Re: [Samba] Prevent smbd from consulting winbindd
Harry Jede wrote:

>> I am running smbd in a setup described in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553 under Winbind is not used; users and groups are local. Samba is running in the security=domain mode,

> Do you have a PDC with the same setup?

The PDC is a Windows 2000 (sic!) server. I cannot change that.

> Are you syncing uid/gid manually?

I keep Unix uid/gid on Unix and don't want any Winbind-generated uids or gids. All I want is a Windows user MYDOMAIN\johndoe to be mapped to the unix user johndoe whose Unix uid is 2000 in /etc/passwd. This is exactly what happens when winbindd is not started.

[dd]

>> Now I need to run winbindd for Squid authentication. The problem is, as soon as I start winbindd, smbd begins consulting it

> so you are running smbd and winbind and squid on the same machine

Yes.

>> and all Windows users start receiving uids/gids different from those in /etc/passwd.

> That's quite normal.

That's undesirable.

>> How do I prevent smbd from consulting winbindd and make it use the old /etc/passwd mechanism for uids?

> I do not know. I believe it's not possible. Run smbd on one machine with NIS or LDAP, winbind for squid on another machine.

This is an obvious solution, I will do that if I find no other way. But how does smbd communicate with winbindd? Can I hide them from each other? Is auth methods = ntdomain or auth methods = trustdomain not what I want? Which of the auth methods does smbd use when it cannot find a functional winbindd?

> Alternatively you may try to run winbind with its own smb.conf

This may be a good idea but how do I hide winbindd (even running with its own smb.conf) from smbd? How does it communicate with smbd?

> if you wish to try this, you may start with a new setup. I have done this three times with LDAP as backend, it works. If you need more details, I can write a step-by-step guide, maybe next week.

I don't need a step-by-step guide but I would appreciate an explanation how to hide smbd and winbindd from each other other than running them on different hosts.

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Prevent smbd from consulting winbindd
Can't you just disable winbind from nsswitch?

On 28/01/12 11:45, Victor Sudakov wrote:

> Harry Jede wrote:
>
>>> I am running smbd in a setup described in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553 under Winbind is not used; users and groups are local. Samba is running in the security=domain mode,
>
>> Do you have a PDC with the same setup?
>
> The PDC is a Windows 2000 (sic!) server. I cannot change that.
>
>> Are you syncing uid/gid manually?
>
> I keep Unix uid/gid on Unix and don't want any Winbind-generated uids or gids. All I want is a Windows user MYDOMAIN\johndoe to be mapped to the unix user johndoe whose Unix uid is 2000 in /etc/passwd. This is exactly what happens when winbindd is not started.
>
> [dd]
>
>>> Now I need to run winbindd for Squid authentication. The problem is, as soon as I start winbindd, smbd begins consulting it
>
>> so you are running smbd and winbind and squid on the same machine
>
> Yes.
>
>>> and all Windows users start receiving uids/gids different from those in /etc/passwd.
>
>> That's quite normal.
>
> That's undesirable.
>
>>> How do I prevent smbd from consulting winbindd and make it use the old /etc/passwd mechanism for uids?
>
>> I do not know. I believe it's not possible. Run smbd on one machine with NIS or LDAP, winbind for squid on another machine.
>
> This is an obvious solution, I will do that if I find no other way. But how does smbd communicate with winbindd? Can I hide them from each other? Is auth methods = ntdomain or auth methods = trustdomain not what I want? Which of the auth methods does smbd use when it cannot find a functional winbindd?
>
>> Alternatively you may try to run winbind with its own smb.conf
>
> This may be a good idea but how do I hide winbindd (even running with its own smb.conf) from smbd? How does it communicate with smbd?
>
>> if you wish to try this, you may start with a new setup. I have done this three times with LDAP as backend, it works. If you need more details, I can write a step-by-step guide, maybe next week.
>
> I don't need a step-by-step guide but I would appreciate an explanation how to hide smbd and winbindd from each other other than running them on different hosts.
Re: [Samba] Prevent smbd from consulting winbindd
a.key wrote:

> Can't you just disable winbind from nsswitch?

I don't use winbind in nsswitch. Sorry, you misunderstood the whole thread.

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
Re: [Samba] Prevent smbd from consulting winbindd
Volker Lendecke wrote:

>> Colleagues, please respond. Have I asked something too unconventional or something too trivial?

> idmap backend = nss ??

Its man page is very scarce. Is it supposed to work at all? Do you have any experience with it?

root@fs02-sibptus:~# id zimaev
uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
root@fs02-sibptus:~# wbinfo -n zimaev
S-1-5-21-839522115-2139871995-725345543-1618 User (1)
root@fs02-sibptus:~# wbinfo -i zimaev
Could not get info for user zimaev
root@fs02-sibptus:~#

what gives?

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
Re: [Samba] Prevent smbd from consulting winbindd
On 25.01.2012 09:58, Victor Sudakov wrote:

> Volker Lendecke wrote:
>
>>> Colleagues, please respond. Have I asked something too unconventional or something too trivial?
>
>> idmap backend = nss ??
>
> Its man page is very scarce. Is it supposed to work at all? Do you have any experience with it?
>
> root@fs02-sibptus:~# id zimaev
> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
> root@fs02-sibptus:~# wbinfo -n zimaev
> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
> root@fs02-sibptus:~# wbinfo -i zimaev
> Could not get info for user zimaev
> root@fs02-sibptus:~#
>
> what gives?

what do you have in smb.conf defined for security? (general portion of smb.conf)

Greetz, L.
Re: [Samba] Prevent smbd from consulting winbindd
Lukas wrote:

>>>> Colleagues, please respond. Have I asked something too unconventional or something too trivial?

>>> idmap backend = nss ??

>> Its man page is very scarce. Is it supposed to work at all? Do you have any experience with it?
>>
>> root@fs02-sibptus:~# id zimaev
>> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
>> root@fs02-sibptus:~# wbinfo -n zimaev
>> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
>> root@fs02-sibptus:~# wbinfo -i zimaev
>> Could not get info for user zimaev
>> root@fs02-sibptus:~#
>>
>> what gives?

> what do you have in smb.conf defined for security? (general portion of smb.conf)

[global]
workgroup = SIBPTUS
wins server = 10.14.134.1 10.14.134.4
security = domain
idmap backend = nss
idmap uid = 1000-199
idmap gid = 1000-199
template shell = /bin/bash
winbind use default domain = Yes
allow trusted domains = Yes

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
Re: [Samba] Prevent smbd from consulting winbindd
On 25.01.2012 11:49, Victor Sudakov wrote:

> Lukas wrote:
>
>>>>> Colleagues, please respond. Have I asked something too unconventional or something too trivial?
>
>>>> idmap backend = nss ??
>
>>> Its man page is very scarce. Is it supposed to work at all? Do you have any experience with it?
>>>
>>> root@fs02-sibptus:~# id zimaev
>>> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
>>> root@fs02-sibptus:~# wbinfo -n zimaev
>>> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
>>> root@fs02-sibptus:~# wbinfo -i zimaev
>>> Could not get info for user zimaev
>>> root@fs02-sibptus:~#
>>>
>>> what gives?
>
>> what do you have in smb.conf defined for security? (general portion of smb.conf)
>
> [global]
> workgroup = SIBPTUS
> wins server = 10.14.134.1 10.14.134.4
> security = domain
> idmap backend = nss
> idmap uid = 1000-199
> idmap gid = 1000-199
> template shell = /bin/bash
> winbind use default domain = Yes
> allow trusted domains = Yes

To me it seems, since you have security = domain, samba will always try to authenticate to the domain controller. Therefore: wbinfo -i zimaev will not return something valid, unless you prepend the user with the domain (wbinfo -i DOMAIN\zimaev don't forget to map the backslash with a second one DOMAIN\\zimaev) :-)

More about how that works with the security: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SECURITY

The idmap backend = nss just tells samba where to store the mapping information from AD- versus *nix-Users.

that's about what I know of... :) hope it can hint you to where you'd like to go ...

L.
Re: [Samba] Prevent smbd from consulting winbindd
Lukas wrote:

>> Lukas wrote:
>>
>>>>>> Colleagues, please respond. Have I asked something too unconventional or something too trivial?
>>
>>>>> idmap backend = nss ??
>>
>>>> Its man page is very scarce. Is it supposed to work at all? Do you have any experience with it?
>>>>
>>>> root@fs02-sibptus:~# id zimaev
>>>> uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
>>>> root@fs02-sibptus:~# wbinfo -n zimaev
>>>> S-1-5-21-839522115-2139871995-725345543-1618 User (1)
>>>> root@fs02-sibptus:~# wbinfo -i zimaev
>>>> Could not get info for user zimaev
>>>> root@fs02-sibptus:~#
>>>>
>>>> what gives?
>>
>>> what do you have in smb.conf defined for security? (general portion of smb.conf)
>>
>> [global]
>> workgroup = SIBPTUS
>> wins server = 10.14.134.1 10.14.134.4
>> security = domain
>> idmap backend = nss
>> idmap uid = 1000-199
>> idmap gid = 1000-199
>> template shell = /bin/bash
>> winbind use default domain = Yes
>> allow trusted domains = Yes

> To me it seems, since you have security = domain, samba will always try to authenticate to the domain controller. Therefore: wbinfo -i zimaev will not return something valid, unless you prepend the user with the domain (wbinfo -i DOMAIN\zimaev don't forget to map the backslash with a second one DOMAIN\\zimaev) :-)

Don't forget, I have winbind use default domain = Yes and wbinfo -n user_without_domain is successful. Anyway, I have tried both:

root@fs02-sibptus:~# wbinfo -n kuskovaa
S-1-5-21-839522115-2139871995-725345543-1114 User (1)
root@fs02-sibptus:~# wbinfo -i kuskovaa
Could not get info for user kuskovaa
root@fs02-sibptus:~# wbinfo -i SIBPTUS\\kuskovaa
Could not get info for user SIBPTUS\kuskovaa
root@fs02-sibptus:~# wbinfo --own-domain
SIBPTUS
root@fs02-sibptus:~#

> More about how that works with the security: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SECURITY

> The idmap backend = nss just tells samba where to store the mapping information from AD- versus *nix-Users.

Yes, I want to store the mapping in getpwnam() and the primary group in getgrnam().

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
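
Added example (not part of the original thread, and not Samba project code): one way to check for the symptom discussed here, where winbindd hands out uids/gids that differ from /etc/passwd or `wbinfo -i` fails outright, is to compare the local passwd entries with the passwd-style lines `wbinfo -i` prints. The function names and all sample data except the `zimaev` and `johndoe` local ids quoted in the thread are constructed for illustration.

```python
"""Flag accounts whose winbindd mapping differs from the local passwd entry."""

# Constructed /etc/passwd excerpt (name:passwd:uid:gid:gecos:home:shell).
LOCAL_PASSWD = """\
johndoe:x:2000:2000:John Doe:/home/johndoe:/bin/bash
zimaev:x:3237:2000::/home/zimaev:/bin/bash
testuser:x:3300:2000::/home/testuser:/bin/bash
"""

# Constructed results of `wbinfo -i <user>`, keyed by user name. On a live
# host each value would be the captured output of that command.
WINBIND_OUTPUT = {
    "johndoe": "johndoe:*:2000:2000:John Doe:/home/SIBPTUS/johndoe:/bin/bash",
    "zimaev": "zimaev:*:10001:10000::/home/SIBPTUS/zimaev:/bin/bash",
    "testuser": "Could not get info for user testuser",
}


def parse_passwd_line(line):
    """Return (name, uid, gid) from a passwd(5)-format line, else None."""
    fields = line.strip().split(":")
    if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
        return None  # error text, comment, blank or malformed line
    return fields[0], int(fields[2]), int(fields[3])


def find_id_drift(local_passwd, winbind_output):
    """Return {user: reason} for local accounts winbindd maps differently."""
    findings = {}
    for line in local_passwd.splitlines():
        local = parse_passwd_line(line)
        if local is None:
            continue
        name, uid, gid = local
        reported = parse_passwd_line(winbind_output.get(name, ""))
        if reported is None:
            # Covers both a missing result and the "Could not get info" error.
            findings[name] = "no winbind mapping"
        elif (reported[1], reported[2]) != (uid, gid):
            findings[name] = "local %d:%d, winbind %d:%d" % (
                uid, gid, reported[1], reported[2])
    return findings


if __name__ == "__main__":
    drift = find_id_drift(LOCAL_PASSWD, WINBIND_OUTPUT)
    for user in sorted(drift):
        print(user, "->", drift[user])
```

An empty result means every local account resolves to the same uid/gid through winbindd; any entry is an account whose file ownership would change once smbd starts consulting winbindd.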
Re: [Samba] Prevent smbd from consulting winbindd
On 13:37:19 wrote Victor Sudakov:

> Colleagues, I am running smbd in a setup described in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553 under Winbind is not used; users and groups are local. Samba is running in the security=domain mode,

Do you have a PDC with the same setup? Are you syncing uid/gid manually?

> but all Windows users are being mapped to Unix users in /etc/passwd.

This will break the setup which is described in the Samba-HOWTO-Collection you refer to above :-( .

The only way in which this differs from having local accounts is that the accounts are stored in a repository that *can be shared* . In practice this means that they will reside in either *an NIS-type database or else in LDAP* .

So only NIS or LDAP will guarantee that you have identical uid/gid mapping across different machines.

> Now I need to run winbindd for Squid authentication. The problem is, as soon as I start winbindd, smbd begins consulting it

so you are running smbd and winbind and squid on the same machine

> and all Windows users start receiving uids/gids different from those in /etc/passwd.

That's quite normal.

> How do I prevent smbd from consulting winbindd and make it use the old /etc/passwd mechanism for uids?

I do not know. I believe it's not possible. Run smbd on one machine with NIS or LDAP, winbind for squid on another machine.

Alternatively you may try to run winbind with its own smb.conf, for example

# smb.conf for winbind only
# Here you MUST have one blank line

include /etc/samba.conf
[global]
security = domain
winbind use default domain = yes
# and so on

if you wish to try this, you may start with a new setup. I have done this three times with LDAP as backend, it works. If you need more details, I can write a step-by-step guide, maybe next week.

In all cases you must have a PDC with security=user in smb.conf.

> TIA for any input.

-- regards Harry Jede
Re: [Samba] Prevent smbd from consulting winbindd
Colleagues, please respond. Have I asked something too unconventional or something too trivial?

Victor Sudakov wrote:

> Colleagues, I am running smbd in a setup described in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553 under Winbind is not used; users and groups are local. Samba is running in the security=domain mode, but all Windows users are being mapped to Unix users in /etc/passwd.
>
> Now I need to run winbindd for Squid authentication. The problem is, as soon as I start winbindd, smbd begins consulting it and all Windows users start receiving uids/gids different from those in /etc/passwd.
>
> How do I prevent smbd from consulting winbindd and make it use the old /etc/passwd mechanism for uids?
>
> TIA for any input.

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru
Re: [Samba] Prevent smbd from consulting winbindd
On Mon, Jan 23, 2012 at 05:34:35PM +0700, Victor Sudakov wrote:

> Colleagues, please respond. Have I asked something too unconventional or something too trivial?

idmap backend = nss ??

Volker

-- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kont...@sernet.de
[Samba] Prevent smbd from consulting winbindd
Colleagues,

I am running smbd in a setup described in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553 under Winbind is not used; users and groups are local. Samba is running in the security=domain mode, but all Windows users are being mapped to Unix users in /etc/passwd.

Now I need to run winbindd for Squid authentication. The problem is, as soon as I start winbindd, smbd begins consulting it and all Windows users start receiving uids/gids different from those in /etc/passwd.

How do I prevent smbd from consulting winbindd and make it use the old /etc/passwd mechanism for uids?

TIA for any input.

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru