winbind trusted domains only = yes
to force resolution of domain user & groups to be only the defined user & groups.
I run NIS & I'll migrate to LDAP at some future point.
Regards, Doug
[EMAIL PROTECTED] wrote:
I sent this the other day, but did not get any replies, can anyone help?
Hi All, I have a sparc solaris 8 server running samba 2.2.11 (which i complied with winbind). The server has been running for years and has about 20 local users setup using local files for openssh and rexec logins, and samba shares. They each use samba to map to their home directory and a common shared folder. They also use rexec and openssh to login on the command line.
4 users are in a special group called "sap" and only those 4 have write access to the shared folder, the rest are in a group called "dataentry" and only have read access to the shared folder.
I now have a requirement to have the unix server get its passwords for these users from our win2000 active directory server. I used this guide to try and set this up:
http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
I am now able to map to the samba share using winbind, but i have some problems:
1) When the users login using ssh or rexec, they get the local UID, but when they map with samba they get the UID from samba and active directory. These do not match and im having permission problems. Also when they login local, they get their group "sap" or "dataentry" but when they use winbind/AD to map they are in a group called "domain users", so the permissions are wrong here also. Is there a way to have them keep their UID's and GID's that im now using from local files when i switch to winbind and AD? The users have different groups for unix local files and AD. If not I have to change the perms on thousands of files.
2) I only want these 20 users to be able to map to the samba share, but it seems that anyone in the windows active directory can now map to this share. How do i only allow the 20 users to map?
3) I am trying to setup logins with rexec and openssh to use winbind and active directory, but its not working for me. I think my pam.conf is setup wrong. How can i fix this? Do i need to delete their entries from the local passwd, shadow and group files when i switch to AD?
Thank you in advance gurus!
Here is my pam.conf and my smb.conf:
[EMAIL PROTECTED]:/export# cat /etc/pam.conf # # ident "@(#)pam.conf 1.19 03/01/10 SMI" # # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # PAM configuration # # Unless explicitly defined, all services use the modules # defined in the "other" section. # # Modules are defined with relative pathnames, i.e., they are # relative to /usr/lib/security/$ISA. Absolute path names, as # present in this file in previous releases are still acceptable. # # Authentication management # # login service (explicit because of pam_dial_auth) # login auth required /usr/lib/security/pam_winbind.so login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient /usr/lib/security/pam_winbind.so rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_auth.so.1 # # rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth for meaningful pam_setcred) # rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_auth.so.1 # # PPP service (explicit because of pam_dial_auth) # ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authenctication # other account sufficient /usr/lib/security/pam_winbind.so other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_auth.so.1 # # passwd command (explicit because of a different authentication module) # passwd auth required pam_passwd_auth.so.1 # # cron service (explicit because of non-usage of pam_roles.so.1) # cron account required pam_projects.so.1 cron account required pam_unix_account.so.1 # # Default definition for Account management # Used when service name is not explicitly mentioned for account management # other account requisite pam_roles.so.1 other account required pam_projects.so.1 other account required pam_unix_account.so.1 # # Default definition for Session management # Used when service name is not explicitly mentioned for session management # other session required pam_unix_session.so.1 # # Default definition for Password management # Used when service name is not explicitly mentioned for password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 # # Support for Kerberos V5 authentication (uncomment to use Kerberos) # #rlogin auth optional pam_krb5.so.1 try_first_pass #login auth optional pam_krb5.so.1 try_first_pass #other auth optional pam_krb5.so.1 try_first_pass #cron account optional pam_krb5.so.1 #other account optional pam_krb5.so.1 #other session optional pam_krb5.so.1 #other password optional pam_krb5.so.1 try_first_pass
[EMAIL PROTECTED]:/usr/local/samba/lib# cat smb.conf [Global] parameters workgroup = ego netbios name = egotest1 wins support = Yes #security = share security = domain hosts allow = all encrypt passwords = Yes unix password sync = Yes passwd program = /usr/bin/passwd %u update encrypted = No lm announce = true log file = /var/adm/messages.smb # winbind # use uids from 10000 to 20000 for domain users winbind uid = 10000-20000 # use gids from 10000 to 20000 for domain groups winbind gid = 10000-20000 # allow enumeration of winbind users and groups winbind enum users = yes winbind enum groups = yes # give winbind users a real shell (only needed if # they have telnet access) #template homedir = /home/winnt/%D/%U template homedir = /export/%U template shell = /bin/bash [export] path = /export comment = export browseable = yes writable = yes read only = No public = No
____________________________________ This e-mail message is for the sole use of the intended recipient(s) and may contain proprietary, confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient (or an employee or agent responsible to deliver it to the intended recipient), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. ____________________________________ This e-mail message is for the sole use of the intended recipient(s) and may contain proprietary, confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient (or an employee or agent responsible to deliver it to the intended recipient), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail.
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
