Hi, did you try using NIS instead of winbind? I'm saying that because you are using MS Identity Management for Unix, and this provides a NIS server. This would provide you the same UIDs and GIDs on all machines.
Marcos.

--- On Fri, 27/6/08, Samba-Liste <[EMAIL PROTECTED]> wrote:

> From: Samba-Liste <[EMAIL PROTECTED]>
> Subject: [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
> To: "samba" <samba@lists.samba.org>
> Date: Friday, 27 June 2008, 8:31
>
> Hi,
>
> I read at least 100 different documentations during the last week and
> didn't get it. So I decided to ask the list for help :)
>
> Unfortunately we have to move to a Windows 2008 Server ADS in our
> company as this is required for some other projects. But we want to
> keep our nice 5+ samba-servers providing fast 50TB+ of storage.
>
> So we have to find a way to nicely integrate the storage with the new
> ADS installed. Therefore I installed a test lab consisting of 2 debian
> etch storage-servers, each with 12TB lvm-based storage attached. Also we
> have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some Windows
> XP 32 and 64 Bit clients as workstations for testing.
>
> Now we set up everything and decided to use samba 3.2.0 as some
> bugs related to W2k8 server are solved there. So I built debian packages
> from experimental for etch and installed them. Then I set up kerberos and
> samba using "security = ads". Everything works great. I can get a
> kerberos ticket with kinit, also I can join the ADS with "net ads join
> -Uadministrator". I set up /etc/nssswitch to use winbind and I can
> request user information successfully.
>
> But now I have to set up shared IDMAP for my samba servers to have the
> same UIDs and GIDs on all machines. As it would be nice to have all that
> on the ADS server I tried the following for days without success and
> that is where I need help:
>
> - I installed the "MS Identity Management for Unix"
> - I added UID, Homedir, Shell and "Default Group" to the AD User
> - I set "Unix Attr" for my groups
> - I configured samba as follows:
>
> ----- snip -----
>
> [global]
> workgroup = TESTLAB
> realm = TESTLAB.COMPANY.COM
> netbios name = filesrv001
> server string = Samba Storage Fileserver 001 (%v)
> security = ADS
> idmap domains = BUILTIN, TESTLAB
> idmap config TESTLAB:backend = ad
> idmap config TESTLAB:default = yes
> idmap config TESTLAB:schema_mode = rfc2307
> idmap config BUILTIN:backend = tdb
> idmap config BUILTIN:base_rid = 800
> idmap config BUILTIN:range = 800-999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind nested groups = Yes
> password server = WIN-RXYDW1KO5DH.testlab.company.com
> wins server = WIN-RXYDW1KO5DH.testlab.company.com
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> hide unreadable = yes
> hide dot files = yes
> unix charset = LOCALE
> log level = 5
>
> [big_data]
> comment = Very Big Share
> path = /SERV
> browseable = yes
> guest ok = no
> valid users = "@STGT\entenhausen"
> create mask = 660
> directory mode = 770
> writeable = yes
> readonly = no
> force group = "STGT\entenhausen"
>
> ----- snip -----
>
> - I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
> - I deleted the join on the ADS
> - Then I rebooted the Linux server, re-joined the ADS
> - And I can retrieve the user with getent and it has its UID
>
> filesrv001:/var/log/samba# getent passwd tic.tic
> tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false
>
> - But the default group, the home-dir and the shell are not right
> - seems like the values are not retrieved correctly from ADS
> - also strange: I set up the second storage with the same configs
> - only changed names
> - if I retrieve the user-information there
> - it looks like this
>
> getent passwd tic.tic
> tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false
>
> - so the default-group is changing
> - but it's still not the value listed in the ADS
>
> Any ideas on that? Did I get something completely wrong? I'll now take a
> closer look at the Win 2008 logfiles and I'll check the communication
> with tcpdump. But I'm mostly stuck and really could need some hints.
> Or should I try another solution? IDMAP-RID cannot be used as we are
> planning a "trust domain" setup.
>
> Thank you and best regards
>
> Daniel
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
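
Added example, not part of the original thread: a small checker that compares `getent passwd` output collected from several file servers and reports every field that differs for the same user, since a GID that differs between servers means the same group permissions resolve differently on each. The sample input is the two lines quoted in the post; the host name `filesrv002` is a placeholder, because the post does not name the second server.

```python
"""Compare passwd entries (getent passwd output) collected from several
Samba/winbind hosts and report fields that differ for the same user."""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Sample input: the two `getent passwd tic.tic` lines quoted in the post.
# "filesrv002" is a placeholder; the post does not name the second server.
SAMPLE = {
    "filesrv001": "tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false",
    "filesrv002": "tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false",
}


def parse_passwd(text):
    """Return {username: {field: value}} for passwd(5)-format lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries


def find_mismatches(per_host):
    """per_host: {host: getent output}. Return a sorted list of
    (user, field, {host: value}) for every field that is not identical
    on all hosts; a user missing on a host shows up with value None."""
    parsed = {host: parse_passwd(text) for host, text in per_host.items()}
    users = set().union(*(p.keys() for p in parsed.values()))
    report = []
    for user in sorted(users):
        for field in FIELDS[2:]:  # uid, gid, gecos, home, shell
            values = {h: p.get(user, {}).get(field) for h, p in parsed.items()}
            if len(set(values.values())) > 1:
                report.append((user, field, values))
    return report


if __name__ == "__main__":
    for user, field, values in find_mismatches(SAMPLE):
        print(f"{user}: {field} differs -> {values}")
```

Feeding it the full `getent passwd` output of each server, rather than one user, checks every mapped account in one pass.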