Sep 1 07:11:31 MDT 2011
Hello,
I'm new to the list and hope this is the appropriate place to post this
type of question. We've got our environment set up where all of our Unix
and Linux hosts get user information and perform authentication against an
LDAP directory. I am working on a project to migrate these hosts to
instead authenticate against our Active Directory environment (Win 2k8
R2). So far, I've been able to get direct LDAP authentication working
against AD, but I'd like to use winbind instead. I've been working with
our CentOS Linux hosts first. Since the POSIX attributes are already
populated on the AD objects (the ones that need them, anyways), I'd like
to configure winbind to pull that information from AD where available.
CentOS 5 (samba 3.0.33) seems to work as advertised; I'm able to join the
domain and get user information just fine. CentOS 6, however, is giving
me fits. The samba packages installed are version 3.5.4.
Here is the data I've observed:
- Joining to domain works properly
- wbinfo -u brings back a full list of all domain users
- wbinfo -g brings back a full list of all domain groups
- wbinfo -n testerx returns the appropriate SID
- wbinfo -U <numeric uid> returns the same SID
- wbinfo -S <SID> returns the appropriate numeric uid
- wbinfo -i testerx returns 'Could not get info for user testerx'
- getent passwd returns only local accounts
- getent group returns only local groups
- I've verified that winbind is in the nsswitch.conf
I've got the following in my [global] section in my smb.conf:
workgroup = MYDOMAIN
password server = mydc.mydomain.com
realm = MYDOMAIN.COM
security = ads
idmap backend = ad
idmap uid = 1000-2147483647
idmap gid = 1000-2147483647
idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 1000-2147483647
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:readonly = yes
winbind nss info = rfc2307
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = no
encrypt passwords = yes
log level = 7 passdb:2 auth:10 winbind:10 tdb:10 idmap:10
winbind trusted domains only = no
client use spnego = yes
allow trusted domains = no
I've tried (rather randomly) changing some of the values of the latter
entries as well as the value of the idmap backend parameter to use tdb
while specifying the config for MYDOMAIN to use ad backend. I'm rather
stumped at this point. I've Googled around and it seems I'm not the only
one having issues, but nobody seems to have posted a solution.
Does anyone have any ideas? Am I hitting a bug in the Cent 6 package that
has nothing to do with my config? Is there something potentially screwy
with AD (I've mostly ruled this possibility out due to the fact that the
Cent 5 hosts are working fine)?
Any help is appreciated!
Thanks!
Greg
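As an added example (not from the original post and not Samba's own code): a small Python checker that parses the [global] section of an smb.conf and flags idmap/winbind combinations that commonly leave `wbinfo -i` and `getent passwd` without results, such as an `ad` backend without a range or without `winbind nss info = rfc2307`, and idmap ranges that overlap between domains. The sample text is constructed from the quoted config; the checks are the author's assumptions about sensible settings, not an authoritative Samba validator.

```python
import re

# Constructed sample modelled on the [global] section quoted in the post.
SAMPLE_SMBCONF = """
[global]
security = ads
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 1000-2147483647
idmap config MYDOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
"""

def parse_global(text):
    """Return {key: value} for [global]; keys are lower-cased and whitespace
    normalised so 'idmap config X : range' equals 'idmap config X:range'."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[key] = val.strip()
    return conf

def lint_idmap(conf):
    """Return a list of findings about per-domain idmap settings."""
    findings, ranges = [], {}
    for key, backend in conf.items():
        m = re.match(r"idmap config ([^:]+):backend$", key)
        if not m:
            continue
        dom = m.group(1)
        rng = conf.get(f"idmap config {dom}:range")
        if rng is None:
            findings.append(f"{dom}: backend={backend} but no range configured")
            continue
        try:
            lo, hi = (int(x) for x in rng.split("-", 1))
        except ValueError:
            findings.append(f"{dom}: range '{rng}' is not LOW-HIGH")
            continue
        if lo >= hi:
            findings.append(f"{dom}: range low {lo} is not below high {hi}")
        ranges[dom] = (lo, hi)
        # Default for 'winbind nss info' is template: shell/home then come from
        # 'template shell'/'template homedir', not from the AD RFC2307 attributes.
        if backend == "ad" and conf.get("winbind nss info", "template") == "template":
            findings.append(f"{dom}: backend=ad but 'winbind nss info' is template")
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # Samba requires non-overlapping domain ranges
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings
```

Run `lint_idmap(parse_global(open("/etc/samba/smb.conf").read()))` on a host to get the findings list; an empty list means none of these particular checks fired.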