From: Mike Leone on 8 May 2010 16:40

I got it (almost) working. Finally! Here's what I found:

1. For Win2003 AD (with SFU), you need

    idmap config DACRIB:schema_mode = sfu
    winbind nss info = sfu

If you have Win2003 AD R2, you should be using:

    idmap config DACRIB:schema_mode = rfc2307
    winbind nss info = rfc2307

(I found a forum post that said that; haven't seen it in any official docs)

2. When you install SFU in AD, you get a "Unix Attributes" tab for each user. On that tab, you *have* to set the UID, shell, home directory and primary group, for all users you want your Linux box to see. If you don't set these attributes, Samba won't see those users.

3. Watch out for typos. :-)

Oh, and don't try and over-think the situation. If your distro has kindly pre-configured PAM for you, go with that. :-)

So, using:

    idmap config DACRIB:backend = ad
    idmap config DACRIB:range = 10000 - 20000
    idmap config DACRIB:schema_mode = sfu
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = No
    winbind nested groups = Yes
    winbind refresh tickets = true
    winbind separator = +
    winbind nss info = sfu
    allow trusted domains = No

AND making sure that the UIDs you specify in point #2 above are within the range specified. If you make a typo and set a UID outside that range, that user will *not* be seen by Samba.

getent passwd from Dual-Booter:

    DACRIB+administrator:*:10002:10000:Administrator:/home/DACRIB/Administrator:/bin/sh
    DACRIB+krbtgt:*:10006:10000:krbtgt:/home/DACRIB/krbtgt:/bin/sh
    DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash
    DACRIB+leonem:*:10000:10000:Leone, Mike:/home/DACRIB/LeoneM:/bin/bash
    DACRIB+servicerunner:*:10005:10000:ServiceRunner:/home/DACRIB/ServiceRunner:/bin/sh
    DACRIB+bearclan:*:10004:10000:Andie Philo:/home/bearclan:/bin/bash
    DACRIB+ldap-proxy:*:10001:10000:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/sh

Those are all the proper UIDs I set in AD.

Now, of course, the *other* Samba server is acting up. I removed it from the domain, and tried to use the above settings on it. And now "wbinfo -t" fails for IT. <SIGH>

Oh, well. Something more to do ...
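
The two failure modes described in the post above (Unix attributes left unset, and a UID typed outside the idmap range) can be checked before touching the Samba box. This is an added example, not part of the original post: the smb.conf fragment reuses the post's settings, while the tuple layout of the AD export and the accounts `typo-user` and `no-attrs` are constructed assumptions.

```python
import re

# Constructed smb.conf fragment using the settings quoted in the post.
SMB_CONF = """[global]
idmap config DACRIB:backend = ad
idmap config DACRIB:range = 10000 - 20000
idmap config DACRIB:schema_mode = sfu
winbind nss info = sfu
"""

# Constructed export of the AD "Unix Attributes" tab (assumed layout):
# (account, UID, primary group GID, home directory, shell).
# The last two rows are deliberately broken.
AD_USERS = [
    ("leonem", "10000", "10000", "/home/DACRIB/LeoneM", "/bin/bash"),
    ("turgon", "10003", "10000", "/home/DACRIB/turgon", "/bin/bash"),
    ("typo-user", "1007", "10000", "/home/DACRIB/typo-user", "/bin/bash"),
    ("no-attrs", "", "", "", ""),
]
FIELDS = ("UID", "primary group", "home directory", "shell")


def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low - high'."""
    pattern = (r"^[ \t]*idmap config[ \t]+" + re.escape(domain) +
               r"[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$")
    match = re.search(pattern, conf, re.IGNORECASE | re.MULTILINE)
    if match is None:
        raise ValueError("no idmap range configured for " + domain)
    return int(match.group(1)), int(match.group(2))


def audit(users, low, high):
    """Map each problem account to the reasons it would not show up."""
    problems = {}
    for name, *attrs in users:
        reasons = []
        missing = [f for f, v in zip(FIELDS, attrs) if not v.strip()]
        if missing:
            reasons.append("missing " + ", ".join(missing))
        uid = attrs[0].strip()
        # Flag a UID that is non-numeric or outside the configured range.
        if uid and not (uid.isdigit() and low <= int(uid) <= high):
            reasons.append("UID %s not in %d-%d" % (uid, low, high))
        if reasons:
            problems[name] = reasons
    return problems


if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "DACRIB")
    for name, reasons in audit(AD_USERS, low, high).items():
        print(name + ": " + "; ".join(reasons))
```

Accounts reported here are the ones that would be absent from `getent passwd` on the Samba host, so the fix belongs in AD, not in smb.conf.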