Hi, I have been trying to join a Samba Domain member server to the AD and use LDAP for IDMAP storage. I have run into many strange issues and I was hoping someone can please take the time to clarify things for me. I have read quite a bit (I own both the Samba books by Terpstra) and done a lot of Google searching. I think part of my problem is the unusual setup I have, as all the examples in the books/net assume the user will have a very small AD and have full control of it.

We are a small division and the AD is hosted by our corporate IT. I do have Domain Admin access to our branch of the AD, but not the whole tree. The entire tree has over 8000 users.

My goals:
[1] Using winbind, authenticate users on Linux servers/workstations - ACCOMPLISHED
[2] Using Kerberos so that users are not prompted for login and password when accessing Domain shares - ACCOMPLISHED, but still has some issues.
[3] Rather than each Linux host maintaining its own idmap db, store everything on an OpenLDAP server - FAILED

Here is what I have done so far:
[1] OpenLDAP server with three OUs - People, Groups, Idmap
[2] Joined a Linux server to AD (net ads join ...)
[3] Confirmed that I get a list of users when I do wbinfo -u (or getent passwd). However, I do not get ALL the users. As a matter of fact I get many other domains in AD (ex. SA, EU, AP), but not my own Domain (NA). Does anyone know why this would be? Due to this I am unable to test user login, since I do not have account access for another domain.
[4] On the OpenLDAP server there seems to be no change in the Idmap; I don't understand why it is not getting populated. If I do a manual ldapsearch, I can access the ldap server and query the directory. I also made sure that the smbpasswd -w <my ldap user password> is correct.

Here is my smb.conf file:

    [global]
        workgroup = NA
        netbios name = SPDUSLISHNODE01
        realm = NA.NET.MYCOMPANY.COM
        server string = Queue Headnode
        security = ADS
        log level = 1 ads:10 passdb:5 auth:10 winbind:8 sam:10 rpc:10
        ldap admin dn = cn=spd.ldapadmin,o=mycompany
        ldap idmap suffix = ou=Idmap
        ldap suffix = o=mycompany
        idmap uid = 150000-550000
        idmap gid = 150000-550000
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes
        encrypt passwords = yes
        password server = SPDUSLISDC010
        winbind separator = /
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = no
        wins server = 10.55.56.4
        name resolve order = wins lmhosts bcast

My krb5.conf file is similar to the one in the Samba-Guide (and I know this works since I can join the Linux host to the AD directory).

Thanks,
Vijay Avarachen

--
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it." -- ancient Sanskrit saying

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
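As an added example (not part of the post above, and not Samba's own code), the following Python script parses an smb.conf in the Samba 3.0-era syntax used in this post and reports whether winbind is actually configured to store its ID mappings in LDAP. The point it makes visible: the "ldap admin dn", "ldap idmap suffix" and "ldap suffix" parameters only describe where the LDAP idmap lives; unless "idmap backend = ldap:ldap://<host>" is also set, winbind keeps using its local idmap tdb and the ou=Idmap container is never written to. The sample configuration is constructed from the parameters in the post; the hostname ldap.mycompany.example in the corrected copy is a placeholder. Newer Samba releases spell the same settings as "idmap config * : backend = ldap" plus "idmap config * : range", which this checker does not cover.

```python
import re

# Constructed sample, modelled on the smb.conf in the post above (the LDAP
# settings are present, but no idmap backend selects the ldap module).
SAMPLE_SMB_CONF = """
[global]
   workgroup = NA
   realm = NA.NET.MYCOMPANY.COM
   security = ADS
   ldap admin dn = cn=spd.ldapadmin,o=mycompany
   ldap idmap suffix = ou=Idmap
   ldap suffix = o=mycompany
   idmap uid = 150000-550000
   idmap gid = 150000-550000
   winbind use default domain = yes
"""

# Same configuration with the backend line added; the hostname is a placeholder.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "[global]", "[global]\n   idmap backend = ldap:ldap://ldap.mycompany.example", 1)


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Parameter names are lower-cased with internal whitespace collapsed, which
    is how Samba itself normalises them ('ldap  admin dn' == 'ldap admin dn').
    Lines starting with '#' or ';' are comments; lines without '=' are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_range(value):
    """Parse an 'idmap uid/gid' value of the form LOW-HIGH; None if malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def ldap_idmap_findings(text):
    """Return a list of human-readable findings; an empty list means the
    [global] section is complete enough for winbind to use the LDAP idmap."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    backend = g.get("idmap backend")
    if backend is None:
        findings.append("idmap backend is not set: winbind falls back to the "
                        "local idmap tdb, so nothing is written to the LDAP idmap suffix")
    elif not backend.startswith("ldap"):
        findings.append(f"idmap backend = {backend!r} is not the ldap module")
    elif not re.fullmatch(r"ldap:ldaps?://\S+", backend):
        findings.append("idmap backend should name the directory, "
                        "e.g. ldap:ldap://<ldap-host>")

    # The ldap module needs a bind DN (password via 'smbpasswd -w'), the
    # idmap container and the base suffix the container is relative to.
    for param in ("ldap admin dn", "ldap idmap suffix", "ldap suffix"):
        if param not in g:
            findings.append(f"{param} is missing; the ldap idmap backend needs it")

    # Without a valid allocation range winbind cannot hand out new IDs at all.
    for param in ("idmap uid", "idmap gid"):
        value = g.get(param)
        if value is None:
            findings.append(f"{param} is not set; winbind has no range to allocate from")
        elif parse_range(value) is None:
            findings.append(f"{param} = {value!r} is not a valid LOW-HIGH range")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_SMB_CONF), ("with backend", FIXED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in ldap_idmap_findings(conf) or ["no findings"]:
            print("  -", finding)
```

Run against a real file with `ldap_idmap_findings(open("/etc/samba/smb.conf").read())`; an empty list is a necessary condition for the LDAP idmap to fill up, not a sufficient one, since the bind password stored by `smbpasswd -w` and the directory's ACLs on the idmap container are checked by winbind at run time, not by this parser.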
