On 05/22/2012 3:17 PM, Newman, John W wrote:
Which version of Samba are you using?
Samba version 3.5.11
What does the idmap backend configuration for winbind look like?
Well.. I'm not really sure what that is (I inherited this project). In
smb.conf all he has here is: idmap uid = 10000-20000 idmap gid=10000-20000
.... I don't see idmap backend = set at all in here. That is probably a big
part of the problem isn't it?
It would be using the default tdb backend. You could do a testparm -sv
and grep for idmap and winbind to see all the parameters that are
available. Better still, if you have SWAT and samba-doc installed, you
can easily see the options available for each parameter.
Does testparm yield any errors?
ERROR: the 'winbind separator' parameter must be a single character. Hmm.. I
just changed that to a single \ , and our existing authentication service still
works fine, but the share behaves no differently. The extra \ was probably in
error from this file being edited with sed.
Do getent group and wbinfo -g return the expected results?
getent group shows all of the local linux groups on this machine - no AD
groups. Is that expected?
If you have winbind enum groups = Yes, then they should show, otherwise
not. Domains with large numbers of users usually leave this as No (also
winbind enum users).
wbinfo -g shows the windows groups fine, the only thing that's odd is that all of
the groups on this domain show in lower case.
That's normal for winbind.
They may or may not be that way in their AD, I can't see for sure. (We are
forcing a linux machine into someones windows network.... )
Are nsswitch.conf and PAM configured for authentication?
For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched
from the defaults.
In nsswitch.conf, you will need to add winbind to the passwd and group
entries. The article I previously linked (below) has an example PAM
config (/etc/pam.d/login) for winbind.
For completeness, you might also want to look at this:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm
All that has really been setup so far is an apache service that uses
mod_auth_ntlm_winbind to authenticate users of a webpage to their DC. We are
now trying to expand that samba/winbind stack over into sharing a folder. So,
we probably do need to look at modifying those files, and id mapping, to have a
samba share authenticate against the DC. Right? For some reason I figured
this part would just work since the join already happened.
A domain can be joined without winbind, but there are steps to take to
actually use it.
Thanks again!
-----Original Message-----
From: Dale Schroeder [mailto:[email protected]]
Sent: Tuesday, May 22, 2012 14:51
To: Newman, John W
Cc: [email protected]
Subject: Re:[Samba] Grant only one AD group to samba share ?
A few questions that might narrow things -
Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm
On 05/22/2012 1:01 PM, Newman, John W wrote:
Thanks..
Unfortunately neither suggestion worked
chgrp still just says "invalid group"
valid users = @"DOMAIN\\My Group" behaves the same as I described in the OP.
Valid credentials = access denied ; invalid credentials = invalid name or bad password.
I already tried all sorts of things in valid users, but nothing is the magic string I
need.
Any other ideas?
Thanks for the help so far, much appreciated!!
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: [email protected]
Subject: Re: [Samba] Grant only one AD group to samba share ?
On 21/05/12 23:36, Dale Schroeder wrote:
On 05/21/2012 3:42 PM, Newman, John W wrote:
Thanks for the suggestion, but .. that doesn't work ...
chgrp My\ Group /media/share
chgrp: invalid group: `My Group'
"My Group" is a windows AD group, not a local linux group. The
machine is "joined" to the windows domain through "net ads join",
but I don't think the security is that tightly integrated. I don't
have windows groups mapped to linux groups I've created or anything like that.
chgrp is expecting a linux group. Right?
Probably I am missing something, or you guys need more information.
Any thoughts?
Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that
should read:
chgrp MYDOMAIN\\My\ Group /media/share
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
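As an added example (not code from the thread, nor from the Samba project), the script below runs Dale's checklist from the reply above against an smb.conf and an nsswitch.conf: separator length, idmap backend, enum groups, winbind on the passwd/group lines, and the share's valid users entry. Two constructed config pairs are embedded so it runs offline; the first is modelled on the inherited setup John describes (a two-character separator, no idmap backend, untouched nsswitch, and a doubled backslash in valid users), the second on what the replies recommend. The domain EXAMPLE, the group name My Group, the share path and the Samba 3.x parameter names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or Samba: check smb.conf and nsswitch.conf
# against the winbind checklist. Two constructed sample pairs are embedded so
# it runs offline; pass real files to check a host:
#   sh winbind-check.sh /etc/samba/smb.conf /etc/nsswitch.conf share 'EXAMPLE\My Group'
# EXAMPLE, "My Group" and /media/share are made-up values.

# Value of a parameter in one smb.conf section (empty if unset). Samba ignores
# case and the whitespace around '=', so this does too.
smb_param() { # smb_param FILE SECTION "parameter name"
    sect=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z' | tr -d ' ')
    awk -v sect="$sect" -v want="$want" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = tolower($0); gsub(/[^a-z0-9]/, "", s); next }
        s == sect && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            if (k == want) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# testparm's complaint in the thread: the separator must be one character.
check_separator() { # 0 if unset (the default is a single backslash) or one char
    sep=$(smb_param "$1" global 'winbind separator')
    [ -z "$sep" ] || [ "${#sep}" -eq 1 ]
}

idmap_backend() { # configured backend, or the tdb default Dale mentioned
    b=$(smb_param "$1" global 'idmap backend')
    printf '%s\n' "${b:-tdb (default)}"
}

# chgrp and getent resolve group names through NSS, so winbind has to be on the
# passwd and group lines before an AD group is a valid group on the box.
nss_has_winbind() { # nss_has_winbind FILE passwd|group
    awk -v db="$2" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
                    END { exit !ok }' "$1"
}

# smb.conf does not unescape backslashes, so a doubled one names a group that
# cannot exist; 0 when the share has a valid users line without that.
check_valid_users() { # check_valid_users FILE SHARE
    vu=$(smb_param "$1" "$2" 'valid users'); bs2='\\'
    case "$vu" in *"$bs2"*) return 1 ;; esac
    [ -n "$vu" ]
}

audit() { # audit SMB_CONF NSSWITCH_CONF SHARE; prints findings, returns problem count
    n=0
    check_separator "$1" || { echo "winbind separator is not a single character"; n=$((n+1)); }
    echo "idmap backend: $(idmap_backend "$1"); uid $(smb_param "$1" global 'idmap uid'); gid $(smb_param "$1" global 'idmap gid')"
    case "$(smb_param "$1" global 'winbind enum groups' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "note: winbind enum groups is off, so getent group lists no AD groups (wbinfo -g and lookups by name still work)" ;;
    esac
    for db in passwd group; do
        nss_has_winbind "$2" "$db" || { echo "nsswitch.conf: $db line lacks winbind, so chgrp cannot resolve DOMAIN groups"; n=$((n+1)); }
    done
    check_valid_users "$1" "$3" || { echo "[$3] valid users: unset or contains a doubled backslash; write the separator once"; n=$((n+1)); }
    return $n
}

# Live check for a host with winbind running: the same lookup chgrp performs.
resolve_group() { # resolve_group 'DOMAIN\My Group'
    command -v getent >/dev/null 2>&1 || { echo "getent not installed"; return 2; }
    getent group "$1"
}

write_samples() { # constructed configs: the inherited setup, then a fixed one
    cat > "$1/smb-broken.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   winbind separator = \\
   idmap uid = 10000-20000
   idmap gid = 10000-20000
[share]
   path = /media/share
   valid users = @"EXAMPLE\\My Group"
EOF
    cat > "$1/smb-fixed.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   # winbind separator left at its default, a single backslash
   idmap backend = tdb
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum groups = yes
[share]
   path = /media/share
   valid users = @"EXAMPLE\My Group"
EOF
    printf 'passwd: compat\ngroup: compat\n' > "$1/nss-broken.conf"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$1/nss-fixed.conf"
}

if [ $# -ge 2 ]; then
    audit "$1" "$2" "${3:-share}" || echo "$? problem(s)"
    [ $# -ge 4 ] && resolve_group "$4"
else
    tmp=$(mktemp -d); write_samples "$tmp"
    for v in broken fixed; do
        echo "== $v sample =="
        audit "$tmp/smb-$v.conf" "$tmp/nss-$v.conf" share || echo "$? problem(s)"
    done
    rm -rf "$tmp"
fi
```

On a real host, pair the static checks with `testparm -s`, `wbinfo -g` and `getent group 'EXAMPLE\My Group'`: the last is the lookup chgrp performs, and until it returns a line, winbind is not wired into NSS and the group is not yet a group the machine knows, whatever the smb.conf says.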