Re: [Samba] Anyone have Solaris 8/9, W2K AD, NIS working?

2004-07-30 Thread Erwin Fritz
Paul Gienger wrote:
It sounds like you need to pick a network directory service and go with 
it, I'd suggest LDAP over NIS any day.  I have had a solaris (9 I think) 
box running happily over LDAP and AD2000, although it was just for test.
Oh, I totally agree with you on choosing LDAP over NIS. The problem is that if I 
go LDAP, I'd prefer a non-proprietary solution, and that means OpenLDAP. There are 
known conflicts between Solaris's built-in LDAP libraries and OpenLDAP (but those can, 
in theory, be gotten around, although I've run into grief attempting to do so).
I inherited the NIS setup when I took this job, and because it's been working fine, I 
haven't bothered to change it. Chalk that up to other projects taking priority.

I'm trying to get Solaris authentication to work using AD user 
accounts. According to The Official Samba 3 Howto and Reference Guide, 
this should be a simple thing. Well, it is, as long as you don't care 
that the UNIX userid to SID mapping isn't consistent across NIS 
clients, which really screws up file ownership.

You need a central structure to hold your SID mappings if you're 
traversing machines, AFAICT, the only network structure supported is LDAP.
In theory, AD is LDAP-compliant, although Microsoft's added a bunch of tweaks. So 
I was hoping to use AD as the LDAP repository. That may not work, though, and may be 
the cause of a lot of my problems.
When you got it to work, did you use a separate LDAP repository for SID mappings? Or 
did you manage to store them in AD?

Well, it just isn't working. I've tried the instructions in there, 
which are laughably inadequate. They don't cover NIS or the SID-userid 
mapping problem properly. I've searched this mailing list for answers, 
and haven't found much. I simply cannot get Samba to store the userid 
mapping in the AD Idmap OU.

Perhaps some expansion on your issues here would help:
What kind of errors is Samba spitting back?
What configurations have you done?
The reason I didn't supply them is that I've been playing with so many different 
configurations over the last few months that listing them all would be 
counterproductive. So I adopted a new strategy: find out if anyone got it working and 
what config they used.

I'm curious, why the insistence on NIS?  Do you have other apps that 
require it?  Are you having problems getting autofs on Solaris to talk 
to LDAP?  If so, a guy can short circuit it by making files from the 
LDAP structure, that's what I do.  Are you an old school Sun guy from 
way back that can't let go of it?  Give in to the dark side of the 
DIT,... err... I mean use LDAP, it's better over here... or something, 
you get my drift hopefully.
I agree. I wanted to use NIS because it's already installed and working. My 
thinking was that, if I could get Samba working with AD as the LDAP repository for SID 
mappings, I could eventually move my maps over to AD and get rid of NIS completely.
I'd prefer to have only one LDAP server running, and the architecture here already has 
AD. So I'd like to keep things simple and use AD as that repository if I can. I'm 
willing to build an OpenLDAP server if I have to, but that seems redundant to me.
I am an old school Sun guy (but System V, not BSD!), but I agree that NIS is obsolete, has a million security holes in it, and deserves to be given a decent burial. 

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Anyone have Solaris 8/9, W2K AD, NIS working?

2004-07-29 Thread Erwin Fritz
Okay, I'm at wit's end, and am about ready to give up on Samba 3.x as a way to 
implement single sign-on.
I would like to know if there's anyone out there who has the following environment:
- Solaris 8 and 9, running NIS (not NIS+) for automount and passwd/group maps
- W2K-based Active Directory
I'm trying to get Solaris authentication to work using AD user accounts. According to 
The Official Samba 3 Howto and Reference Guide, this should be a simple thing. Well, 
it is, as long as you don't care that the UNIX userid to SID mapping isn't consistent 
across NIS clients, which really screws up file ownership.
Well, it just isn't working. I've tried the instructions in there, which are laughably 
inadequate. They don't cover NIS or the SID-userid mapping problem properly. I've 
searched this mailing list for answers, and haven't found much. I simply cannot get 
Samba to store the userid mapping in the AD Idmap OU.
I'm not going to detail the very large list of things I've been trying for months now, 
but they include installing Services for Unix on the AD servers, installing OpenLDAP 
and Kerberos, installing the idmap_ad plugin on my test Solaris box, configuring 
pam.conf and nsswitch.conf, setting up winbind, oh, the list goes on.
If anyone out there is running NIS on their Solaris boxes, and has single sign-on working 
properly using AD-based authentication, with consistent SID-userid mapping (i.e. a 
SID gets mapped to the same UNIX userid no matter which Solaris client is used), I'd very 
much like to talk to that person to find out how they got it working.
Anyone?
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 3.0.3 installing issue

2004-05-04 Thread Erwin Fritz
You need to set your LD_LIBRARY_PATH to include the directory where your LDAP 
libraries are.
Try that.
I'm also, as I type this, wrestling with Solaris 9, Samba 3.0.3, and getting winbindd 
to properly store SID-uid mappings in AD. When you get to that point (if you're 
heading there), let me know if you run into problems.
Erwin Fritz
Talwar, Puneet (NIH/NIAID) wrote:
I am trying to install Samba 3.0.3 on Solaris 9 and when I execute the
configure command I get the following error msg.  I did install the latest
version of openldap and set the env variable for the ldap lib.
 
If anyone has encountered similar problem please let me know.
 
#./configure --with-ads --with-krb5=/usr --with-pam --with-pam_smbpasss
--with-syslog --with-libsmbclient --with-winbind
..

...
..

checking for LDAP support... auto
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_scanf in -llber... yes
checking for ldap_init in -lldap... yes
checking for ldap_domain2hostlist... no
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
configure: WARNING: libldap is needed for LDAP support
checking for Active Directory and krb5 support... yes
configure: error: Active Directory Support requires LDAP support
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 3.0.3 installing issue

2004-05-04 Thread Erwin Fritz
Which LDAP libraries are you using? Solaris has some built in ones that have been 
known to cause problems. The Samba dox say that OpenLDAP libraries are preferred, so 
I've installed them to /opt/openldap, and my LD_LIBRARY_PATH has that.
The other thing to check is the config.log file. It's in the same directory as the 
configure script you ran, and may shed some light on the errors.
Not sure if this'll help, but my configure command is run like this:
  LD_LIBRARY_PATH=/opt/openldap/lib:/opt/kerberos/lib \
  CPPFLAGS="-I/opt/openldap/include -I/opt/kerberos/include" \
  LDFLAGS="-L/opt/openldap/lib -L/opt/kerberos/lib" \
  ./configure --prefix=/opt/samba \
    --with-configdir=/var/samba/conf \
    --with-lockdir=/var/samba/lock \
    --with-privatedir=/var/samba/private \
    --with-swatdir=/var/samba/swat \
    --with-logfilebase=/var/samba/log \
    --localstatedir=/var/run \
    --sharedstatedir=/var/run \
    --with-syslog \
    --with-utmp \
    --with-acl-support \
    --with-krb5=/opt/kerberos \
    --with-winbind \
    --with-ldap \
    --with-ads
Does that help?
Erwin Fritz
Talwar, Puneet (NIH/NIAID) wrote:
Well I did do that as well and ran the crle command.  HMMM What else can
I be missing here?

-Original Message-
From: Erwin Fritz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 04, 2004 4:50 PM
To: Talwar, Puneet (NIH/NIAID)
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba 3.0.3 installing issue

You need to set your LD_LIBRARY_PATH to include the directory where your
LDAP libraries are.
Try that.
I'm also, as I type this, wrestling with Solaris 9, Samba 3.0.3, and getting
winbindd to properly store SID-uid mappings in AD. When you get to that
point (if you're heading there), let me know if you run into problems.
Erwin Fritz
Talwar, Puneet (NIH/NIAID) wrote:

I am trying to install Samba 3.0.3 on Solaris 9 and when I execute the
configure command I get the following error msg.  I did install the latest
version of openldap and set the env variable for the ldap lib.
If anyone has encountered similar problem please let me know.
#./configure --with-ads --with-krb5=/usr --with-pam --with-pam_smbpasss
--with-syslog --with-libsmbclient --with-winbind
..

...
..

checking for LDAP support... auto
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_scanf in -llber... yes
checking for ldap_init in -lldap... yes
checking for ldap_domain2hostlist... no
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
configure: WARNING: libldap is needed for LDAP support
checking for Active Directory and krb5 support... yes
configure: error: Active Directory Support requires LDAP support


--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Winbindd can't load Idmap OU with SID-uid mappings

2004-04-20 Thread Erwin Fritz
I'm running Samba 3.0.2a on Solaris 9. My shop also runs Active Directory on W2K (SP4). In an attempt to build a single sign-on solution, I thought I'd get Samba to allow Windows 2000 users to telnet/rlogin/ftp to my UNIX boxes without requiring those users to have a UNIX account.

The Samba dox claim this is possible, because winbindd will map the AD account SID to a UNIX userid, and will store that mapping in the winbindd_idmap.tdb file.

This works just fine. AD users can map drives and can connect to the UNIX box through telnet, rlogin, or ftp. They do not need a UNIX account.

Problem solved? Not quite. I have many UNIX boxes, and because the Samba shares are NFS-mounted to these boxes, I have to ensure that the SID-uid mapping is consistent across all machines. Samba will do this by keeping the mapping in an OU created in the AD tree. I created that OU, and called it Idmap. 

For the life of me, though, I can't get Samba to store the mapping in the OU. It continues to store it in the winbindd_idmap file.

My Solaris box is running Solaris 9, with patch 113476-13, MIT Kerberos 1.3.1, and OpenLDAP 2.2.5 (because Samba needs the LDAP stuff to compile).

Samba was configured with these options:

 ./configure --prefix=/opt/samba\
   --with-syslog\
   --with-utmp  \
   --with-codepagedir=/var/samba/code   \
   --with-configdir=/var/samba/conf \
   --with-lockdir=/var/samba/lock   \
   --with-privatedir=/var/samba/private \
   --with-swatdir=/var/samba/swat   \
   --with-logfilebase=/var/samba/log\
   --datadir=/var/samba/share   \
   --localstatedir=/var/samba/var   \
   --sharedstatedir=/var/samba/com  \
   --sysconfdir=/var/samba/etc  \
   --with-acl-support   \
   --with-krb5=/opt/kerberos\
   --with-winbind   \
   --with-ldap  \
   --with-ldapsam
The global portion of my smb.conf is:

[global]
   workgroup = AD_DOMAIN
   realm = INTERNAL_DOMAIN.COM
   server string = Test server
   security = ADS
   password server = ad1.internal_domain.com ad2.internal_domain.com
   lanman auth = No
   ntlm auth = No
   client NTLMv2 auth = Yes
   client lanman auth = No
   client plaintext auth = No
   log level = 2
   disable netbios = Yes
   name resolve order = host
   load printers = No
   os level = 0
   lm announce = No
   preferred master = No
   local master = No
   domain master = No
   dns proxy = No
   ldap suffix = dc=internal_domain,dc=com
   ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
   ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
   ldap ssl = no
   idmap uid = 1-2
   idmap gid = 1-2
   template shell = /bin/ksh
   winbind separator = +
   hosts allow = 198.161.66., 192.168.100.
   wide links = No
I know the problem isn't with pam.conf or nsswitch.conf, since my AD users can connect to the Solaris box without any problems.

When I try to connect, I get this error message on the Samba server:

'failed to bind to server with dn= cn=Administrator,ou=Users,dc=internal_domain,dc=com Error: Can't contact LDAP server'

Well, I know the LDAP server works. Running both 'wbinfo -u' and 'getent passwd' shows the AD accounts.

Am I missing something obvious here? 

Erwin Fritz
Network Administrator
Gilbert Laustsen Jung Associates Ltd.
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
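As an added check (not from the posts above and not Samba's own code): a small Python audit of an smb.conf [global] section for the Samba 3.0.x settings winbindd needs before it keeps SID-uid mappings in an LDAP idmap store instead of the local winbindd_idmap.tdb. The parameter it looks for first, idmap backend = ldap:ldap://host, is absent from the [global] section posted in the Idmap OU thread; the sample configuration, domain names and hostnames below are constructed.

```python
"""Audit a Samba 3.0.x [global] section for an LDAP-backed winbindd idmap store.
Added example, not Samba code; SAMPLE below is a constructed configuration."""
import re


def parse_global(text):
    """Return the [global] section as a dict of lower-cased 'key' -> value."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[' '.join(key.split()).lower()] = value.strip()
    return params


def check_idmap(params):
    """Return findings; an empty list means winbindd is pointed at an LDAP idmap store."""
    findings = []
    backend = params.get('idmap backend', '')
    if not backend:
        findings.append("idmap backend is unset: winbindd falls back to winbindd_idmap.tdb")
    elif not backend.startswith('ldap:'):
        findings.append("idmap backend '%s' is not an ldap: URL" % backend)
    for key in ('ldap idmap suffix', 'ldap admin dn'):
        if not params.get(key):
            findings.append("%s is unset: the LDAP idmap store cannot be addressed" % key)
    if ',ou=users,' in params.get('ldap admin dn', '').lower():
        findings.append("ldap admin dn binds under ou=Users; AD's default container is cn=Users")
    if backend.startswith('ldap:') and params.get('ldap ssl', 'no').lower() == 'no':
        findings.append("ldap ssl = no: the admin bind and idmap writes travel in clear text")
    return findings


# Constructed sample mirroring the shape of the posted configuration (no idmap backend).
SAMPLE = """
[global]
   workgroup = AD_DOMAIN
   security = ADS
   ldap suffix = dc=example,dc=com
   ldap idmap suffix = ou=Idmap,dc=example,dc=com
   ldap admin dn = cn=Administrator,cn=Users,dc=example,dc=com
   ldap ssl = no
   idmap uid = 10000-20000
"""
```

Running check_idmap(parse_global(SAMPLE)) reports the missing idmap backend; adding idmap backend = ldap:ldap://ad1.example.com and ldap ssl = start tls to the sample clears every finding.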