Steve Rippl wrote:
On Wed, 2008-07-23 at 10:22 -0700, Howard Wilkinson wrote:
[snip]
Have you put POSIX attributes onto the users in the active directory?
idmap backend = ad:ldap://domain.fqdn
winbind nss info = rfc2307
Should work. You also need
use kerberos keytab = yes
Howard.
Yep, I've got posix attributes for users in AD. I added the keytab
(net ads keytab create -P) and changed smb.conf to reflect the lines you
have above (with my actual fqdn for the AD server), and now I get this in
log.winbindd-idmap
[2008/07/23 15:33:25, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains
[2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
Module '/usr/local/samba/lib/idmap/ad.so' loaded
[2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
Module '/usr/local/samba/lib/idmap/ad.so' loaded
[2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_init(779)
idmap_init: Unable to get methods for alloc backend ad
The line above looks suspicious! It looks as though your build does not
do the dynamic linking properly! I would need to get to this release and
build it locally to find out what is going wrong. Perhaps somebody else
could tell us what is going on here.
[2008/07/23 15:33:25, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
ad_idmap_cached_connection: Failed to obtain schema details!
[2008/07/23 15:33:25, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
ADS uninitialized
[2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1233)
ERROR: NTSTATUS = 0xc0000001
I can wbinfo -a|n|s, that works, but getent is still not returning the
user. I copied libnss_winbind into /lib and ran ldconfig but it seems
as though getent isn't using it?!
Also, maybe I'm wrong, but I thought that to query ldap attributes in AD
you had to bind with a valid user; how is the idmap backend doing that?
The way I do this is to use kerberos keytabs in my nss_ldap lookups. I
take the machine keytab (or specially created ones) and add them to the
nss_ldap setup.
This needs at least nss_ldap 259 and my latest patches which I published
about 2 weeks ago.
I have not yet tried the libnss-ldapd software as I need to write
patches for that as well. My systems are all Fedora Linux (7,8,9 with
some bleeding edge backports) so similar but not the same as yours.
However, I can confirm the pam_krb5, nss_ldap, samba combination can be
made to work with an AD backend just about seamlessly. So keep plugging
away and you will get it to work.
Howard.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
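The settings Howard lists (idmap backend = ad, winbind nss info = rfc2307,
use kerberos keytab = yes) and the "wbinfo works but getent does not"
symptom Steve describes, turned into a check script. This is an added
example, not code from the thread or from Samba. It reads an smb.conf and
an nsswitch.conf given as arguments (the real locations, assumed here, would
be something like /usr/local/samba/lib/smb.conf and /etc/nsswitch.conf),
prints each missing setting to stderr and the number of problems to stdout.
The sample files it writes are constructed for an offline run; the realm,
DC name and id ranges in them are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): check the winbind/idmap
# settings discussed on the list against an smb.conf and an nsswitch.conf.

# smb_param FILE PARAM: value of PARAM in the [global] section. Samba matches
# parameter names case-insensitively and ignores whitespace inside them, so
# "IdMap Backend" and "idmapbackend" are the same key.
smb_param() {
    awk -v want="$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

# nss_has FILE DB SERVICE: succeed if the DB line of nsswitch.conf lists SERVICE.
nss_has() {
    awk -v db="$2" -v svc="$3" '
        /^[[:space:]]*#/ || !index($0, ":") { next }
        {
            name = $0; sub(/:.*/, "", name); gsub(/[[:space:]]/, "", name)
            if (name != db) next
            rest = $0; sub(/^[^:]*:/, "", rest); sub(/#.*/, "", rest)
            n = split(rest, svcs, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (svcs[i] == svc) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# nss_module_present DIR...: glibc loads NSS modules by SONAME, so getent only
# finds winbind if some library directory contains libnss_winbind.so.2; a file
# named just libnss_winbind.so is not enough, even after ldconfig.
nss_module_present() {
    for d in "$@"; do [ -e "$d/libnss_winbind.so.2" ] && return 0; done
    return 1
}

# check_ad_idmap SMBCONF NSSWITCH: report missing settings, print their count.
check_ad_idmap() {
    smb=$1; nss=$2; problems=0
    miss() { echo "missing: $*" >&2; problems=$((problems + 1)); }

    [ "$(smb_param "$smb" security | tr 'A-Z' 'a-z')" = ads ] || miss "security = ads"
    [ -n "$(smb_param "$smb" realm)" ] || miss "realm = <AD realm>"
    case "$(smb_param "$smb" 'idmap backend')" in
        ad|ad:*) ;; *) miss "idmap backend = ad (the thread uses ad:ldap://domain.fqdn)" ;;
    esac
    # The ad backend only maps SIDs through the rfc2307 attributes; it has no
    # allocation methods. With no alloc backend configured the idmap layer tries
    # the same module, which is what the thread's log reports as
    # "Unable to get methods for alloc backend ad".
    case "$(smb_param "$smb" 'idmap alloc backend')" in
        tdb|ldap) ;; *) miss "idmap alloc backend = tdb (ad cannot allocate ids)" ;;
    esac
    { [ -n "$(smb_param "$smb" 'idmap uid')" ] && [ -n "$(smb_param "$smb" 'idmap gid')" ]; } \
        || miss "idmap uid / idmap gid ranges (ids outside them are not mapped)"
    [ "$(smb_param "$smb" 'winbind nss info')" = rfc2307 ] || miss "winbind nss info = rfc2307"
    case "$(smb_param "$smb" 'use kerberos keytab' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;; *) miss "use kerberos keytab = yes" ;;
    esac
    nss_has "$nss" passwd winbind || miss "passwd: files winbind in nsswitch.conf"
    nss_has "$nss" group winbind  || miss "group: files winbind in nsswitch.conf"
    echo "$problems"
}

# write_samples DIR: constructed sample files (placeholder realm, DC and
# ranges), one set with only the thread's lines and one with the additions.
write_samples() {
    cat > "$1/smb.conf.thread" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    idmap backend = ad:ldap://dc.example.com
    winbind nss info = rfc2307
    use kerberos keytab = yes
EOF
    cat > "$1/smb.conf.fixed" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    idmap backend = ad:ldap://dc.example.com
    idmap alloc backend = tdb
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind nss info = rfc2307
    use kerberos keytab = yes
EOF
    printf 'passwd: files\ngroup:  files\n' > "$1/nsswitch.conf.bad"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$1/nsswitch.conf.ok"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "thread settings: $(check_ad_idmap "$dir/smb.conf.thread" "$dir/nsswitch.conf.bad") problem(s)"
echo "with additions:  $(check_ad_idmap "$dir/smb.conf.fixed" "$dir/nsswitch.conf.ok") problem(s)"
rm -rf "$dir"
```

Run it against real files with the two paths as arguments to check_ad_idmap,
and call nss_module_present with the directories ldconfig searches (/lib,
/usr/lib and whatever ld.so.conf adds); the thread's step of copying the
library is only complete when the .so.2 name resolves there.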