Daniel Bauer wrote:
Hi Andrew,

From: "Andrew Masterson" <[email protected]>
> I tried to set up a SuSE10.2 with samba 3.0.23d (but the same trouble with
> SuSE11.1).
>
> I got a valid Kerberos Ticket and joined successfully the domain (with net
> join).
>
> Users and groups are displayed with wbinfo -u / -g . I could also verify
> accounts with wbinfo -a user%pass.
>
> When I tried to access the shares, the dialog appears to give the
> credentials. It doesn't matter what you fill in, there is no access.
>
> I also could not get users and groups with getent passwd / group. I tried
> different configs of
> /etc/nsswitch.conf with different results:
>
> only local accounts will be shown:
> passwd: compat
> group: compat
>
> local account and the group BUILTIN
> passwd: files winbind
> group: files winbind
>
> here are the local account, the BUILTIN group and a new entry like this:
> "+::0:" are displayed
> I think there is a problem with matching Windows LDAP with *nix LDAP
> passwd: files winbind ldap
> group: files winbind ldap
>
> My /etc/smb.conf:
> [global]
>        workgroup = WIN2003SRV
>        security = ADS
>        realm = win2003srv.loc
>        idmap backend = ad
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        template homedir = /home/%D/%U
>        winbind separator = +
>        password server = 10.1.2.154
>        domain master = No
>        ldap ssl = no
>        winbind use default domain = yes
>        winbind enum users = yes
>        winbind enum groups = yes
>        winbind nested groups = yes
>        encrypt passwords = yes
>        client use spnego = yes
>        wins server = 10.1.2.154
>
> I see successful logins at the Windows DC.
> Do I need LDAP, or is Kerberos enough?
> Could somebody tell me what I do wrong?

Is really nobody able to give me a hint what to look for?


Is nscd running?  If so, turn it off.  I think the default SUSE installs
have nscd enabled.

No, I disabled it, because some guys mentioned trouble with nscd.

Thanks
Daniel

The Samba docs indicate that the AD server must be prepared in advance for this backend to work - schema extensions, extra classes, attributes, etc.

Quote:
"The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is READONLY. Mappings must be provided in advance by the administrator by adding the posixAccount/posixGroup classes and relative attribute/value pairs to the user and group objects in the AD."

Do you know if this has been done?

Dale
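
The check Dale asks about can be run offline over an LDIF export of the AD user objects. The following is an added example, not part of the original thread and not Samba code. The sample entries and the function names are constructed, and treating IDs outside the `idmap uid` / `idmap gid` range from the posted smb.conf as unusable is an assumption.

```python
import re

# Constructed sample: what an LDIF export of AD user objects might look like.
# Account names and ID values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: carol
msSFU30UidNumber: 500
msSFU30GidNumber: 10000
"""

# RFC2307 attribute names first, then their SFU schema equivalents.
UID_ATTRS = ("uidnumber", "mssfu30uidnumber")
GID_ATTRS = ("gidnumber", "mssfu30gidnumber")

def parse_ldif(text):
    """Split LDIF into entries; return a list of {attr_lower: value} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(("#", " ")):
                key, _, value = line.partition(":")
                entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def check_mappings(ldif_text, low=10000, high=20000):
    """Classify each account as 'ok', 'missing' or 'out_of_range'."""
    report = {}
    for e in parse_ldif(ldif_text):
        name = e.get("samaccountname", e.get("dn", "?"))
        uid = next((e[a] for a in UID_ATTRS if a in e), None)
        gid = next((e[a] for a in GID_ATTRS if a in e), None)
        if uid is None or gid is None:
            report[name] = "missing"       # idmap_ad is read-only: no mapping
        elif not (low <= int(uid) <= high and low <= int(gid) <= high):
            report[name] = "out_of_range"  # assumption: outside idmap range
        else:
            report[name] = "ok"
    return report
```

Accounts reported as `missing` have no posix attributes in AD, which is the unprepared-directory case the quoted documentation describes.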
