On Thu, Nov 5, 2009 at 2:32 PM, Alex Samad <[email protected]> wrote:
> > I haven't used any of the ldap stuff that you are using so it's beyond me at
> > this point. I wish I could help more, I know how it is to be in that
> > position. Is this just a member workstation/server or is it trying to be a
> > DC? To me if it is just a member, I can't see why you would need all the
> > LDAP stuff. Security should also probably be ADS as well. Here is my conf
>
> not sure what you mean by all that ldap stuff I have, I understand ads
> is stored in M$ ldap
>

Indeed, Active Directory is LDAP, but the link on pastebin is much different than what you posted here. For most of what I need, I don't have to do LDAP stuff. I just finished writing a script to query AD for a user's e-mail address and I had to do that over LDAP because winbind doesn't provide it. It would be nice to have winbind provide things like that (makes note to self when things slow down, to look at patching that in).

> [global]
> workgroup = AD
> server string = %h server
> dns proxy = no
> interfaces = 192.168.5.10/24
> bind interfaces only = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> netbios name = bblx01
> realm = ad.barbarast.samad.com.au
> security = ADS
> encrypt passwords = true
> password server = *
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind use default domain = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

So, a couple of things that I notice that may/may not help.
Your realm is lower case, it needs to be uppercase.

You are missing an idmap_backend type (I'm pretty sure you need this so that winbind knows how to map your users' SIDs to UIDs). You can choose from hash, rid or ads. See my example for hash (you don't need ranges, i.e. idmap uid = 10000-20000). Rid, you need to specify the domain (trusted domains may not work, although I think you can specify different ranges for different domains) and you will need the ranges that you currently have. Ads needs to have the Active Directory schema extended; you don't need the ranges, but the schema will need to be populated (I think Samba can do that for you, but I don't have experience). Each one comes with its pros and cons; if your schema is not extended and you don't have other *NIXs that rely on it, I'd suggest using hash, but it is only in 3.4.x.

Other than that things look ok. Also, if a home directory is not created for the user, they probably won't be able to log in due to the template shell = /bin/false.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
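To make the advice in the thread concrete, here is the posted [global] section with those fixes applied. This is an added example, not a configuration from either poster. It assumes Samba 3.4-era syntax and picks the rid backend, because the poster's Samba version is not stated and the reply notes that hash only exists in 3.4.x; the workgroup, realm, NetBIOS name, interface and 10000-20000 range are the ones from the posted file. The 20001-30000 range for the default tdb backend is an assumption, chosen only so that it does not overlap the rid range.

```ini
[global]
    workgroup = AD
    # The realm is the Kerberos realm; Samba uses it when it obtains a
    # ticket to join the domain, and Kerberos realm names are upper case.
    realm = AD.BARBARAST.SAMAD.COM.AU
    security = ADS
    encrypt passwords = true
    password server = *
    netbios name = bblx01
    server string = %h server
    dns proxy = no
    interfaces = 192.168.5.10/24
    bind interfaces only = yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d

    # Local account handling from the posted file, unchanged.
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes

    # idmap: the posted file set ranges but no backend, so winbind had no
    # rule for turning SIDs into uids/gids. rid derives the uid/gid from the
    # RID part of each SID, so it needs an explicit range per domain.
    # (rid is an assumption here; hash is the alternative on 3.4.x.)
    idmap config AD : backend = rid
    idmap config AD : range = 10000-20000

    # Default backend for SIDs outside the AD domain (BUILTIN, local SAM).
    # Its range must not overlap the rid range above; 20001-30000 is assumed.
    idmap backend = tdb
    idmap uid = 20001-30000
    idmap gid = 20001-30000

    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    # /bin/false is fine for a pure file server. Give domain users a real
    # shell only if they are meant to log in on this host; their home
    # directory then still has to exist (or be created by pam_mkhomedir).
    template shell = /bin/false

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
```

To apply it: run `testparm` to confirm the file parses and the idmap settings are accepted, make sure the host's DNS name resolves and its clock is within Kerberos skew of the DC (the default tolerance is 5 minutes), then `net ads join -U Administrator`, restart winbind, and check with `wbinfo -t` (trust secret), `wbinfo -u` (enumerate users) and `getent passwd someuser` (with `winbind use default domain = yes` the bare username resolves through NSS). If `getent` returns nothing while `wbinfo -u` works, the idmap section is the first place to look.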
