[Samba] Winbind and nss-ldap

Harry Jede walk2sun at arcor.de
Fri Oct 19 10:09:41 UTC 2018


On Wednesday, 3 October 2018, 16:01:29 CEST, Rob Thoman via samba wrote:
> Hi Guys,
> 
> Have some issues with winbind and nss-ldap in LDAP based NT4
> BDC/fileserver
> 
> The DC has the LDAP server role and the BDC connects to it for
> authentication.
> 
> smb.conf of the BDC
> 
>     netbios name = TRAC5
>     local master = no
>     domain master = no
>     preferred master = no
>     domain logons = no
MUST be yes. Read: man smb.conf

>  passdb backend = ldapsam:ldap://trac15.ste.com
>   ldap admin dn = cn=admin,dc=ste,d=com
Invalid, should be:
   ldap admin dn = cn=admin,dc=ste,dc=com

>   ldap suffix = dc=ste
Invalid, should be:
   ldap suffix = dc=ste,dc=com

>   ldap group suffix = ou=groups
>   ldap machine suffix = ou=computers
>   ldap user suffix = ou=users
>   idmap backend = ldap
Deprecated, rtm

>   ldap idmap suffix = ou=idmap
>   idmap config * : ldap_url = ldap://trac15.ste
Invalid, should be:
   idmap config * : ldap_url = ldap://trac15.ste.com/

>   idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com
>   idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com
>   ldap delete dn = no
>   ldap ssl = start tls
Default

> 
> We've set up libnss-ldap on the servers (both trac15 and trac5)
> 
> When we enable winbind service, we get the following error
>  user 'asmith' (from session setup) not permitted to access this share
> (dataldap). In the actual client when you open the share, it prompts
> for the login creds again and again
> 
> When the winbind is disabled,
> The user is able to login and access the shares. The issue seems to be
> with the folder permissions. The /home drive is setup with 700 as the
> mask and the folder permission in smb.conf. The user can create
> folders but not rename them. They can create a text file but not
> rename them. It comes with "You need permission from the
> following user to make changes". The SID presented is the SID of the
> user in LDAP
> 
> We have removed and added back the user in the /etc/passwd file in the
> fileserver. If we remove it, getent passwd doesn't recognise the
> user. Our nsswitch.conf has files ldap
> 
> So basically at this stage we are disabling winbind to get LDAP
> working
> 
> Thank you,
> 
> RT


-- 

Regards
	Harry Jede
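The corrections above all come down to a handful of syntax and consistency slips in the BDC's smb.conf (an `d=` instead of `dc=` in a DN, a suffix that does not match the base DNs used elsewhere, an idmap LDAP URL whose host differs from the one in `passdb backend`, and the deprecated `idmap backend` parameter). As an added example, not part of the thread and not Samba's own tooling, the small Python linter below parses the quoted fragment, flags each of those problems, and confirms that a version incorporating the reply's corrections lints clean. The whitelist of RDN attribute types, the `BDC_SMB_CONF`/`FIXED_SMB_CONF` sample text and the function names are assumptions made for this example; the `domain logons` check simply encodes the reply's statement that a BDC needs it set to yes.

```python
import re

# Constructed sample: the BDC smb.conf fragment quoted in the thread.
BDC_SMB_CONF = """
netbios name = TRAC5
local master = no
domain master = no
preferred master = no
domain logons = no
passdb backend = ldapsam:ldap://trac15.ste.com
ldap admin dn = cn=admin,dc=ste,d=com
ldap suffix = dc=ste
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap backend = ldap
ldap idmap suffix = ou=idmap
idmap config * : ldap_url = ldap://trac15.ste
idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com
idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com
ldap delete dn = no
ldap ssl = start tls
"""

# Constructed sample: the same fragment with the reply's corrections applied.
FIXED_SMB_CONF = """
netbios name = TRAC5
domain logons = yes
passdb backend = ldapsam:ldap://trac15.ste.com
ldap admin dn = cn=admin,dc=ste,dc=com
ldap suffix = dc=ste,dc=com
ldap idmap suffix = ou=idmap
idmap config * : ldap_url = ldap://trac15.ste.com/
idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com
idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com
"""

# Assumption: attribute types that normally appear in RDNs of a Samba/LDAP tree.
KNOWN_RDN_TYPES = {"cn", "ou", "dc", "o", "uid", "c", "l", "st", "sambadomainname"}
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")
LDAP_URL_RE = re.compile(r"^(ldaps?|ldapi)://([^/]*)(/.*)?$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")

def parse_smb_conf(text):
    """Parse 'key = value' lines into a dict; keys are lower-cased and space-normalised."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")      # split on the FIRST '=' only
        params[" ".join(key.split()).lower()] = value.strip()
    return params

def check_dn(dn):
    """Return problems with a DN string; an empty list means it looks well-formed."""
    problems = []
    for rdn in dn.split(","):
        m = RDN_RE.match(rdn.strip())
        if not m:
            problems.append(f"malformed RDN {rdn.strip()!r}")
        elif m.group(1).lower() not in KNOWN_RDN_TYPES:
            problems.append(f"unknown attribute type {m.group(1)!r} in {rdn.strip()!r}")
    return problems

def check_ldap_url(url):
    """Minimal LDAP URL check: scheme plus a host part that is a plausible hostname."""
    m = LDAP_URL_RE.match(url)
    if not m:
        return [f"not an LDAP URL: {url!r}"]
    host = m.group(2)
    if host and not HOST_RE.match(host):
        return [f"host part {host!r} is not a valid hostname"]
    return []

def ldap_url_host(url):
    """Host name (without port) of an LDAP URL, or None if it does not parse."""
    m = LDAP_URL_RE.match(url)
    return m.group(2).split(":")[0].lower() if m else None

def lint(params):
    """Run the checks; returns {parameter: [findings]} (empty dict = nothing found)."""
    findings = {}
    def add(key, msg):
        findings.setdefault(key, []).append(msg)
    dn_keys = ("ldap admin dn", "ldap suffix",
               "idmap config * : ldap_base_dn", "idmap config * : ldap_user_dn")
    for key in dn_keys:
        for p in check_dn(params.get(key, "")) if key in params else []:
            add(key, p)
    # Every full DN should sit under the configured ldap suffix.
    suffix = params.get("ldap suffix", "")
    if suffix and not check_dn(suffix):
        for key in ("ldap admin dn", "idmap config * : ldap_base_dn"):
            dn = params.get(key)
            if dn and not dn.lower().endswith(suffix.lower()):
                add(key, f"does not end with ldap suffix {suffix!r}")
    url = params.get("idmap config * : ldap_url")
    if url:
        for p in check_ldap_url(url):
            add("idmap config * : ldap_url", p)
        passdb = params.get("passdb backend", "")
        if passdb.startswith("ldapsam:"):
            backend_host = ldap_url_host(passdb[len("ldapsam:"):].strip())
            if backend_host and ldap_url_host(url) not in (None, backend_host):
                add("idmap config * : ldap_url",
                    f"host differs from passdb backend host {backend_host!r}")
    if "idmap backend" in params:
        add("idmap backend", "deprecated; use 'idmap config * : backend' instead")
    if params.get("domain logons", "").lower() in ("no", "false", "0"):
        add("domain logons", "reply says a BDC must set 'domain logons = yes'")
    return findings

if __name__ == "__main__":
    for key, msgs in lint(parse_smb_conf(BDC_SMB_CONF)).items():
        for msg in msgs:
            print(f"{key}: {msg}")
    print("fixed config findings:", lint(parse_smb_conf(FIXED_SMB_CONF)))
```

The DN check deliberately stops at syntax and a small whitelist of attribute types; it cannot know that the intended suffix was `dc=ste,dc=com`, but the suffix-consistency and host-consistency checks surface that mismatch anyway, which is the useful property for catching this class of typo before winbind starts failing lookups against the wrong base.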

