Nik Reiman wrote:

Hello,
Recently, I've spent the last few days trying to get some unix client boxes to authenticate logins via winbind, so all of our unix system accounts can be maintained from active directory. So far, everything is working, and users can authenticate into the system, but they are assigned random uid/gid values, based on the smb.conf as well as the internal winbind_idmap.tdb file.
Anyways, since users' home directories are in NFS, the uid/gid need to be uniform across the network, which is where ldap comes in. So, we added a set of schema to active directory in windows, and now every user has two new fields, uidNumber and gidNumber. The only thing I need to do now is somehow get samba to get this information out of the AD via LDAP, and use it rather than letting samba make its own uid table.
I set up samba with all the relevant details of how to contact our AD server with LDAP (I should note that I can browse the uidNumber and gidNumber fields from a command line in unix with the ldapsearch tool). However, for whatever reason, samba can't seem to authenticate this way, and no information gets dumped to the error logs. Here's the smb.conf I've been working with:


[global]
        workgroup = WORKGROUP
        security = DOMAIN
        log level = 10
        log file = /var/adm/samba.log
        local master = No
        domain master = No
        wins server = leviathan
        ldap server = zurg
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=Employees
        ldap group suffix = ou=Groups
        ldap filter = (uidNumber=%u)
        ldap admin dn = cn=Administrator,cn=Users,dc=example,dc=com
        ldap ssl = no
        idmap backend = ldap:ldap://zurg
        idmap uid = 1000-2000
        idmap gid = 600-1000
        template primary group = employee
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = Yes

Here, zurg is our AD server (running Windows 2003 Server). The only thing that I can think of that might be bad is that it won't allow anonymous binds... yet I haven't seen any place to put in a bind password for LDAP. Does anyone know how I might be able to get this up and running?

To do that part, you issue a
smbpasswd -w <passwordstring>
on the command line of your samba box to set the bind password to associate with the ldap admin dn.


Have you tried storing your winbind idmap on an openldap (or other ldap) server? You could either manually pull the SIDs from the windows directory and then sync them with uids with a script, or you could change the uid stored in the idmap database to match the uid manually as the users connect. I suppose you could store that in your AD server as well, no real reason you couldn't. This wouldn't be reinventing the wheel quite as much and samba will work out of the box with that idmap data.


Thanks, Nik

--
// Nik Reiman || [EMAIL PROTECTED] || http://www.aboleo.net \\


--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.        Cell:   701-306-6254
Information Systems Consultant  Fax:    701-281-1322
URL: www.ae-solutions.com       mailto:[EMAIL PROTECTED]
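A starting point for the SID-to-uid sync script suggested in the reply above, added here as an example and not code from the thread: it compares the uidNumber that AD holds for each user against the uid winbind allocated on its own and lists the users where the two disagree. The input formats are assumptions: LDIF as ldapsearch prints it, with the objectSid already converted to string form, and winbind allocations as `UID <uid> <SID>` lines of the kind `net idmap dump` writes.

```python
import re
# Constructed sample of two AD users as ldapsearch -LLL might print them (SID assumed already in string form).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Employees,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1105
uidNumber: 1500
gidNumber: 600

dn: CN=Bob Example,OU=Employees,DC=example,DC=com
sAMAccountName: bob
objectSid: S-1-5-21-1111-2222-3333-1106
uidNumber: 1501
gidNumber: 600
"""

# Constructed winbind allocations in "UID <n> <SID>" form; bob's line carries the random uid winbind picked, not the AD value 1501.
SAMPLE_IDMAP = """\
UID 1500 S-1-5-21-1111-2222-3333-1105
UID 1000 S-1-5-21-1111-2222-3333-1106
GID 600 S-1-5-21-1111-2222-3333-513
"""

def parse_ldif(text):
    """Return {sid: (account, uidNumber, gidNumber)} from LDIF entries."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {k.strip(): v.strip() for k, _, v in
                 (line.partition(":") for line in block.splitlines())}
        if "objectSid" in attrs and "uidNumber" in attrs:
            users[attrs["objectSid"]] = (attrs["sAMAccountName"],
                                         int(attrs["uidNumber"]),
                                         int(attrs["gidNumber"]))
    return users

def parse_idmap(text):
    """Return {sid: uid} from the UID lines of an idmap dump."""
    mapping = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "UID":
            mapping[parts[2]] = int(parts[1])
    return mapping

def find_mismatches(ldif_text, idmap_text):
    """(account, AD uid, winbind uid or None) where the two disagree."""
    wb = parse_idmap(idmap_text)
    return [(acct, uid, wb.get(sid)) for sid, (acct, uid, _gid)
            in sorted(parse_ldif(ldif_text).items()) if wb.get(sid) != uid]
```

On a real box the LDIF would come from a simple bind with the ldap admin dn (ldapsearch -x -D ... -W) rather than the anonymous bind that zurg refuses.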


