[Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-21 Thread Matthias Rutzki
Hi all,

> Sorry to mislead you, but I hope you're on the right
> track now.
No problem. Your answer was the first thing which really helps me on my
project.

> My problem is, my server is in an NT 4 resource domain and I can't create
> domain global groups with members from account domains in it.
I have the same problem.


Probably it works with NT global groups. But I don't have access to any PDC
in my domain. I can't assimilate the domain or even one global group in this
domain so that it suits my requirements.
I am working on a project which rebuilds a Windows NT Dataserver. Because
of cost and stability reasons we had the idea to migrate from Windows NT to
Linux/Samba.
Unfortunately the guidelines of this project contain things like comfortable
administration and a smooth change between the systems. So after finishing
this project non-unix experts have to administrate this system. Without
local groups it doesn't seem to be very practical to accomplish this migration.
Probably we have to retain Windows NT.
Hopefully the local group feature will be available on Samba 3.0 at any
time.

Thank you very much for your help. 
This saved me a lot of time.


Greetings

Matthias

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



[Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-20 Thread Matthias Rutzki
Hello again,

at the beginning thank you for your support. Today I had the time to test the
various proposals. Finally the gpasswd thing works in that way that I can
add any user to local groups. Even domain users...
Unfortunately the group members still can not access the shares.

I have done it in this way:
1. stop smbd  nmbd 
2. add winbind use default domain = yes to the smb.conf 
3. create a testgroup with groupadd test1 
4. add my domain user (without the domain (domain+)) to this group with
gpasswd -a rutzki.matthias test1 
5. create a share called testshare with valid users = @test1 in smb
6. start smbd nmbd
7. logged in domain on a WIN98 System
8. try to access the testshare
9. System asks me for a password.

So, it seems that the samba does not find my user. Same failure when I add my
user with
gpasswd -a west3+rutzki.matthias test1 to the local group.
Here is my winbind log:

#access to testshare with valid users = west3+rutzki.matthias (this works
perfect):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257 
...

#access to testshare with valid users = @test1 or valid users =
+test1(ends in password request):
...
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: gid to sid 10250
[ 8690]: gid to sid 11001
[ 8690]: gid to sid 11255
[ 8690]: gid to sid 11257 
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias
[ 8690]: getgroups west3+rutzki.matthias...(approx.: 30 times this message)
...

Has anyone an idea what winbind is doing there? Perhaps you need some other
winbind related configuration data:

/etc/nsswitch.conf:

passwd: files winbind 
shadow: files winbind
group:  files winbind 

/etc/samba/smb.conf:
...
security = domain 
...
winbind separator = +
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
winbind cache time = 10
winbind enum users = no #(large domain)
winbind enum groups = no #(large domain)
template shell = /bin/bash
...
[testshare]
path = /1
guest ok = no 
writable = no 
browseable = yes
valid users = @test1 
write list = @test1 

/etc/pam.d/system-auth:
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth use_first_pass nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_winbind.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

I hope that will help you. Thank you for your help.

Greetings

Matthias 

--- David Boynton david.boynton2 at asu.edu wrote:
 Well, I got this to work once by manually editing
 the /etc/group file, like 
 adding the line:
 
 localgroup:x:gid: domain+user1,domain+user2,etc
 
 I don't know if this is a safe thing to do, however.
 :)

I don't believe you can safely manually edit this
file, as you would probably also have to edit
/etc/gshadow to match.  Unix/Linux has a tool called
gpasswd that will do this for you:
gpasswd -a user group

It lets you add users to a group without them existing
in /etc/passwd (they don't even have to exist at all).
Combine this with winbind use default domain = yes
in smb.conf and you're ready to go.

For example, in the domain ABC for the user john, do
this to add him to a 'local' Unix group called
smbusers:

gpasswd -a john smbusers

With winbind use default domain = yes you don't need
to prefix it with your domain.  Slick, huh?  (:

Good luck,
/dev/idal

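Added example (not part of the original posts, and not Samba code): a small access-review helper in Python that expands the group entries in each share's valid users line against /etc/group text, showing which names a local group such as test1 actually admits and whether each one is qualified with the winbind separator. The sample smb.conf and /etc/group contents, the account west3+admin.example, the group 'WEST3+Domain Users' and the function names are constructed for illustration; groups missing from the local file are only reported, since resolving them needs NSS/winbind on the live host.

```python
import configparser
import shlex

# Constructed sample inputs modelled on the thread's test setup (not real files).
SMB_CONF = """\
[global]
winbind separator = +

[testshare]
valid users = @test1 @'WEST3+Domain Users' west3+admin.example
"""
ETC_GROUP = """\
test1:x:501:rutzki.matthias,west3+rutzki.matthias
"""

def parse_group_file(text):
    """Map group name -> member list from /etc/group style text."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return {f[0]: [m for m in f[3].split(",") if m] for f in rows if len(f) == 4}

def split_names(value):
    """Split a 'valid users' value, keeping quoted names with spaces whole."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace_split, lex.escape, lex.commenters = True, "", ""
    lex.whitespace += ","
    return list(lex)

def audit_valid_users(conf_text, group_text):
    """Return {share: [(name, how it is admitted, separator present?)]}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    sep = cp.get("global", "winbind separator", fallback="\\")
    groups = parse_group_file(group_text)
    report = {}
    for share in cp.sections():
        if share == "global" or not cp.has_option(share, "valid users"):
            continue
        rows = []
        for token in split_names(cp.get(share, "valid users")):
            if token[0] in "@+&":  # smb.conf group prefixes (@ and + are in the thread)
                group = token.lstrip("@+&")
                if group in groups:  # local group: list each member it admits
                    rows += [(m, "via " + group, sep in m) for m in groups[group]]
                else:  # not in the local file: left to NSS/winbind at run time
                    rows.append((group, "group not in local file", None))
            else:
                rows.append((token, "direct", sep in token))
        report[share] = rows
    return report
```

Running audit_valid_users(SMB_CONF, ETC_GROUP) on the constructed data lists both spellings of the same account under test1, which makes it easy to spot group entries that depend on winbind use default domain = yes.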



[Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-14 Thread Matthias Rutzki
Hi,

I am running a Samba 2.2.7a on Redhat 7.3 in a NT domain. For authentication
I am using the domainusers. This is done by Winbind 2.2.7a which verifies the
existence of the users on the PDC. So I don't have to create local users
(/etc/passwd) for users who want to connect to the shares in the smb.conf.
I authorise them by adding valid users = domain+domainuser to the smb.conf.
This works very well.
Now my problem:
By writing valid users = @localgroup or +localgroup
I can authorise local groups (/etc/group) to connect to the shares.
Now I want to add the domainusers to some local groups. Putting the
domainusers in groups should save much time because otherwise I have to add each
domainuser for every share separately.
E.g. valid users = domain1+domainuser domain2+domainuser2
I have tried it with: usermod -g localgroup domain+domainuser
which ends in this message: usermod: domain+domainuser not found /etc/passwd
I know this message is right because there is no domainuser in
/etc/passwd. But how can I assort the domainusers?
Is there a way to use groups of domainusers who are verified by winbind in
the smb.conf?

Thank you for your efforts.

Greetings

Matthias 




Re: [Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-14 Thread Buchan Milne
> Date: Fri, 14 Feb 2003 11:37:53 +0100 (MET)
> From: Matthias Rutzki [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [Samba] domain users in local groups with Winbind/Samba/Redhat
 
> Hi,
>
> I am running a Samba 2.2.7a on Redhat 7.3 in a NT domain. For authentication
> I am using the domainusers. This is done by Winbind 2.2.7a which verifies the
> existence of the users on the PDC. So I don't have to create local users
> (/etc/passwd) for users who want to connect to the shares in the smb.conf.
> I authorise them by adding valid users = domain+domainuser to the smb.conf.
> This works very well.
> Now my problem:
> By writing valid users = @localgroup or +localgroup
> I can authorise local groups (/etc/group) to connect to the shares.
> Now I want to add the domainusers to some local groups. Putting the
> domainusers in groups should save much time because otherwise I have to add each
> domainuser for every share separately.
> E.g. valid users = domain1+domainuser domain2+domainuser2
> I have tried it with: usermod -g localgroup domain+domainuser
> which ends in this message: usermod: domain+domainuser not found /etc/passwd
> I know this message is right because there is no domainuser in
> /etc/passwd. But how can I assort the domainusers?
> Is there a way to use groups of domainusers who are verified by winbind in
> the smb.conf?
 

valid users = @localgroup @'Domain1+group1'



-- 
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7




Re: [Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-14 Thread mrutzki
On 14 Feb 2003 at 15:52, Buchan Milne wrote:

> > Date: Fri, 14 Feb 2003 11:37:53 +0100 (MET)
> > From: Matthias Rutzki [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: [Samba] domain users in local groups with Winbind/Samba/Redhat
  
> > Hi,
> >
> > I am running a Samba 2.2.7a on Redhat 7.3 in a NT domain. For authentication
> > I am using the domainusers. This is done by Winbind 2.2.7a which verifies the
> > existence of the users on the PDC. So I don't have to create local users
> > (/etc/passwd) for users who want to connect to the shares in the smb.conf.
> > I authorise them by adding valid users = domain+domainuser to the smb.conf.
> > This works very well.
> > Now my problem:
> > By writing valid users = @localgroup or +localgroup
> > I can authorise local groups (/etc/group) to connect to the shares.
> > Now I want to add the domainusers to some local groups. Putting the
> > domainusers in groups should save much time because otherwise I have to add each
> > domainuser for every share separately.
> > E.g. valid users = domain1+domainuser domain2+domainuser2
> > I have tried it with: usermod -g localgroup domain+domainuser
> > which ends in this message: usermod: domain+domainuser not found /etc/passwd
> > I know this message is right because there is no domainuser in
> > /etc/passwd. But how can I assort the domainusers?
> > Is there a way to use groups of domainusers who are verified by winbind in
> > the smb.conf?
> >
>
> valid users = @localgroup @'Domain1+group1'
 
My experiences with Samba in domains are not very big. So, what does 'Domain1+group1'
mean?

Domain1 = any Domain in my Network or the Domain which Samba has joined?
group1= any group that exists in Domain1?

But thank you for your answer. It seems that this kind of problem is poorly documented...





Re: [Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-14 Thread Buchan Milne
[EMAIL PROTECTED] wrote:
> On 14 Feb 2003 at 15:52, Buchan Milne wrote:
 

valid users = @localgroup @'Domain1+group1'

 
> My experiences with Samba in domains are not very big. So, what does
> 'Domain1+group1' mean?
>
> Domain1 = any Domain in my Network or the Domain which Samba has joined?
> group1= any group that exists in Domain1?

Remember that there is not really a distinction between domain groups
and local groups on unix. With winbind (assuming you had used + as the
domain separator), winbind will return groups to the system as
DOMAIN+username for any domain trusted by the domain winbind is a
member of. The use of the quotes protects the string from being mangled
by samba (especially where there are spaces in the group name).

 
> But thank you for your answer. It seems that this kind of problem is poorly documented...
 

I have not run winbind in a multi-domain setup before, but this is
supposed to work.

You should try some experiments with
$ getent passwd
$ getent group
$ wbinfo -g
$ wbinfo -u

to see more. Note that getent is a generic command on unix, and will
show any entries that are accessible (from local files, NIS, ldap,
winbind etc). wbinfo is specific to winbind.

Buchan




Re: [Samba] domain users in local groups with Winbind/Samba/Redhat

2003-02-14 Thread David Boynton
Well, I got this to work once by manually editing the /etc/group file, like 
adding the line:

localgroup:x:gid: domain+user1,domain+user2,etc

I don't know if this is a safe thing to do, however. :)


Dave


On Friday 14 February 2003 03:37 am, Matthias Rutzki wrote:
> Hi,
>
> I am running a Samba 2.2.7a on Redhat 7.3 in a NT domain. For
> authentication I am using the domainusers. This is done by Winbind 2.2.7a
> which verifies the existence of the users on the PDC. So I don't have to
> create local users (/etc/passwd) for users who want to connect to the
> shares in the smb.conf. I authorise them by adding valid users =
> domain+domainuser to the smb.conf. This works very well.
> Now my problem:
> By writing valid users = @localgroup or +localgroup
> I can authorise local groups (/etc/group) to connect to the shares.
> Now I want to add the domainusers to some local groups. Putting the
> domainusers in groups should save much time because otherwise I have to add
> each domainuser for every share separately.
> E.g. valid users = domain1+domainuser domain2+domainuser2
> I have tried it with: usermod -g localgroup domain+domainuser
> which ends in this message: usermod: domain+domainuser not found /etc/passwd
> I know this message is right because there is no domainuser in
> /etc/passwd. But how can I assort the domainusers?
> Is there a way to use groups of domainusers who are verified by winbind in
> the smb.conf?
>
> Thank you for your efforts.
>
> Greetings
>
> Matthias
