From: Mucke, Tobias, FCI4 on 19 Jul 2010 12:10

Hi Michael,

which version of Samba do you have?

Are you able to post your Samba configuration?

Thank you.

Tobias

Kind regards
Tobias Mucke

LFK-Lenkflugkörpersysteme GmbH
Serverpool, FCI4
Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
Phone: +49 89 3179 8438
Fax: +49 89 3179 8927
Mobile: +49 170 635 3830
E-Mail: tobias.mucke(a)mbda-systems.de
http://www.mbda.net

Chairman of the Supervisory Board: Antoine Bouvier
Managing Director: Werner Kaltenegger
Registered Office: Schrobenhausen
Commercial Register: Amtsgericht Ingolstadt, HRB 4365

Message sent from handheld via BlackBerry Server.

________________________________

From: Michael Lyon <mjlyon(a)gmail.com>
To: Mucke, Tobias, FCI4; samba(a)lists.samba.org <samba(a)lists.samba.org>
Sent: Mon Jul 19 14:22:37 2010
Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD

I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC console. I'm using Samba/Winbind and use samba shares as user home directories that are mounted at login-time on Windows 7 machines.

This is a first attempt as we migrated to Windows 2k8r2 in order to have better support for Win7 clients, as we had too many issues with Samba as our PDC.

Mike

On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 <tobias.mucke(a)mbda-systems.de> wrote:

Hi,

I'm afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5.
Besides AD "versions" there is another large difference between the production and the lab.
In production the domain structure is far more complex ...
Actually I am deploying a lab closer to the actual production environment.

Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody?

Thank you.

Tobias

-----Original Message-----
From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On behalf of Necos Secon
Sent: Monday, 19 July 2010 01:50
To: samba(a)lists.samba.org
Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD

I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like:

krb5.conf
smb.conf

There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know.

> Date: Mon, 19 Jul 2010 01:12:41 +0200
> From: hds(a)semark.dk
> To: esiotrot(a)gmail.com
> CC: samba(a)lists.samba.org
> Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>
> Hi Michael
>
> Sorry for not sending that information in the first place, but I
> thought that it was so basic that it wasn't necessary.
>
> My nsswitch.conf:
> # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> services: db files
> ethers: db files
> protocols: db files
> rpc: db files
>
> netgroup: nis
>
> I will mean that it is the way to do this (and it works just fine on
> the UNIX servers that run their own Domain Controller)
>
> Best Regards
> Henrik Dige Semark
>
> On 18-07-2010 17:03, Michael Wood wrote:
> > On 18 July 2010 01:34, Henrik Dige Semark <hds(a)semark.dk> wrote:
> >
> >> Hey out there.
> >>
> >> I have to join my UNIX server with an existing Win2k3 AD network.
> >>
> >> My system info:
> >> Debian Lenny
> >> Samba - 3.4.8
> >> Winbind - 3.4.8
> >>
> >> Windows Server 2003 with 2000-style-AD
> >>
> >> My problem is that I have a UNIX server that has to run auth up
> >> against our existing Windows 2003 AD.
> >>
> >> I have successfully joined my UNIX server to the AD, without problems.
> >> # net ads join -U Administrator
> >> Enter Administrator's password:
> >> Using short domain name -- TEST
> >> Joined 'MAIL' to realm 'TEST.LOCAL'
> >>
> >> My Samba config: http://pastebin.com/ZqaA0Ypn
> >>
> >> After the join I'm able to look up people with # wbinfo -u
> >>
> > [...]
> >
> >> # wbinfo -g
> >>
> > [...]
> >
> >> Now the problem, getent only returns the local users and not the
> >> users from the AD. The funny thing is that if a user is local on the
> >> UNIX and in the AD, I can login with the password from both local
> >> and AD, so I know that it can look up people and passwords
> >>
> >> # getent passwd hs ; echo $?
> >> 2
> >>
> >> When I debug on getent it returns 2, which means that it can't find
> >> the user.
> >>
> > Do you have winbind specified in your nsswitch.conf file as mentioned here:
> >
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Michael Lyon on 19 Jul 2010 12:30

In all honesty, this is my first time using a binary samba package (I am a native slackware user that converted to Fedora simply because it was easier from start-to-finish FWIW)

[]# smbd -V
Version 3.4.7-58.fc12

Here's my smb.conf global section:

[global]
workgroup = WORKGROUPNAME
realm = ad.university.edu
server string = Samba Server Version %v
netbios name = vm-srvname
security = ADS
password server = *
passdb backend = tdbsam
admin users = @"WORKGROUPNAME+Domain Admins"
log level = 2
log file = /var/log/samba/log.%m
max log size = 5000
interfaces = eth0 lo
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
load printers = No
#printing =
printcap name = /etc/printcap
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
winbind separator = +
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
allow trusted domains = yes
idmap uid = 10000-99999
idmap gid = 10000-99999
#idmap backend = ad
idmap domains = WORKGROUPNAME
idmap config WORKGROUPNAME:backend = ad
idmap config WORKGROUPNAME:schema_mode = rfc2307
idmap config WORKGROUPNAME:range = 1000-75999
#template shell = /bin/bash
#template homedir = /home/share
#server signing = enabled
;dead time = 15
getwd cache = yes
nt acl support = yes
acl map full control = no
store dos attributes = yes
map acl inherit = yes
local master = yes
master browser = no
dns proxy = no
unix extensions = no
guest account = nobody

Mike

On Mon, Jul 19, 2010 at 11:09 AM, Mucke, Tobias, FCI4 <tobias.mucke(a)mbda-systems.de> wrote:

> Hi Michael,
>
> which version of Samba do you have?
>
> Are you able to post your Samba configuration?
>
> Thank you.

From: Necos Secon on 19 Jul 2010 23:20

Ah, I'm a Slackware user myself (and I still do sometimes use their binaries for samba when I don't need AD support). I'm not sure if the Fedora package is compiled with AD support, but an ldd `which smbd` will answer that question.

You do have the proper options that I mentioned enabled, so this might be an issue elsewhere. Have you tried reinitializing the Kerberos ticket with kinit?

The other thing to be sure to check is the clock skew. By default, it's 5 minutes in Windows 2003 and higher (not sure about other versions off-hand). Use an ntpdate script (or some other method) to keep the clocks in sync.

Hopefully, that helps some.

From: Mucke, Tobias, FCI4 on 27 Jul 2010 01:00

Hi,

I found a working Winbind version which is 3.4.7 coming with SLES-11 SP1. I managed to configure Winbind with backend AD to authenticate and authorize users based on Winbind and SFU3.5.

Thanks for this open source product.

Tobias

Kind regards
Tobias Mucke

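Added example, not part of the thread and not written by any of the posters: an offline check of the two files the posters compare, /etc/nsswitch.conf (is winbind listed for passwd and group?) and the [global] section of smb.conf (security, winbind enum users/groups, winbind nss info). The function names and the sample files are constructed for illustration; the parser treats lines starting with "#" or ";" as comments, so a commented-out parameter such as "#idmap backend = ad" counts as unset.

```bash
#!/usr/bin/env bash
# Added example: audit the NSS and winbind settings discussed in this thread.
# It only reads the two files it is given.

# nss_has_winbind FILE DB: succeeds if database DB (passwd, group, ...) lists "winbind".
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                                  # drop comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }
    ' "$1"
}

# smb_global_get FILE NAME: prints the active [global] value of NAME, fails if it is unset.
# smb.conf rules applied: parameter names ignore case and whitespace, and a line
# starting with "#" or ";" is a comment. If a name repeats, the last value is printed.
smb_global_get() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                              # commented-out parameter is inactive
        /^[ \t]*\[/   { sec = norm($0); next }              # section header
        sec == "[global]" {
            eq = index($0, "=")                             # only the first "=" is significant
            if (eq && norm(substr($0, 1, eq - 1)) == want) {
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = 1
            }
        }
        END { if (found) print val; exit !found }
    ' "$1"
}

# is_yes VALUE: succeeds for the boolean spellings yes/true/1 in any case.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1) return 0 ;;
    esac
    return 1
}

# audit_winbind_nss NSSWITCH SMBCONF: prints one line per finding, returns the
# number of FAIL and WARN findings (INFO lines are not counted).
audit_winbind_nss() {
    local nss="$1" smb="$2" findings=0 db key val
    for db in passwd group; do
        if ! nss_has_winbind "$nss" "$db"; then
            echo "FAIL $db: winbind missing in nsswitch.conf, getent only sees local entries"
            findings=$((findings + 1))
        fi
    done
    val=$(smb_global_get "$smb" "security") || val="(unset)"
    if [ "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" != "ads" ]; then
        echo "FAIL security = $val, expected ads on an AD member server"
        findings=$((findings + 1))
    fi
    for key in "winbind enum users" "winbind enum groups"; do
        val=$(smb_global_get "$smb" "$key") || val="(unset)"
        if ! is_yes "$val"; then
            echo "WARN $key = $val, getent without a name will not enumerate domain entries"
            findings=$((findings + 1))
        fi
    done
    if ! smb_global_get "$smb" "winbind nss info" >/dev/null; then
        echo "INFO winbind nss info unset, shell and home directory come from the template settings"
    fi
    return "$findings"
}

# Constructed sample input: the nsswitch.conf lines quoted in the thread and a
# shortened smb.conf in which one parameter is commented out.
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
        'shadow: compat winbind' > "$dir/nsswitch.conf"
    printf '%s\n' '[global]' '   security = ADS' '   Winbind Enum Users = yes' \
        '   #winbind enum groups = yes' '   winbind nss info = rfc2307' > "$dir/smb.conf"
    audit_winbind_nss "$dir/nsswitch.conf" "$dir/smb.conf"
    echo "findings: $?"
    rm -rf "$dir"
}
demo
```

On a member server, call audit_winbind_nss with the real /etc/nsswitch.conf and smb.conf paths instead of running demo.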