Recently, I've spent the last few days trying to get some unix client boxes to authenticate logins via winbind, so all of our unix system accounts can be maintained from active directory. So far, everything is working, and users can authenticate into the system, but they are assigned random uid/gid values, based on the smb.conf as well as the internal winbind_idmap.tdb file.
Anyways, since users' home directories are in NFS, the uid/gid need to be uniform across the network, which is where ldap comes in. So, we added a set of schema to active directory in windows, and now every user has two new fields, uidNumber and gidNumber. The only thing I need to do now is somehow get samba to get this information out of the AD via LDAP, and use it rather than letting samba make its own uid table.
I set up samba with all the relevant details of how to contact our AD server with LDAP (I should note that I can browse the uidNumber and gidNumber fields from a command line in unix with the ldapsearch tool). However, for whatever reason, samba can't seem to authenticate this way, and no information gets dumped to the error logs. Here's the smb.conf I've been working with:
[global]
workgroup = WORKGROUP
security = DOMAIN
log level = 10
log file = /var/adm/samba.log
local master = No
domain master = No
wins server = leviathan
ldap server = zurg
ldap suffix = dc=example,dc=com
ldap user suffix = ou=Employees
ldap group suffix = ou=Groups
ldap filter = (uidNumber=%u)
ldap admin dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap ssl = no
idmap backend = ldap:ldap://zurg
idmap uid = 1000-2000
idmap gid = 600-1000
template primary group = employee
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes

Here, zurg is our AD server (running windows 2003 server). The only thing that I can think of that might be bad is that it won't allow anonymous binds... yet I haven't seen any place to put in a bind password for LDAP. Does anyone know how I might be able to get this up and running?
Thanks, Nik
-- // Nik Reiman || [EMAIL PROTECTED] || http://www.aboleo.net \\
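Added example, not part of Nik's post or of the Samba project: a small Python checker that parses the [global] section quoted above and reports the points to verify before trusting winbind's uid/gid mappings on NFS-shared home directories. The sample input is the posted smb.conf. Two of the checks rest on Samba 3 behaviour I am stating as fact here: the password for "ldap admin dn" is never read from smb.conf but from secrets.tdb, where "smbpasswd -w" stores it, and the ldap idmap backend keeps its own sambaIdmapEntry objects under "ldap idmap suffix" instead of reading a user's uidNumber attribute. The parser only understands the plain "key = value" layout; it does not follow "include =" lines or expand %-macros.

```python
"""Static review of winbind/idmap-over-LDAP settings in an smb.conf.

Added example; not code from the Samba project or from the original post.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

# Sample input: the [global] section from the post above, verbatim.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = DOMAIN
log level = 10
log file = /var/adm/samba.log
local master = No
domain master = No
wins server = leviathan
ldap server = zurg
ldap suffix = dc=example,dc=com
ldap user suffix = ou=Employees
ldap group suffix = ou=Groups
ldap filter = (uidNumber=%u)
ldap admin dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap ssl = no
idmap backend = ldap:ldap://zurg
idmap uid = 1000-2000
idmap gid = 600-1000
template primary group = employee
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with inner
    whitespace collapsed, matching how smbd/winbindd normalise them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name").lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_range(value):
    """'1000-2000' -> (1000, 2000); ValueError on a malformed or inverted range."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m:
        raise ValueError("expected LOW-HIGH, got %r" % (value,))
    low, high = int(m.group(1)), int(m.group(2))
    if low >= high:
        raise ValueError("range low must be below high: %r" % (value,))
    return low, high


def check_idmap_config(g):
    """Return a list of (severity, message) findings for a [global] dict."""
    findings = []
    if g.get("idmap backend", "").lower().startswith("ldap"):
        if "ldap admin dn" not in g:
            findings.append(("error", "idmap backend = ldap needs 'ldap admin dn'; "
                                      "AD does not allow the anonymous bind winbindd would otherwise try"))
        else:
            # The bind password lives in secrets.tdb, not smb.conf (Samba 3 behaviour).
            findings.append(("info", "store the 'ldap admin dn' password with "
                                     "'smbpasswd -w <password>'; it is kept in secrets.tdb, not smb.conf"))
        # Only judge an explicit setting; defaults differed between Samba 3 releases.
        if g.get("ldap ssl", "").lower() in ("no", "off"):
            findings.append(("warning", "ldap ssl = no: the admin DN bind sends its password in "
                                        "clear text; use 'ldap ssl = start tls' or an ldaps:// server URL"))
        if "ldap idmap suffix" not in g:
            findings.append(("warning", "no 'ldap idmap suffix': idmap_ldap stores its own sambaIdmapEntry "
                                        "objects there and does not read each user's uidNumber"))
    for key in ("idmap uid", "idmap gid"):
        try:
            low, _high = parse_range(g.get(key))
        except ValueError as exc:
            findings.append(("error", "%s: %s" % (key, exc)))
            continue
        if low < 1000:  # common distribution convention for locally reserved ids
            findings.append(("warning", "%s starts at %d, which collides with the local system "
                                        "id range on most distributions" % (key, low)))
    return findings


def review(text):
    """Parse an smb.conf and return the findings for its [global] section."""
    return check_idmap_config(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for severity, message in review(SAMPLE_SMB_CONF):
        print("%-8s %s" % (severity, message))
```

Run it against a real file with review(open("/etc/samba/smb.conf").read()); a mapping that looks right on one host is only safe for NFS if every client resolves the same name to the same number, so the ranges and the idmap suffix are what to compare across the fleet.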
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
