Nscd is running

This is my nsswitch.conf:

# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files winbind nis
group: files winbind nis

# consult /etc "files" only if nis is down.
hosts: files nis dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: nis [NOTFOUND=return] files

networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files

netgroup: nis

automount: files nis
aliases: files nis

# for efficient getservbyname() avoid nis
services: files nis
sendmailvars: files
printers: user files nis

auth_attr: files nis
prof_attr: files nis
project: files nis
project: files nis

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 4:06 PM
To: Nir Barkan
Cc: [email protected]
Subject: Re: [Samba] Samba and trusted domains

> When running the id command, nothing written on the winbind debug

looks like a prob with NSS and winbindd...
what looks your nsswitch.conf like?
do you use nscd?

greez

Nir Barkan wrote:
> id EU15\\test1
>
> gives:
>
> id: invalid user name: "EU15\test1"
>
> When running the id command, nothing written on the winbind debug
>
> Nir
>
> -----Original Message-----
> From: Michael Gasch [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 03, 2006 2:31 PM
> To: Nir Barkan
> Cc: [email protected]
> Subject: Re: [Samba] Samba and trusted domains
>
> looks good, but the log isn't very informative.
>
> what does now "id EU15\\test1" on the member server say?
> winbindd has to allocate an uidnumber for this user.
>
> greez
>
> Nir Barkan wrote:
>> Now I don't have idmap errors, but the user from the trusted domain still
>> can't connect, this is what the debug logs when the user from the trusted
>> domain tries to connect:
>>
>> Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
>> [ 0]: request interface version
>> [ 0]: request location of privileged pipe
>> [ 0]: domain_info [EU15]
>> [ 8520]: Get DC name for EU15
>> cm_get_ipc_userpass: No auth-user defined
>> Doing spnego session setup (blob length=122)
>> got OID=1 2 840 48018 1 2 2
>> got OID=1 2 840 113554 1 2 2
>> got OID=1 2 840 113554 1 2 2 3
>> got OID=1 3 6 1 4 1 311 2 2 10
>> got [EMAIL PROTECTED]
>> Doing kerberos session setup
>> Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind
>> request returned ok.
>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind
>> request returned ok.
>> lsa_io_sec_qos: length c does not match size 8
>> [ 0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [ 0]: request interface version
>> [ 0]: request location of privileged pipe
>> [ 0]: domain_info [EU15]
>> [ 0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [ 0]: request interface version
>> [ 0]: request location of privileged pipe
>> [ 0]: domain_info [EU15]
>> [ 0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [ 0]: request interface version
>> [ 0]: request location of privileged pipe
>> [ 0]: domain_info [EU15]
>> [ 0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [ 0]: domain_info [EU15]
>> [ 0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>> Sent: Monday, July 03, 2006 1:19 PM
>> To: Nir Barkan
>> Cc: [email protected]
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> for trusted domains to work you have to use either tdbsam or ldap
>> backend. don't know whether ad works, though.
>>
>> this should work for you:
>> # idmap backend = # please comment out for tdbsam
>> idmap uid = 10000-100000
>> idmap gid = 10000-100000
>> winbind use default domain = Yes # your choice
>> winbind trusted domains only = no # must
>> allow trusted domains = yes # must
>>
>> greez
>>
>> Nir Barkan wrote:
>>> I tried all the combinations on the "idmap backend" line and still have
>>> errors.
>>>
>>> What is the exact "idmap backend" line that I should add to my smb.conf file
>>> when "ITGIL" = my domain and "EU15" = my trusted domain?
>>>
>>> Thanks,
>>>
>>> Nir
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>> Sent: Monday, July 03, 2006 11:22 AM
>>> To: Nir Barkan
>>> Cc: [email protected]
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> :)
>>>
>>> > idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>> this is not correct semantic ;)
>>>
>>> example:
>>> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>>>
>>> this should work
>>>
>>> greez
>>>
>>> Nir Barkan wrote:
>>>> I added the idmap backend to my smb.conf as you suggested
>>>>
>>>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>
>>>> I get the following (on the winbind debug):
>>>>
>>>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>>>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1:
>>>> ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed:
>>>> No such file or directory
>>>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>>>> Could not init idmap -- netlogon proxy only
>>>>
>>>> The idmap directory exists; do I need to run something manually?
>>>>
>>>> P.S
>>>>
>>>> ITGIL = my domain
>>>> EU15 = my trusted domain
>>>>
>>>> Thanks,
>>>>
>>>> Nir
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>> Sent: Sunday, July 02, 2006 9:46 PM
>>>> To: Nir Barkan
>>>> Cc: [email protected]
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>> you should do something like
>>>>
>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>>>
>>>> as i already wrote in a posting before. this won't work with idmap_rid,
>>>> but with all other backend.
>>>> i think you can stay with "winbind trusted domains only".
>>>>
>>>> you should also run winbindd in interactive mode and debug level 3.
>>>> then you should see something like "init idmap backend for DOMAIN
>>>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>>>
>>>> greez
>>>>
>>>> Nir Barkan wrote:
>>>>> Id test1 not working
>>>>>
>>>>> Wbinfo -u return DomainName username (EUROPE test1)
>>>>>
>>>>> The user is from trusted domain
>>>>>
>>>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 on my
>>>>> smb.conf, Do I need to define something more?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nir
>>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>>> Sent: Friday, June 30, 2006 4:12 PM
>>>>> To: Nir Barkan
>>>>> Cc: [email protected]
>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>
>>>>> > Id test1 not working
>>>>> but wbinfo -u shows it?
>>>>> if so you have a problem with mapping samba accounts to unix accounts.
>>>>> is it a user from a trusted domain (to get back to the thread title)?
>>>>>
>>>>> > My dc is windows 2003 DC, do I need to install something on it?
>>>>> no
>>>>>
>>>>> greez
>>>>>
>>>>> Nir Barkan wrote:
>>>>>
>>>>>> Id test1 not working
>>>>>>
>>>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>>>> results.
>>>>>>
>>>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>>>
>>>>>> P.S
>>>>>>
>>>>>> Thanks much for your help :-)
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>>>> To: Nir Barkan
>>>>>> Cc: [email protected]
>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>
>>>>>>> "Id <username_from_local_domain_without_prefix_domainname" give me the user
>>>>>>> uid and gid.
>>>>>> good
>>>>>>
>>>>>> some further questions:
>>>>>> - does "id test1" work?
>>>>>> - why did you set "winbind trusted domains only = Yes"
>>>>>>
>>>>>> for trusted domains to work, you have to use winbind on your DC.
>>>>>> furthermore on each member server you have to specify an idmap range for
>>>>>> each domain, like
>>>>>>
>>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>>>
>>>>>> greez
>>>>>>

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
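
Added example (not part of the original thread, and not Samba's own code): an offline check for the two settings the thread keeps returning to, namely whether winbind is listed for passwd and group in nsswitch.conf, and whether an smb.conf "idmap uid" / "idmap gid" value is a well-formed LOW-HIGH range. The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the thread. Sample files further down are constructed.

# nss_sources DB FILE: print the lookup order for DB, e.g. "files winbind nis".
nss_sources() {
    awk -v db="$1:" '
        /^[ \t]*#/ { next }
        $1 == db { sub(/#.*/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# nss_uses_winbind DB FILE: succeed if winbind is one of the sources for DB.
nss_uses_winbind() {
    case " $(nss_sources "$1" "$2") " in *" winbind "*) return 0 ;; esac
    return 1
}

# idmap_range KEY FILE: print "ok LOW HIGH", "inverted LOW HIGH",
# "malformed" or "missing" for a LOW-HIGH parameter such as "idmap uid".
idmap_range() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next; found = 1
            if (v !~ /^[0-9]+[ \t]*-[ \t]*[0-9]+$/) { print "malformed"; exit }
            split(v, r, /[ \t]*-[ \t]*/)
            s = (r[1] + 0 <= r[2] + 0) ? "ok" : "inverted"
            print s, r[1], r[2]; exit
        }
        END { if (!found) print "missing" }
    ' "$2"
}

# Constructed sample files: one NSS line without winbind, one inverted range.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd: files winbind nis
group:  files nis   # winbind missing here
EOF
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
    idmap uid = 10000-2000
    idmap gid = 10000-20000
EOF
for db in passwd group; do
    nss_uses_winbind "$db" "$SAMPLE_DIR/nsswitch.conf" || echo "$db: winbind not listed"
done
for key in "idmap uid" "idmap gid"; do echo "$key: $(idmap_range "$key" "$SAMPLE_DIR/smb.conf")"; done
```

Point the functions at the real /etc/nsswitch.conf and smb.conf on the member server instead of the sample directory.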
