Re: [Samba] How to enable both remote and local users?

2004-03-08 Thread Arno Hahma
On 8. Mar, 2004, at 15:48, Gerald (Jerry) Carter wrote:

> This is by design.   I'm assuming that you mean you want users
> in the Windows domain to be mapped to local unix accounts if
> a matching username already exists on the system.

Yes, exactly!

> It's all or none here.  You can tell winbindd to map all windows
> users to local accounts (winbind trusted domains only = yes) or
> to handle all remote users/groups itself.

Oh well... I guess I'll have to go the "all" way then and set up the
shells manually for those who need shell access, plus create all samba
users manually as well. Actually, this is not so bad an idea after it
has been done, since password management still goes to winbindd and
the kerberos servers. I thought I would have saved a lot of work by
only listing shell users in the local /etc/passwd and leaving all the
rest to winbindd.

> cheers, jerry
>  --
--
ArNO
2
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] How to enable both remote and local users?

2004-03-08 Thread Gerald (Jerry) Carter
On Mon, 8 Mar 2004, Arno Hahma wrote:

> On 8. Mar, 2004, at 11:26, Manfred Odenstein wrote:
> 
> > take a look in /etc/nsswitch.conf
> >
> > make an entry like : "passwd: files winbind" should solve your problem
> 
> I forgot to mention that I already have it that way. No, it does not
> work.

This is by design.   I'm assuming that you mean you want users 
in the Windows domain to be mapped to local unix accounts if 
a matching username already exists on the system.

It's all or none here.  You can tell winbindd to map all windows
users to local accounts (winbind trusted domains only = yes) or
to handle all remote users/groups itself.

cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 "If we're adding to the noise, turn off this song" --Switchfoot (2003)



Re: [Samba] How to enable both remote and local users?

2004-03-08 Thread Arno Hahma
On 8. Mar, 2004, at 11:26, Manfred Odenstein wrote:

> take a look in /etc/nsswitch.conf
>
> make an entry like : "passwd: files winbind" should solve your problem

I forgot to mention that I already have it that way. No, it does not
work.

My PAM configuration looks like this:

/etc/pam.d/samba:

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
account    required     /lib/security/pam_stack.so service=system-auth-winbind
session    required     /lib/security/pam_stack.so service=system-auth-winbind
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

So, this one tries to search smbpasswd first.

/etc/pam.d/system-auth-winbind:

#%PAM-1.0

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_winbind.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

This one tries to search /etc/passwd, failing that, goes on to winbind.
So, _both_ smbpasswd and /etc/passwd should be checked before winbind,
but to no avail.

> regards odi
--
ArNO
2


Re: [Samba] How to enable both remote and local users?

2004-03-08 Thread Manfred Odenstein
take a look in /etc/nsswitch.conf

make an entry like : "passwd: files winbind" should solve your problem

regards odi



On Mon, 08.03.2004 at 10:08, Arno Hahma wrote:
> Is there any way to enable both local (/etc/passwd or smbpasswd) users
> and users authenticated remotely by winbindd?
>
> I have a problem with samba-3.0.2a not recognizing local users at all
> if winbindd is enabled (and vice versa, of course).  However, I'd like
> to have local users take precedence over networked users, i.e. samba
> would let in a user if he/she is a local one and only ask the password
> server if none is found by that name. This way, it would be easiest to
> implement a small number of users able to log in with a shell account,
> the rest being samba-only users.
>
> So far, I have found no workaround to this problem, especially if
> there is the same username in the active directory domain and local
> /etc/passwd. In this case, samba gets a real attack of schizophrenia
> and doesn't know whom to obey - with the result that nobody with such
> a duplicate username can get a samba mount.
> 
> 
> --
> ArNO
>  2



[Samba] How to enable both remote and local users?

2004-03-08 Thread Arno Hahma
Is there any way to enable both local (/etc/passwd or smbpasswd) users
and users authenticated remotely by winbindd?

I have a problem with samba-3.0.2a not recognizing local users at all
if winbindd is enabled (and vice versa, of course).  However, I'd like
to have local users take precedence over networked users, i.e. samba
would let in a user if he/she is a local one and only ask the password
server if none is found by that name. This way, it would be easiest to
implement a small number of users able to log in with a shell account,
the rest being samba-only users.

So far, I have found no workaround to this problem, especially if
there is the same username in the active directory domain and local
/etc/passwd. In this case, samba gets a real attack of schizophrenia
and doesn't know whom to obey - with the result that nobody with such
a duplicate username can get a samba mount.

--
ArNO
2
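
One way to find the duplicate usernames described in the original question before choosing between the two winbindd modes discussed in this thread, as an added example that is not from any of the posters: the script compares a passwd-format file with a `wbinfo -u`-style list, ignoring case and any `DOMAIN\` or `DOMAIN+` prefix. The function names, the EXAMPLE domain and both sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: report usernames present both locally and in the domain.
# On a live host the inputs would be /etc/passwd and the output of
# `wbinfo -u`; the sample data below is constructed so this runs offline.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Lowercased local usernames from a passwd-format file ($1).
local_users() {
    cut -d: -f1 "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Lowercased domain usernames from a `wbinfo -u`-style list ($1); a leading
# "DOMAIN\" or "DOMAIN+" (depends on the winbind separator) is stripped.
domain_users() {
    sed -e 's/^.*[\\+]//' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Names that appear in both sources, one per line.
find_collisions() {
    tmp_l=$(mktemp) && tmp_d=$(mktemp) || return 1
    local_users "$1" > "$tmp_l"
    domain_users "$2" > "$tmp_d"
    comm -12 "$tmp_l" "$tmp_d"
    rm -f "$tmp_l" "$tmp_d"
}

# Constructed sample data (hypothetical users, not taken from the thread).
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
backup:x:34:34::/var/backups:/sbin/nologin
EOF
    cat > "$1/domain_users" <<'EOF'
EXAMPLE\Administrator
EXAMPLE\Alice
EXAMPLE\bob
EXAMPLE+backup
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    find_collisions "$d/passwd" "$d/domain_users"
    rm -rf "$d"
}

demo
```

Every name it prints is an account that would need a decision (rename, remove, or map) before switching winbindd between the "all" and "none" behaviours.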