From: Kaspar Wolfram on 29 Oct 2009 20:20

On Wednesday, 28 October 2009 19:46:44, Daniel Bauer wrote:
> Hello,
>
> I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
> SuSE11.1).
>
> I got a valid Kerberos Ticket and joined successfully the domain (with net
> join).
>
> Users and group are displayed with wbinfo -u / -g . I could also verify
> accounts with wbinfo -a user%pass.
>
> When I tried to access the shares, the dialog appears to give the
> credentials. It doesn't matter what you fill in, there is no access.
>
> I also could not get users and groups with getent passwd / group. I tried
> different configs of
> /etc/nsswitch.conf with different results:
>
> only local accounts will be showed:
> passwd: compat
> group: compat
>
> local account and the group BUILTIN
> passwd: files winbind
> group: files winbind
>
> here are the local account, the BUILTIN group and a new entry like this:
> "+::0:" are displayed
> I think there is a problem with matching Windows LDAP with *nix LDAP
> passwd: files winbind ldap
> group: files winbind ldap
>
> My /etc/smb.conf:
> [global]
> workgroup = WIN2003SRV
> security = ADS
> realm = win2003srv.loc
> idmap backend = ad
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home/%D/%U
> winbind separator = +
> password server = 10.1.2.154
> domain master = No
> ldap ssl = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> encrypt passwords = yes
> client use spnego = yes
> wins server = 10.1.2.154
>
> I see successful logins at the Windows DC.
> Do I need LDAP, or is Kerberos enough?
> Could somebody tell me what I do wrong?
>
> Thanks a lot
> Daniel
>

I have the same 'problem' ...

kaspar

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Dale Schroeder on 30 Oct 2009 13:30

Daniel Bauer wrote:
> Hi Andrew,
>
> From: "Andrew Masterson" <Andrew.Masterson(a)nuvistaenergy.com>
>>> > I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
>>> > SuSE11.1).
>>> >
>>> > I got a valid Kerberos Ticket and joined successfully the domain (with net
>>> > join).
>>> >
>>> > Users and group are displayed with wbinfo -u / -g . I could also verify
>>> > accounts with wbinfo -a user%pass.
>>> >
>>> > When I tried to access the shares, the dialog appears to give the
>>> > credentials. It doesn't matter what you fill in, there is no access.
>>> >
>>> > I also could not get users and groups with getent passwd / group. I tried
>>> > different configs of
>>> > /etc/nsswitch.conf with different results:
>>> >
>>> > only local accounts will be showed:
>>> > passwd: compat
>>> > group: compat
>>> >
>>> > local account and the group BUILTIN
>>> > passwd: files winbind
>>> > group: files winbind
>>> >
>>> > here are the local account, the BUILTIN group and a new entry like this:
>>> > "+::0:" are displayed
>>> > I think there is a problem with matching Windows LDAP with *nix LDAP
>>> > passwd: files winbind ldap
>>> > group: files winbind ldap
>>> >
>>> > My /etc/smb.conf:
>>> > [global]
>>> > workgroup = WIN2003SRV
>>> > security = ADS
>>> > realm = win2003srv.loc
>>> > idmap backend = ad
>>> > idmap uid = 10000-20000
>>> > idmap gid = 10000-20000
>>> > template homedir = /home/%D/%U
>>> > winbind separator = +
>>> > password server = 10.1.2.154
>>> > domain master = No
>>> > ldap ssl = no
>>> > winbind use default domain = yes
>>> > winbind enum users = yes
>>> > winbind enum groups = yes
>>> > winbind nested groups = yes
>>> > encrypt passwords = yes
>>> > client use spnego = yes
>>> > wins server = 10.1.2.154
>>> >
>>> > I see successful logins at the Windows DC.
>>> > Do I need LDAP, or is Kerberos enough?
>>> > Could somebody tell me what I do wrong?
>>>
>>> is really nobody able to give me a hint what to look for?
>>>
>>
>> Is nscd running? If so, turn it off. I think the default SUSE installs
>> have nscd enabled.
>
> no I disabled it, because some guys mentioned trouble with nscd.
>
> Thanks
> Daniel

The Samba docs indicate that the AD server must be prepared in advance
for this backend to work - schema extensions, extra classes, attributes,
etc.

Quote:
"The idmap_ad plugin provides a way for Winbind to read id mappings from
an AD server that uses RFC2307/SFU schema extensions. This module
implements only the "idmap" API, and is READONLY. Mappings must be
provided in advance by the administrator by adding the
posixAccount/posixGroup classes and relative attribute/value pairs to
the user and group objects in the AD."

Do you know if this has been done?

Dale
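
Added example (not part of the original thread and not Samba code): one way to answer the question above is to export the AD user objects as LDIF and check each account for the RFC2307 uidNumber/gidNumber attributes that the read-only idmap_ad backend reads. The sample entries and the DC=win2003srv,DC=loc base are constructed; treating the posted 10000-20000 range as a filter on values read from AD is an assumption, and folded or base64-encoded LDIF values are not handled.

```python
# Added example: audit an LDIF export of AD accounts for the RFC2307
# attributes that idmap_ad needs. Nothing here talks to a server.
ID_RANGE = (10000, 20000)  # idmap uid / idmap gid from the posted smb.conf

# Constructed sample shaped like ldapsearch LDIF output (not real data).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: carol
uidNumber: 500
gidNumber: 10000
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> first value."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and malformed lines
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries, id_range=ID_RANGE):
    """Return {account: [problems]} for accounts idmap_ad could not map."""
    low, high = id_range
    findings = {}
    for e in entries:
        problems = []
        for attr in ("uidNumber", "gidNumber"):
            raw = e.get(attr)
            if raw is None:
                problems.append(f"{attr} missing")
            elif not raw.isdigit() or not low <= int(raw) <= high:
                problems.append(f"{attr}={raw} outside {low}-{high}")
        if problems:
            findings[e.get("sAMAccountName", e.get("dn", "?"))] = problems
    return findings

if __name__ == "__main__":
    for account, problems in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{account}: {', '.join(problems)}")
```

An account with no findings has both attributes inside the configured range; an account like the constructed "bob" has no POSIX attributes at all, which matches the symptom of wbinfo listing users while getent passwd shows none.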