RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-23 Thread Ganguly, Sapan

John,

What options did you compile samba with on Solaris 9?  Maybe that's where I
went wrong?  I don't suppose you have copies of the pam.conf from when you
did it do you?


RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-15 Thread Ganguly, Sapan


If you're interested, Sun has told me that there is some kind of bug with
the way nsswitch.conf is dealt with in Solaris 9 but since nsswitch.conf is
not a public interface...blah blah blah they are still deciding whether they
should deal with it or not.

In the meantime I'm still wondering how anyone else got this to work, this
bug can't only be affecting me?!

Does anyone have a working winbind pam.conf from Solaris 9 that I can look
at? 

Thanks,
Sap

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-14 Thread Ganguly, Sapan

John,

OK, I took out the winbind uid and winbind gid lines.

Here is what I have in /lib, how do I know which is the appropriate version
name?  I've tried these ones. 

-rwxr-xr-x   1 root other 751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:20 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:19 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:20 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root other 17 Dec  4 14:21 nss_winbind.so.2 -> libnss_winbind.so

I've done everything else too but my login still hangs at the password:
prompt after I have typed the password in.  Although when I did a 'getent
group' it did pause for a few seconds several times during the listing, that
may just be because we have a lot of NT groups.  'getent passwd' worked fine
and listed all the unix users as well as all the NT users in a split second.
My /etc/nsswitch.conf is configured and I have done the 'smbpasswd -w'
command to put my LDAP password into secrets.tdb.

Here is what I get in my pamlog, as you can see, it does say access
granted on the last line.  I think the first line is me killing the telnet
session of a previous attempt. 

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be?  According to this
log access is granted right?  So why does it just sit there at password:?

Thanks,
Sapan


RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-13 Thread Ganguly, Sapan

John,

Any ideas?  When I try to log in it seems to get past the PAM stuff but then
it just sits there, I don't get a prompt.  I've enabled debug on all the
modules in pam.conf, should I post the log files?

Sapan

-Original Message-
From: Ganguly, Sapan 
Sent: 08 January 2004 17:39
To: 'John H Terpstra'; Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



John,

Wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 1-2
winbind uid = 1-2
idmap gid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = NT-Server-Name

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#   Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.224.25

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no



Thanks,
Sapan

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
wbinfo -u
wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 Yep, I've done that, I basically followed the Solaris 9 HOWTO from the
 main HOWTO collection that comes with Samba 3.0, the only difference
 is that I used an /etc/pam.conf for Solaris 9 posted on the list by
 Patrik Gustavsson. I haven't managed to get hold of him, he says he
 has made it work on Solaris 9. I also want to get pam_mkhomedir to work
 but I have to get past this bit first.
 From his email signature it looks like he works for Sun in Sweden but
 even the Sun helpdesk in the UK hasn't been able to get hold of him yet.

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 15:54
 To: Ganguly, Sapan
 Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

 
  I'm doing the same thing but with NT4 so I'm not using active
  directory. The only thing you haven't mentioned that I can think of 
  is nsswitch.conf, you should have -
 
  Passwd: files winbind
  Group: files winbind
 
  Getent works for me, I'm stuck with getting log ons to the Solaris
  machine with NT usernames to work.

 If you want to log onto the Sun machine using Windows networking
 credentials you must configure PAM to support the use of 
 pam_winbind.so. Have you done that?

 - John T.


  They seem to have changed something in Solaris 9, even Sun hasn't
  been able to help me!
 
  -Original Message-
  From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
  Sent: 08 January 2004 13:45
  To: Ganguly, Sapan ; [EMAIL PROTECTED]
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
  Hi Sapan/All,
 
  ok this is all in my test/dev environment. I have a Sun Sparc

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-13 Thread John H Terpstra
On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:


 John,

 Any ideas?  When I try to log in it seems to get past the PAM stuff but then
 it just sits there, I don't get a prompt.  I've enabled debug on all the
 modules in pam.conf, should I post the log files?

You should get rid of the winbind uid and winbind gid parameters as
they have been superseded by idmap uid and idmap gid.

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to
the appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

getent passwd

and

getent group

You will need to install the LDAP admin password into your Samba
secrets.tdb file. The command that does that is:

smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.



RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread Ganguly, Sapan

I'm doing the same thing but with NT4 so I'm not using active directory.
The only thing you haven't mentioned that I can think of is nsswitch.conf,
you should have -

Passwd: files winbind
Group: files winbind

Getent works for me, I'm stuck with getting log ons to the Solaris machine
with NT usernames to work.
They seem to have changed something in Solaris 9, even Sun hasn't been able
to help me!

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 13:45
To: Ganguly, Sapan ; [EMAIL PROTECTED]
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi Sapan/All,

ok this is all in my test/dev environment. I have a Sun Sparc
workstation running Solaris 9 and an Intel server running Windows 2000
server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
installed and is successfully joined to the AD domain, I can authenticate
via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is
centralising the IDMAP mappings across our theoretical Samba server
infrastructure. 

  On the same sparc system I also have SunONE DS 5.2 installed, this has the
schema for Samba 3.0.1 successfully loaded. I have created the idmap OU in
the directory and I have configured my smb.conf to use LDAP for idmap data,
file attached. And I have set the LDAP admin account password with
smbpasswd -w. I have also disabled nscd from starting up and installed patch
113476-05 which is required for Solaris 9. I can also see winbindd
establishing a connection to Sun LDAP in its access log.

  As I was writing this mail I have noticed that a getent for users and
groups is not displaying any AD users/groups but is exiting with a status 0,
this is despite the fact that wbinfo is correctly displaying all my AD
users/groups!? I can see from a snoop and truss run on the getent that it is
making LDAP calls to the AD DC but it's not returning anything!?! I have had
this running on a Solaris 8 system in my test environment successfully and
can't think of anything I've done differently.

If anyone can help I'd greatly appreciate it,

many thanks Andy.

-Original Message-
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
Posted At: 07 January 2004 16:44
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



Andy,

Tell us a bit more, I'm doing a similar thing I think.  I'm not using Sun's
LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging
into my Solaris 9.0 machine running winbind, with my NT username and
password which creates an idmap in the openldap database on the Redhat
box... well, that's what it is supposed to do anyway...it works fine on
Redhat, Solaris is proving to be a little more tricky.

Is this what you are doing?

-Original Message-
From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED] 
Sent: 07 January 2004 14:23
To: [EMAIL PROTECTED]
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi John/List,

I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
but without any success. I've tried what John T has suggested below but my
idmap OU is still empty (adapted LDAP commands for Sun DS). I cannot see any
errors in either Samba or Sun DS logs, does anyone have any troubleshooting
tips to help work out why this isn't working?

many thanks Andy.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John H Terpstra
Posted At: 03 January 2004 23:54
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


Kent,

Did you create the container for the ou=Idmap in your LDAP database? The
IDMAP entries are automatically added to LDAP - IF the container exists, and
so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container and
not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D cn=admin,dc=tow,dc=net -w 'password' <<EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.



BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal
views which are not the views of the BBC unless specifically stated. If you
have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in reliance on it and
notify the sender immediately. Please note that the BBC monitors e-mails
sent
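
An added example, not part of any message in this thread: a POSIX shell preflight for the checks John T. lists in his replies (winbind on the passwd and group lines of nsswitch.conf, the superseded winbind uid/gid parameters, and the idmap container in LDAP). It assumes the container DN is `ldap idmap suffix` prepended to `ldap suffix`, as the smb.conf manual describes; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# smb_param FILE NAME: print the value of smb.conf parameter NAME (given in lower case).
smb_param() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }   # comments, section headers
        {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val                              # the last setting wins
            }
        }
        END { if (found != "") print found }' "$1"
}

# nss_has_winbind FILE DB: succeed if database DB (passwd, group) lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        {
            sub(/#.*/, ""); sub(/^[ \t]+/, "")
            if (index($0, db ":") == 1) {
                n = split(substr($0, length(db) + 2), src, /[ \t]+/)
                for (i = 1; i <= n; i++) if (src[i] == "winbind") ok = 1
            }
        }
        END { exit !ok }' "$1"
}

# deprecated_idmap_params FILE: print each superseded parameter that is still set.
deprecated_idmap_params() {
    for p in "winbind uid" "winbind gid"; do
        [ -z "$(smb_param "$1" "$p")" ] || echo "$p"
    done
}

# idmap_container_dn FILE: print the DN winbind writes mappings under.
# Assumption: "ldap idmap suffix" is a partial DN prepended to "ldap suffix".
idmap_container_dn() {
    base=$(smb_param "$1" "ldap suffix")
    part=$(smb_param "$1" "ldap idmap suffix")
    [ -n "$base" ] || return 1
    if [ -n "$part" ]; then echo "$part,$base"; else echo "$base"; fi
}

# ldif_has_dn LDIF DN: succeed if the dump (for example saved slapcat output)
# holds an entry with exactly that DN, ignoring case and spaces after commas.
ldif_has_dn() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]*,[ \t]*/, ",", s); return tolower(s) }
        /^dn:/ { dn = $0; sub(/^dn:[ \t]*/, "", dn); if (norm(dn) == norm(want)) ok = 1 }
        END { exit !ok }' "$1"
}

# idmap_container_ldif DN: print LDIF that creates the container (ou= RDN only).
idmap_container_ldif() {
    case $1 in
        [oO][uU]=*) rdn=${1%%,*}
                    printf 'dn: %s\nobjectClass: organizationalUnit\nou: %s\n' "$1" "${rdn#*=}" ;;
        *) return 1 ;;
    esac
}

# preflight SMB_CONF NSSWITCH LDIF: print findings; exit status = failed checks.
preflight() {
    fails=0
    for db in passwd group; do
        nss_has_winbind "$2" "$db" ||
            { echo "FAIL nsswitch.conf: no winbind source for $db"; fails=$((fails + 1)); }
    done
    dep=$(deprecated_idmap_params "$1" | tr '\n' ';')
    [ -z "$dep" ] || echo "WARN smb.conf: superseded by idmap uid/gid: $dep"
    dn=$(idmap_container_dn "$1") || { echo "FAIL smb.conf: ldap suffix not set"; return $((fails + 1)); }
    ldif_has_dn "$3" "$dn" || {
        echo "FAIL LDAP: no entry $dn; create it with:"
        idmap_container_ldif "$dn" || echo "(not an ou= container, create it by hand)"
        fails=$((fails + 1))
    }
    return "$fails"
}

# --- Constructed sample inputs: an idmap container exists, but under another suffix ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
   ldap suffix = dc=uk,dc=trt,dc=thales
   ldap idmap suffix = ou=idmap
   idmap uid = 10000-20000
   winbind uid = 10000-20000
EOF
printf 'passwd: files winbind\ngroup:  files\n' > "$demo_dir/nsswitch.conf"
printf 'dn: dc=abmas,dc=biz\nobjectClass: domain\n\ndn: ou=Idmap,dc=abmas,dc=biz\nobjectClass: organizationalUnit\nou: idmap\n' > "$demo_dir/dump.ldif"
preflight "$demo_dir/smb.conf" "$demo_dir/nsswitch.conf" "$demo_dir/dump.ldif" || echo "$? check(s) failed"
```

On a live host, pass the real smb.conf and /etc/nsswitch.conf together with slapcat output saved to a file. A plain `grep -i idmap` over the dump would have matched the sample container even though it sits under a different suffix from the one in smb.conf.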

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread ww m-pubsyssamba
Hi Sapan/All,

yes I have already correctly configured my nsswitch.conf and it is not working 
for getent?! Anyone fancy giving me a clue?

cheers Andy.

PS I agree Sun seem to have changed a few things in Solaris 9 which are catching out 
third party software developers and end users alike.



BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which 
are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use, copy 
or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors 
e-mails sent or received.
Further communication will signify your consent to this.
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread John H Terpstra
On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 I'm doing the same thing but with NT4 so I'm not using active directory.
 The only thing you haven't mentioned that I can think of is nsswitch.conf,
 you should have -

 passwd: files winbind
 group: files winbind

 Getent works for me, I'm stuck with getting log ons to the Solaris machine
 with NT usernames to work.

If you want to log onto the Sun machine using Windows networking
credentials you must configure PAM to support the use of pam_winbind.so.
Have you done that?

- John T.


 They seem to have changed something in Solaris 9, even Sun hasn't been able
 to help me!

 -Original Message-
 From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 13:45
 To: Ganguly, Sapan ; [EMAIL PROTECTED]
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Hi Sapan/All,

   ok this is all in my test/dev environment. I have a Sun Sparc
 workstation running Solaris 9 and an Intel server running Windows 2000
 server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
 installed and is successfully joined to the AD domain, I can authenticate
 via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is
 centralising the IDMAP mappings across our theoretical Samba server
 infrastructure.

   On the same sparc system I also have SunONE DS 5.2 installed, this has the
 schema for Samba 3.0.1 successfully loaded. I have created the idmap OU in
 the directory and I have configured my smb.conf to use LDAP for idmap data,
 file attached. And I have set the LDAP admin account password with
 smbpasswd -w. I have also disabled nscd from starting up and installed patch
 113476-05 which is required for Solaris 9. I can also see winbindd
 establishing a connection to Sun LDAP in its access log.

   As I was writing this mail I have noticed that a getent for users and
 groups is not displaying any AD users/groups but is exiting with a status 0,
 this is despite the fact that wbinfo is correctly displaying all my AD
 users/groups!? I can see from a snoop and truss run on the getent that it is
 making LDAP calls to the AD DC but it's not returning anything!?! I have had
 this running on a Solaris 8 system in my test environment successfully and
 can't think of anything I've done differently.

 If anyone can help I'd greatly appreciate it,

   many thanks Andy.

 -Original Message-
 From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
 Posted At: 07 January 2004 16:44
 Posted To: Samba
 Conversation: [Samba] How do I get Winbind accounts in LDAP?
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



 Andy,

 Tell us a bit more, I'm doing a similar thing I think.  I'm not using Sun's
 LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging
 into my Solaris 9.0 machine running winbind, with my NT username and
 password which creates an idmap in the openldap database on the Redhat
 box... well, that's what it is supposed to do anyway...it works fine on
 Redhat, Solaris is proving to be a little more tricky.

 Is this what you are doing?

 -Original Message-
 From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
 Sent: 07 January 2004 14:23
 To: [EMAIL PROTECTED]
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Hi John/List,

   I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
 but without any success. I've tried what John T has suggested below but my
 idmap OU is still empty (adapted LDAP commands for Sun DS). I cannot see any
 errors in either Samba or Sun DS logs, does anyone have any troubleshooting
 tips to help work out why this isn't working?

   many thanks Andy.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 John H Terpstra
 Posted At: 03 January 2004 23:54
 Posted To: Samba
 Conversation: [Samba] How do I get Winbind accounts in LDAP?
 Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


 Kent,

 Did you create the container for the ou=Idmap in your LDAP database? The
 IDMAP entries are automatically added to LDAP - IF the container exists, and
 so long as Samba can access that database.

 Also, I suggest you store your machine accounts in the Users container and
 not in the Computers container. Samba does not at this time search the
 Computers container correctly.

 Execute the following to find out if your LDAP database has an IDMAP
 container:
   slapcat | grep -i IDMAP


 If nothing is returned, execute this:

 ldapadd -x -D cn=admin,dc=tow,dc=net -w 'password' << EOR
 dn: ou=Idmap,dc=abmas,dc=biz
 objectClass: organizationalunit
 ou: idmap
 structuralObjectClass: organizationalunit
 EOR

 Now you must stop samba, delete the winbind*tdb files, restart samba,
 run:
   wbinfo -u
 And that should automatically populate your LDAP IDMAP database.

 Cheers,
 John T.




RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread Ganguly, Sapan

Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main
HOWTO collection that comes with Samba 3.0, the only difference is that I
used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson.
I haven't managed to get hold of him, he says he has made it work on Solaris
9.
I also want to get pam_mkhomedir to work but I have to get past this bit first.
From his email signature it looks like he works for Sun in Sweden but even
the Sun helpdesk in the UK hasn't been able to get hold of him yet. 

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 15:54
To: Ganguly, Sapan 
Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 I'm doing the same thing but with NT4 so I'm not using active 
 directory. The only thing you haven't mentioned that I can think of is 
 nsswitch.conf, you should have -

 passwd: files winbind
 group: files winbind

 Getent works for me, I'm stuck with getting log ons to the Solaris 
 machine with NT usernames to work.

If you want to log onto the Sun machine using Windows networking credentials
you must configure PAM to support the use of pam_winbind.so. Have you done
that?

- John T.


 They seem to have changed something in Solaris 9, even Sun hasn't been 
 able to help me!

 -Original Message-
 From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 13:45
 To: Ganguly, Sapan ; [EMAIL PROTECTED]
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Hi Sapan/All,

   ok this is all in my test/dev environment. I have a Sun Sparc 
 workstation running Solaris 9 and an Intel server running Windows 2000 
 server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1 
 installed and is successfully joined to the AD domain, I can 
 authenticate via kerberos and wbinfo -u lists domain users etc. All I 
 need LDAP for is centralising the IDMAP mappings across our 
 theoretical Samba server infrastructure.

   On the same sparc system I also have SunONE DS 5.2 installed, this 
 has the schema for Samba 3.0.1 successfully loaded. I have created the 
 idmap OU in the directory and I have configured my smb.conf to use
 LDAP for idmap data, file attached. And I have set the LDAP admin
 account password with smbpasswd -w. I have also disabled nscd from
 starting up and installed patch 113476-05 which is required for Solaris
 9. I can also see winbindd establishing a connection to Sun LDAP in 
 its access log.

   As I was writing this mail I have noticed that a getent for users 
 and groups is not displaying any AD users/groups but is exiting with a 
 status 0, this is despite the fact that wbinfo is correctly displaying 
 all my AD users/groups!? I can see from a snoop and truss run on the 
 getent that it is making LDAP calls to the AD DC but it's not 
 returning anything!?! I have had this running on a Solaris 8 system in 
 my test environment successfully and can't think of anything I've done 
 differently.

 If anyone can help I'd greatly appreciate it,

   many thanks Andy.

 -Original Message-
 From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
 Posted At: 07 January 2004 16:44
 Posted To: Samba
 Conversation: [Samba] How do I get Winbind accounts in LDAP?
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



 Andy,

 Tell us a bit more, I'm doing a similar thing I think.  I'm not using 
 Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and 
 I'm logging into my Solaris 9.0 machine running winbind, with my NT 
 username and password which creates an idmap in the openldap database 
 on the Redhat box... well, that's what it is supposed to do
 anyway...it works fine on Redhat, Solaris is proving to be a little 
 more tricky.

 Is this what you are doing?

 -Original Message-
 From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
 Sent: 07 January 2004 14:23
 To: [EMAIL PROTECTED]
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 Hi John/List,

   I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
 but without any success. I've tried what John T has suggested below
 but my idmap OU is still empty (adapted LDAP commands for Sun DS). I
 cannot see any errors in either Samba or Sun DS logs, does anyone have 
 any troubleshooting tips to help work out why this isn't working?

   many thanks Andy.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf 
 Of John H Terpstra
 Posted At: 03 January 2004 23:54
 Posted To: Samba
 Conversation: [Samba] How do I get Winbind accounts in LDAP?
 Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


 Kent,

 Did you create the container for the ou=Idmap in your LDAP database? 
 The IDMAP entries are automatically added to LDAP - IF the container 
 exists, and so long as Samba can access that database.

 Also, I suggest

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread John H Terpstra
Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have
a Sun box it is a little difficult for me to help you directly.

What output do you get from:
wbinfo -u
wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main
 HOWTO collection that comes with Samba 3.0, the only difference is that I
 used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson.
 I haven't managed to get hold of him, he says he has made it work on Solaris
 9.
 I also want to get pam_mkhomedir to work but I have to get past this bit first.
 From his email signature it looks like he works for Sun in Sweden but even
 the Sun helpdesk in the UK hasn't been able to get hold of him yet.

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 15:54
 To: Ganguly, Sapan
 Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

 
  I'm doing the same thing but with NT4 so I'm not using active
  directory. The only thing you haven't mentioned that I can think of is
  nsswitch.conf, you should have -
 
  passwd: files winbind
  group: files winbind
 
  Getent works for me, I'm stuck with getting log ons to the Solaris
  machine with NT usernames to work.

 If you want to log onto the Sun machine using Windows networking credentials
 you must configure PAM to support the use of pam_winbind.so. Have you done
 that?

 - John T.


  They seem to have changed something in Solaris 9, even Sun hasn't been
  able to help me!
 
  -Original Message-
  From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
  Sent: 08 January 2004 13:45
  To: Ganguly, Sapan ; [EMAIL PROTECTED]
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
  Hi Sapan/All,
 
  ok this is all in my test/dev environment. I have a Sun Sparc
  workstation running Solaris 9 and an Intel server running Windows 2000
  server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
  installed and is successfully joined to the AD domain, I can
  authenticate via kerberos and wbinfo -u lists domain users etc. All I
  need LDAP for is centralising the IDMAP mappings across our
  theoretical Samba server infrastructure.
 
On the same sparc system I also have SunONE DS 5.2 installed, this
  has the schema for Samba 3.0.1 successfully loaded. I have created the
  idmap OU in the directory and I have configured my smb.conf to use
  LDAP for idmap data, file attached. And I have set the LDAP admin
  account password with smbpasswd -w. I have also disabled nscd from
  starting up and installed patch 113476-05 which is required for Solaris
  9. I can also see winbindd establishing a connection to Sun LDAP in
  its access log.
 
As I was writing this mail I have noticed that a getent for users
  and groups is not displaying any AD users/groups but is exiting with a
  status 0, this is despite the fact that wbinfo is correctly displaying
  all my AD users/groups!? I can see from a snoop and truss run on the
  getent that it is making LDAP calls to the AD DC but it's not
  returning anything!?! I have had this running on a Solaris 8 system in
  my test environment successfully and can't think of anything I've done
  differently.
 
  If anyone can help I'd greatly appreciate it,
 
  many thanks Andy.
 
  -Original Message-
  From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
  Posted At: 07 January 2004 16:44
  Posted To: Samba
  Conversation: [Samba] How do I get Winbind accounts in LDAP?
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
 
  Andy,
 
  Tell us a bit more, I'm doing a similar thing I think.  I'm not using
  Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and
  I'm logging into my Solaris 9.0 machine running winbind, with my NT
  username and password which creates an idmap in the openldap database
  on the Redhat box... well, that's what it is supposed to do
  anyway...it works fine on Redhat, Solaris is proving to be a little
  more tricky.
 
  Is this what you are doing?
 
  -Original Message-
  From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
  Sent: 07 January 2004 14:23
  To: [EMAIL PROTECTED]
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
  Hi John/List,
 
  I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
  but without any success. I've tried what John T has suggested below
  but my idmap OU is still empty (adapted LDAP commands for Sun DS). I
  cannot see any errors in either Samba or Sun DS logs, does anyone have
  any troubleshooting tips to help work out why this isn't working?
 
  many thanks Andy.
 
  -Original Message

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-08 Thread Ganguly, Sapan

John,

wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 1-2
winbind uid = 1-2
idmap gid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = NT-Server-Name

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#   Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.224.25 

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 



Thanks,
Sapan

-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
wbinfo -u
wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:


 Yep, I've done that, I basically followed the Solaris 9 HOWTO from the 
 main HOWTO collection that comes with Samba 3.0, the only difference 
 is that I used an /etc/pam.conf for Solaris 9 posted on the list by 
 Patrik Gustavsson. I haven't managed to get hold of him, he says he 
 has made it work on Solaris 9. I also want to get pam_mkhomedir to work
 but I have to get past this bit first.
 From his email signature it looks like he works for Sun in Sweden but
 even
 the Sun helpdesk in the UK hasn't been able to get hold of him yet.

 -Original Message-
 From: John H Terpstra [mailto:[EMAIL PROTECTED]
 Sent: 08 January 2004 15:54
 To: Ganguly, Sapan
 Cc: 'ww m-pubsyssamba'; '[EMAIL PROTECTED]'
 Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


 On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:

 
  I'm doing the same thing but with NT4 so I'm not using active 
  directory. The only thing you haven't mentioned that I can think of 
  is nsswitch.conf, you should have -
 
  passwd: files winbind
  group: files winbind
 
  Getent works for me, I'm stuck with getting log ons to the Solaris 
  machine with NT usernames to work.

 If you want to log onto the Sun machine using Windows networking 
 credentials you must configure PAM to support the use of 
 pam_winbind.so. Have you done that?

 - John T.


  They seem to have changed something in Solaris 9, even Sun hasn't 
  been able to help me!
 
  -Original Message-
  From: ww m-pubsyssamba [mailto:[EMAIL PROTECTED]
  Sent: 08 January 2004 13:45
  To: Ganguly, Sapan ; [EMAIL PROTECTED]
  Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
 
 
  Hi Sapan/All,
 
  ok this is all in my test/dev environment. I have a Sun Sparc 
  workstation running Solaris 9 and an Intel server running Windows 
  2000 server acting as a Native mode AD DC. My Sparc system has Samba 
  3.0.1 installed and is successfully joined to the AD domain, I can 
  authenticate via kerberos and wbinfo -u lists domain users etc. All 
  I need LDAP for is centralising the IDMAP mappings across our 
  theoretical Samba server infrastructure.
 
On the same sparc

RE: [Samba] How do I get Winbind accounts in LDAP?

2004-01-07 Thread ww m-pubsyssamba
Hi John/List,

I'm attempting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2 but
without any success. I've tried what John T has suggested below but my idmap OU is
still empty (adapted LDAP commands for Sun DS). I cannot see any errors in either
Samba or Sun DS logs, does anyone have any troubleshooting tips to help work out why 
this isn't working?

many thanks Andy.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
John H Terpstra
Posted At: 03 January 2004 23:54
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


Kent,

Did you create the container for the ou=Idmap in your LDAP database?
The IDMAP entries are automatically added to LDAP - IF the container
exists, and so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container
and not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D cn=admin,dc=tow,dc=net -w 'password' << EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.





Re: [Samba] How do I get Winbind accounts in LDAP?

2004-01-03 Thread John H Terpstra
Kent,

Did you create the container for the ou=Idmap in your LDAP database?
The IDMAP entries are automatically added to LDAP - IF the container
exists, and so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container
and not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D cn=admin,dc=tow,dc=net -w 'password' << EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.


On Sat, 3 Jan 2004, Kent L. Nasveschuk wrote:

 I've seen this posting before but I need to get a grasp on this. I am
 using winbindd for users that don't have a local account on a Linux box.
 I thought that placing the entries below in the smb.conf would create
 users in ou=Idmap. Instead the ou=Idmap increments the uidNumber with
 every user that is added, but the user ID mappings are stored in
 /usr/local/var/locks/winbindd_idmap.tdb. What entry in smb.conf will
 change this? These are the applicable portions of smb.conf.

 ldap suffix = dc=tow,dc=net
 ldap machine suffix = ou=Computers
 ldap user suffix = ou=Users
 ldap group suffix = ou=Groups
 ldap admin dn = cn=admin,dc=tow,dc=net
 ldap ssl = no
 idmap backend = ldap:ldap://127.0.0.1
 ldap idmap suffix = ou=Idmap
 winbind separator = +
 idmap uid = 4-5
 idmap gid = 4-5
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /accounts/default/%D/%U
 template shell = /bin/bash
 winbind use default domain = yes
 winbind cache time = 15
 obey pam restrictions = yes

 So I use wbinfo -c username. This returns a RID number. User can now
 login or use smbclient -L localhost -U username password and get
 available shares on this BDC. In LDAP directory is incremented by 1, but
 there are no entries.

 How do I move the entries that are stored in
 /usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory?

 What I've omitted in all this is that pam and pam_winbind is setup
 correctly, which I believe it is.




-- 
John H Terpstra
Email: [EMAIL PROTECTED]
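
An added example, not part of any message in this thread and not Samba project code: a Python check of the settings the thread keeps returning to (the LDAP idmap backend and its suffixes, the machine-account container John T. mentions, `ldap ssl` switched off toward a non-local LDAP server, and winbind in nsswitch.conf). The sample files, function names and finding codes are constructed for illustration.

```python
import re

# Constructed samples modelled on the settings quoted in the thread; the host
# name, DNs and id ranges are made up for illustration.
SAMPLE_SMB_CONF = """\
[global]
   ldap suffix = dc=example,dc=test
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   ldap admin dn = cn=admin,dc=example,dc=test
   ldap ssl = no
   idmap backend = ldap:ldap://ldap1.example.test
   ldap idmap suffix = ou=Idmap
   idmap uid = 10000-20000
   ; idmap gid deliberately left out
"""
SAMPLE_NSSWITCH = """\
Passwd: files winbind
group:  files
"""
LOOPBACK = {"127.0.0.1", "localhost"}


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Parameter names are lower-cased and runs of whitespace collapsed, since
    smb.conf ignores case and spacing in parameter names.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_idmap_ldap(smb_conf, nsswitch):
    """Return a sorted list of finding codes (hypothetical names)."""
    p, findings = parse_global(smb_conf), set()

    m = re.match(r"ldap:(ldaps?)://([^/:\s]+)", p.get("idmap backend", ""))
    if not m:
        findings.add("idmap-backend-not-ldap")
    for name in ("ldap suffix", "ldap admin dn", "ldap idmap suffix"):
        if name not in p:
            findings.add("missing:" + name)
    for name in ("idmap uid", "idmap gid"):
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get(name, ""))
        if not r or int(r.group(1)) >= int(r.group(2)):
            findings.add("bad-range:" + name)

    # John T.'s advice in the thread: keep machine accounts with the users.
    machine, user = p.get("ldap machine suffix"), p.get("ldap user suffix", "")
    if machine is not None and machine.lower() != user.lower():
        findings.add("machine-suffix-differs-from-user-suffix")

    # winbindd binds as the admin DN with the password stored by smbpasswd -w;
    # with TLS explicitly off that bind crosses the network unencrypted.
    tls_off = p.get("ldap ssl", "").lower() in {"no", "off", "false", "0"}
    if m and m.group(1) == "ldap" and m.group(2).lower() not in LOOPBACK and tls_off:
        findings.add("cleartext-bind-to-remote-ldap")

    # nsswitch.conf: database names are lower case and must list winbind.
    for db in ("passwd", "group"):
        sources = []
        for line in nsswitch.splitlines():
            key, sep, rest = line.partition(":")
            if sep and key.strip().lower() == db:
                if key.strip() != db:
                    findings.add("nsswitch-key-not-lowercase:" + key.strip())
                sources = rest.split("#")[0].split()
        if "winbind" not in sources:
            findings.add("nsswitch-no-winbind:" + db)
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_idmap_ldap(SAMPLE_SMB_CONF, SAMPLE_NSSWITCH):
        print(finding)
```

An empty result means only that these static prerequisites are present; whether winbindd actually writes mappings into the container still has to be confirmed against the directory itself.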