Hello List-Friends ;-)
O.K. I am a real beginner, so please don't hurt me ;-)
but I've been working for a few days now to get it running, and Google is my best friend.
I also bought O'Reilly's Samba book and a lot of other online stuff, but
AD-Samba-winbind seems to be too new.
I use Suse 9.1 and Samba 3.0.4 as an ADS member server.
We have a W2k Advanced Server (and an M$ admin who doesn't (want to) know anything about
Linux) in our company as AD PDC.
You'll find my smb.conf / ldap.conf / nsswitch.conf at the end of this mail!
What should the Linux box do:
1. Webserver -> the login for the webpage/folder and/or WebDAV should be the same as the
Active Directory username and password, and mapped to the home dir (on Linux).
2. Add new AD users with a CMS (webpage) and also delete them.
3. When new users are added in the AD, I also need a new home folder on Linux, so that
they exist for the Samba home share.
First I want to say that for a Linux beginner it isn't easy to understand the
different ways you could use,
and also which .conf file is used by which daemon (seems stupid)... does winbind use
ldap.conf?
Too much hard stuff, so I want to use winbind instead of LDAP. LDAP is much more difficult
than winbind...
I could test it in a few days with a standalone LDAP server/client solution.
What I've done:
W2k: installed ad4unix to get the new schema there.
Installed an SSL cert, added an AD user account with the NetBIOS name as name, but with
logon name linux.
Then exported and transferred the Kerberos keytab to the Linux box.
I could use net ads join without any problems.
winbind works fine, tested with getent passwd, and wbinfo also works.
Kerberos works too; I get my tickets with kinit and klist shows them.
I could reach and access the shares on the Linux box without problems.
But there are different things I don't understand; some hints would be welcome:
log.winbind said:
1. [2004/07/06 21:02:34, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
Failed to parse NTLMSSP packet, could not extract NTLMSSP command
No idea for a solution ;-(
2. [2004/07/06 21:12:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain DAP failed: Invalid credentials
Which username and which password does winbind use for Kerberos auth? Does it take them from
ldap.conf?
3. [2004/07/06 21:15:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'root' does not exist
I think I have to transfer the users and groups from the Linux server to the
Active Directory (PDC).
I want to do it with smbgroupedit, but I didn't find it. Why is it not in /usr/bin/?
log.smbd said:
1. [2004/07/06 18:59:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
2. [2004/07/06 20:00:13, 1] smbd/service.c:make_connection_snum(619)
192.168.0.208 (192.168.0.208) connect to service dap-intern initially as user
DAP+mschroeder (uid=0, gid=10000) (pid 5550)
I don't understand why the uid=0, and one hour later it shows this (PDC restarted!):
[2004/07/06 21:13:47, 1] smbd/service.c:make_connection_snum(619)
192.168.0.208 (192.168.0.208) connect to service mschroeder initially as user
DAP+mschroeder (uid=10005, gid=10000) (pid 5981)
3. [2004/07/06 20:00:28, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [root] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
Same as point 3 in log.winbind.
O.K., I hope there is somebody who could help...
Some words (in German in the original):
I would be glad to meet someone in Germany (NRW) who knows Linux, so that one could
(!!!) talk it over on the phone sometime.
I'm not looking for someone to solve my problems for me, just someone who can clear up
a few uncertainties now and then. That simply goes faster on the phone than by mail. As a
PC/Windows specialist I know, of course, what it means to be constantly bothered about all
kinds of trivialities.
If I am on the right track,
Kind regards
Markus Schröder
DAP Deutsche Assekuranz Pool GmbH
IT-Support
Berliner Allee 34-36
40212 Düsseldorf
Fon: 0211-13065-122
Fax: 0211-13065-230
Email: [EMAIL PROTECTED]
Privat: [EMAIL PROTECTED]
Tel: 0173-4126516
smb.conf:
# Global parameters
[global]
workgroup = DAP
realm = DAP.LOCAL
security = ADS
auth methods = winbind
password server = 192.168.0.3
disable spoolss = Yes
show add printer wizard = No
#ldap ssl = start tls
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
use sendfile = Yes
winbind uid = 10000
winbind gid = 10000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
#template shell = /bin/bash
[www]
comment = www-root (@DAP+Domänen-Admins)
path = /srv/www
valid users = @DAP+Domänen-Admins
admin users = @DAP+Domänen-Admins
force user = root
force group = root
read only = No
[homes]
comment = User Home from %U
path = /home/%U
valid users = %S
read only = No
[root]
comment = root (@DAP+Domänen-Admins)
path = /
valid users = @DAP+Domänen-Admins
admin users = @DAP+Domänen-Admins
force user = root
force group = root
read only = No
[dap-intern]
comment = DAP-Mitarbeiter
path = /home/dap-mitarbeiter/
valid users = [EMAIL PROTECTED]
admin users = [EMAIL PROTECTED]
read only = No
create mask = 0755
[mschroeder]
comment = test privat
path = /home/mschroeder
valid users = DAP+MSchroeder
# was "DAP-MSchroeder": the winbind separator configured above is "+", so the
# old spelling named a non-existent account and granted admin rights to nobody
admin users = DAP+MSchroeder
read only = No
ldap.conf:
host 192.168.0.3
base dc=DAP,dc=local
ldap_version 3
binddn CN=linux,DC=DAP,DC=local
bindpw xxxx
#port 636
ssl no
scope sub
nss_base_passwd DC=DAP,DC=local
nss_base_shadow DC=DAP,DC=local
nss_base_group DC=DAP,DC=local
nss_map_objectclass posixAccount user
nss_map_attribute uid msSFUName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn msSFUName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute uniqueMember member
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ads
pam_filter objectclass=posixAccount
spnego yes
nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
Where is smbgroupedit???
#> Dir /usr/bin/smb*
-rwxr-xr-x 1 root root 1427807 Jun 3 03:03 smbcacls
-rwxr-xr-x 1 root root 885616 Jun 3 03:03 smbclient
-rwxr-xr-x 1 root root 620491 Jun 3 03:03 smbcontrol
-rwxr-xr-x 1 root root 1343469 Jun 3 03:03 smbcquotas
-rwxr-xr-x 1 root root 723796 Jun 3 03:02 smbfilter
-rwxr-xr-x 1 root root 1405717 Jun 3 03:02 smbget
-rwxr-xr-x 1 root root 11604 Jun 3 03:03 smbmnt
-rwxr-xr-x 1 root root 736870 Jun 3 03:03 smbmount
-rwxr-xr-x 1 root root 1549492 Jun 3 03:03 smbpasswd
-rwxr-xr-x 1 root root 7841 Feb 24 10:56 smbprngenpdf
-rwxr-xr-x 1 root root 464842 Jun 3 03:03 smbsh
-rwxr-xr-x 1 root root 737581 Jun 3 03:03 smbspool
-rwxr-xr-x 1 root root 624005 Jun 3 03:03 smbstatus
-rwxr-xr-x 1 root root 4896 Apr 6 19:42 smbtar
-rwxr-xr-x 1 root root 811183 Jun 3 03:03 smbtree
-rwxr-xr-x 1 root root 8630 Jun 3 03:03 smbumount
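The two make_connection_snum lines quoted above are the interesting ones from a security point of view: a domain user whose session gets uid=0 is effectively root on the file server, and a uid outside the idmap range means winbind did not do the mapping. The following script is an added example, not code from the original mail or from the Samba project; it parses smbd log text for those connection records and reports such mappings. The idmap range 10000-20000 and the "+" separator are taken from the posted smb.conf; the first two sample records are the lines quoted in the mail (re-joined onto single lines), the third is a constructed local-root connection that must not be reported.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches the "connect to service" record that smbd's make_connection_snum()
# writes at log level 1, e.g.:
#   192.168.0.208 (192.168.0.208) connect to service dap-intern initially as
#   user DAP+mschroeder (uid=0, gid=10000) (pid 5550)
CONNECT_RE = re.compile(
    r"^(?P<host>\S+) \((?P<addr>[^)]+)\) connect to service (?P<service>\S+) "
    r"initially as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) "
    r"\(pid (?P<pid>\d+)\)$"
)


@dataclass
class Connection:
    addr: str
    service: str
    user: str
    uid: int
    gid: int
    pid: int


def parse_connections(log_text: str) -> List[Connection]:
    """Extract every share-connection record from smbd log text.

    The timestamp/function header lines ("[2004/07/06 ...] smbd/service.c:...")
    do not match the pattern and are skipped, so raw log.smbd can be fed in.
    """
    records = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            records.append(Connection(
                addr=m["addr"], service=m["service"], user=m["user"],
                uid=int(m["uid"]), gid=int(m["gid"]), pid=int(m["pid"]),
            ))
    return records


def audit_connections(log_text: str,
                      idmap_range: Tuple[int, int] = (10000, 20000),
                      separator: str = "+") -> List[Tuple[int, str]]:
    """Return (pid, message) findings for suspicious domain-user id mappings.

    A user name containing the winbind separator is a domain user. Such a user
    should only ever get a uid/gid from the idmap range; uid 0 means the
    session is running as root on the file server.
    """
    lo, hi = idmap_range
    findings = []
    for c in parse_connections(log_text):
        if separator not in c.user:
            continue  # local Unix account (e.g. root), not winbind-mapped
        if c.uid == 0:
            findings.append((c.pid, f"domain user {c.user} connected to "
                                    f"share '{c.service}' as uid 0"))
        elif not (lo <= c.uid <= hi):
            findings.append((c.pid, f"domain user {c.user} has uid {c.uid} "
                                    f"outside idmap range {lo}-{hi}"))
        if not (lo <= c.gid <= hi):
            findings.append((c.pid, f"domain user {c.user} has gid {c.gid} "
                                    f"outside idmap range {lo}-{hi}"))
    return findings


# Sample input: records 1 and 2 are the lines quoted in the mail above
# (joined back onto single lines); record 3 is constructed and shows a local
# root connection, which is not a winbind mapping and must not be reported.
SAMPLE_LOG = """\
[2004/07/06 20:00:13, 1] smbd/service.c:make_connection_snum(619)
  192.168.0.208 (192.168.0.208) connect to service dap-intern initially as user DAP+mschroeder (uid=0, gid=10000) (pid 5550)
[2004/07/06 21:13:47, 1] smbd/service.c:make_connection_snum(619)
  192.168.0.208 (192.168.0.208) connect to service mschroeder initially as user DAP+mschroeder (uid=10005, gid=10000) (pid 5981)
[2004/07/06 21:20:02, 1] smbd/service.c:make_connection_snum(619)
  192.168.0.50 (192.168.0.50) connect to service www initially as user root (uid=0, gid=0) (pid 6001)
"""

if __name__ == "__main__":
    for pid, msg in audit_connections(SAMPLE_LOG):
        print(f"pid {pid}: {msg}")
```

Run against the sample it reports only pid 5550, the connection made before the PDC restart; the later connection with uid=10005 falls inside the configured idmap range and passes. Feeding the real log.smbd in (`audit_connections(open("/var/log/samba/log.smbd").read())`) shows whether any other domain user ever got uid 0.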
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba