Re: [Samba] Samba + Winbind + Windows 2003 AD
as req. I will resend part of first message: My Samba config: http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] XX hds XXX [...] # wbinfo -g [...] bg XX bg hds bg XXX [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. I know there can be a problem with this if the resolv-names is not working # ping addc.UNDERVISNING.LOCAL PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data. 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms # ping mail.UNDERVISNING.LOCAL PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data. 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms My krb5-conf: Med Venlig Hilsen / Best Regards Henrik Dige Semark Den 19-07-2010 01:49, Necos Secon skrev: I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. Date: Mon, 19 Jul 2010 01:12:41 +0200 From:h...@semark.dk To:esiot...@gmail.com CC:samba@lists.samba.org Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD Hi Micheal Sorry for not sending that information in the first place, but I though that it was so basic that it wasn't necessary. My nsswitch.conf: # cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat winbind hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files services: db files ethers: db files protocols: db files rpc:db files netgroup: nis I will mean that it is the way to do this (and it works just fine on the UNIX servers that run there own Domain Controller) Med Venlig Hilsen / Best Regards Henrik Dige Semark Den 18-07-2010 17:03, Michael Wood skrev: On 18 July 2010 01:34, Henrik Dige Semark wrote: Hey out there. I have to join my UNIX server with an existing Win2k3 AD network. My system info: Debian Lenny Samba - 3.4.8 Winbind - 3.4.8 Windows Server 2003 with 2000-style-AD My problem is that, I have en UNIX server that have to run auth up against our existing windows 2003 AD. I have successfully joined my UNIX server to the AD, without problems. # net ads join -U Administrator Enter Administrator's password: Using short domain name -- TEST Joined 'MAIL' to realm 'TEST.LOCAL' My Samba config:http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] # wbinfo -g [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. Do you have winbind specified in your nsswitch.conf file as mentioned here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732 _ The New Busy is not the old busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi, I found a working Winbind version which is 3.4.7 coming with SLES-11 SP1. I managed to configure Winbind with backend AD to authenticate and authorize users based on Winbind and SFU3.5. Thanks for this Opensoure product. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. Von: Mucke, Tobias, FCI4 An: 'samba@lists.samba.org' Gesendet: Mon Jul 19 18:09:24 2010 Betreff: AW: Re: [Samba] Samba + Winbind + Windows 2003 AD Hi Michael, which version of Samba do you have? Are you able to post your Samba configuration? Thank you. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. Von: Michael Lyon An: Mucke, Tobias, FCI4; samba@lists.samba.org Gesendet: Mon Jul 19 14:22:37 2010 Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC console. I'm using Samba/WInbind and use samba shares as user home directories that are mounted at login-time on Windows 7 machines. This is a first attempt as we migrated to Windows 2k8r2 in order to have better support for Win7 clients, as we had too many issues with Samba as our PDC. Mike On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 wrote: Hi, I'am afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5. Besides AD "versions" there is another large difference between the production and the lab. In production the domain structure is far more complex ... Actually I am deploying a lab more close to the actual production environment. Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody? Thank you. Tobias LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Necos Secon Gesendet: Montag, 19. Juli 2010 01:50 An: samba@lists.samba.org Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that informat
Re: [Samba] Samba + Winbind + Windows 2003 AD
Ah, I'm a Slackware user myself (and I still do sometimes use their binaries for samba when I don't need AD support). I'm not sure if the Fedora package is compiled with AD support, but an ldd `which smbd` will answer that question. You do have the proper options that I mentioned enabled, so this might be an issue elsewhere. Have you tried reinitializing the kerberos ticket with kinit? The other thing to be sure to check is the clock skew. By default, it's 5 minutes in Windows 2003 and higher (not sure about other versions off-hand). Use an ntpdate script (or some other method) to keep the clocks in sync. Hopefully, that helps some. > Date: Mon, 19 Jul 2010 11:22:15 -0500 > From: mjl...@gmail.com > To: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > In all honesty, this is my first time using a binary samba package (I am a > native slackware user that converted to Fedora simply because it was easier > from start-to-finish FWIW) > > []# smbd -V > Version 3.4.7-58.fc12 > > Here's my smb.conf global section: > > [global] >workgroup = WORKGROUPNAME >realm = ad.university.edu >server string = Samba Server Version %v >netbios name = vm-srvname >security = ADS >password server = * >passdb backend = tdbsam >admin users = @"WORKGROUPNAME+Domain Admins" >log level = 2 >log file = /var/log/samba/log.%m >max log size = 5000 >interfaces = eth0 lo >socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 > SO_SNDBUF=524288 >load printers = No >#printing = >printcap name = /etc/printcap >client use spnego = yes >client ntlmv2 auth = yes >winbind use default domain = yes >winbind separator = + >winbind nested groups = Yes >winbind enum users = yes >winbind enum groups = yes >winbind nss info = rfc2307 >allow trusted domains = yes >idmap uid = 1-9 >idmap gid = 1-9 >#idmap backend = ad >idmap domains = WORKGROUPNAME >idmap config WORKGROUPNAME:backend = ad >idmap config WORKGROUPNAME:schema_mode = rfc2307 >idmap config WORKGROUPNAME:range = 1000-75999 >#template shell = /bin/bash >#template homedir = /home/share >#server signing = enabled >;dead time = 15 >getwd cache = yes >nt acl support = yes >acl map full control = no >store dos attributes = yes >map acl inherit = yes >local master = yes >master browser = no >dns proxy = no >unix extensions = no >guest account = nobody > > > Mike > > > On Mon, Jul 19, 2010 at 11:09 AM, Mucke, Tobias, FCI4 < > tobias.mu...@mbda-systems.de> wrote: > > > Hi Michael, > > > > which version of Samba do you have? > > > > Are you able to post your Samba configuration? > > > > Thank you. > > > > Tobias > > > > > > Mit freundlichen Grüßen > > > > Tobias Mucke > > > > > > > > LFK-Lenkflugkörpersysteme GmbH > > Serverpool, FCI4 > > Landshuter Straße 26, 85716 Unterschleißheim, GERMANY > > Phone: +49 89 3179 8438 > > Fax: +49 89 3179 8927 > > Mobile: +49 170 635 3830 > > E-Mail: tobias.mu...@mbda-systems.de > > > > http://www.mbda.net > > > > Chairman of the Supervisory Board: Antoine Bouvier > > Managing Director: Werner Kaltenegger > > Registered Office: Schrobenhausen > > Commercial Register: Amtsgericht Ingolstadt, HRB 4365 > > > > Message sent from handheld via BlackBerry Server. > > > > > > > > Von: Michael Lyon > > An: Mucke, Tobias, FCI4; samba@lists.samba.org > > Gesendet: Mon Jul 19 14:22:37 2010 > > Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD > > > > > > I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC > > console. I'm using Samba/WInbind and use samba shares as user home > > directories that are mounted at login-time on Windows 7 machines. > > > > This is a first attempt as we migrated to Windows 2k8r2 in order to have > > better support for Win7 clients, as we had too many issues with Samba as our > > PDC. > > > > Mike > > > > > > > > On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 < > > tobias.mu...@mbda-systems.de> wrote: > > > > > >Hi, > > >
Re: [Samba] Samba + Winbind + Windows 2003 AD
In all honesty, this is my first time using a binary samba package (I am a native slackware user that converted to Fedora simply because it was easier from start-to-finish FWIW) []# smbd -V Version 3.4.7-58.fc12 Here's my smb.conf global section: [global] workgroup = WORKGROUPNAME realm = ad.university.edu server string = Samba Server Version %v netbios name = vm-srvname security = ADS password server = * passdb backend = tdbsam admin users = @"WORKGROUPNAME+Domain Admins" log level = 2 log file = /var/log/samba/log.%m max log size = 5000 interfaces = eth0 lo socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288 load printers = No #printing = printcap name = /etc/printcap client use spnego = yes client ntlmv2 auth = yes winbind use default domain = yes winbind separator = + winbind nested groups = Yes winbind enum users = yes winbind enum groups = yes winbind nss info = rfc2307 allow trusted domains = yes idmap uid = 1-9 idmap gid = 1-9 #idmap backend = ad idmap domains = WORKGROUPNAME idmap config WORKGROUPNAME:backend = ad idmap config WORKGROUPNAME:schema_mode = rfc2307 idmap config WORKGROUPNAME:range = 1000-75999 #template shell = /bin/bash #template homedir = /home/share #server signing = enabled ;dead time = 15 getwd cache = yes nt acl support = yes acl map full control = no store dos attributes = yes map acl inherit = yes local master = yes master browser = no dns proxy = no unix extensions = no guest account = nobody Mike On Mon, Jul 19, 2010 at 11:09 AM, Mucke, Tobias, FCI4 < tobias.mu...@mbda-systems.de> wrote: > Hi Michael, > > which version of Samba do you have? > > Are you able to post your Samba configuration? > > Thank you. > > Tobias > > > Mit freundlichen Grüßen > > Tobias Mucke > > > > LFK-Lenkflugkörpersysteme GmbH > Serverpool, FCI4 > Landshuter Straße 26, 85716 Unterschleißheim, GERMANY > Phone: +49 89 3179 8438 > Fax: +49 89 3179 8927 > Mobile: +49 170 635 3830 > E-Mail: tobias.mu...@mbda-systems.de > > http://www.mbda.net > > Chairman of the Supervisory Board: Antoine Bouvier > Managing Director: Werner Kaltenegger > Registered Office: Schrobenhausen > Commercial Register: Amtsgericht Ingolstadt, HRB 4365 > > Message sent from handheld via BlackBerry Server. > > > > Von: Michael Lyon > An: Mucke, Tobias, FCI4; samba@lists.samba.org > Gesendet: Mon Jul 19 14:22:37 2010 > Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD > > > I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC > console. I'm using Samba/WInbind and use samba shares as user home > directories that are mounted at login-time on Windows 7 machines. > > This is a first attempt as we migrated to Windows 2k8r2 in order to have > better support for Win7 clients, as we had too many issues with Samba as our > PDC. > > Mike > > > > On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 < > tobias.mu...@mbda-systems.de> wrote: > > >Hi, > >I'am afraid this is a general issue with Winbind. I am experiencing > the same problems and my logs look quite similar to Henrik's logs. I am > using Samba 3.5.4 and tried to resolve this issue without luck. In fact I > have a working lab environment with Winbind 3.5.4, AD based on Windows > Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = > rfc2307. Unfortunately I was not able to port this setup back to the actual > production environment with Winbind 3.5.4 and AD based on Windows Server > 2003 with SFU 3.5. >Besides AD "versions" there is another large difference between the > production and the lab. In production the domain structure is far more > complex ... >Actually I am deploying a lab more close to the actual production > environment. > >Another important thing to me would be a configuration example of > somebody out there using Winbind in an actual version 3.5.x with backend ad > and SFU for Shell and Home Directories. Anybody? > >Thank you. > >Tobias > > > >LFK-Lenkflugkörpersysteme GmbH >Serverpool, FCI4 >Landshuter Straße 26, 85716 Unterschleißheim, GERMANY >Phone: +49 89 3179 8438 >Fax: +49 89 3179 8927 >Mobile: +49 170 635 3830 >E-Mail: tobias.mu...@mbda-systems.de > >http://ww
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Michael, which version of Samba do you have? Are you able to post your Samba configuration? Thank you. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. Von: Michael Lyon An: Mucke, Tobias, FCI4; samba@lists.samba.org Gesendet: Mon Jul 19 14:22:37 2010 Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC console. I'm using Samba/WInbind and use samba shares as user home directories that are mounted at login-time on Windows 7 machines. This is a first attempt as we migrated to Windows 2k8r2 in order to have better support for Win7 clients, as we had too many issues with Samba as our PDC. Mike On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 wrote: Hi, I'am afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5. Besides AD "versions" there is another large difference between the production and the lab. In production the domain structure is far more complex ... Actually I am deploying a lab more close to the actual production environment. Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody? Thank you. Tobias LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Necos Secon Gesendet: Montag, 19. Juli 2010 01:50 An: samba@lists.samba.org Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that information in the first place, but I > though that it was so basic that it wasn't necessary. > > My nsswitch.conf: > # cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > services: db files > ethers: db files > protocols: db files > rpc:db files &
Re: [Samba] Samba + Winbind + Windows 2003 AD
I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC console. I'm using Samba/WInbind and use samba shares as user home directories that are mounted at login-time on Windows 7 machines. This is a first attempt as we migrated to Windows 2k8r2 in order to have better support for Win7 clients, as we had too many issues with Samba as our PDC. Mike On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 < tobias.mu...@mbda-systems.de> wrote: > Hi, > > I'am afraid this is a general issue with Winbind. I am experiencing the > same problems and my logs look quite similar to Henrik's logs. I am using > Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a > working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 > R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. > Unfortunately I was not able to port this setup back to the actual > production environment with Winbind 3.5.4 and AD based on Windows Server > 2003 with SFU 3.5. > Besides AD "versions" there is another large difference between the > production and the lab. In production the domain structure is far more > complex ... > Actually I am deploying a lab more close to the actual production > environment. > > Another important thing to me would be a configuration example of somebody > out there using Winbind in an actual version 3.5.x with backend ad and SFU > for Shell and Home Directories. Anybody? > > Thank you. > > Tobias > > > > LFK-Lenkflugkörpersysteme GmbH > Serverpool, FCI4 > Landshuter Straße 26, 85716 Unterschleißheim, GERMANY > Phone: +49 89 3179 8438 > Fax: +49 89 3179 8927 > Mobile: +49 170 635 3830 > E-Mail: tobias.mu...@mbda-systems.de > > http://www.mbda.net > > Chairman of the Supervisory Board: Antoine Bouvier > Managing Director: Werner Kaltenegger > Registered Office: Schrobenhausen > Commercial Register: Amtsgericht Ingolstadt, HRB 4365 > > -Ursprüngliche Nachricht- > Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] > Im Auftrag von Necos Secon > Gesendet: Montag, 19. Juli 2010 01:50 > An: samba@lists.samba.org > Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD > > > I accidentally deleted the first set of messages in my email for this > thread, but does your DNS resolve properly? What does your resolv.conf look > like? Also, what do these files look like: > > krb5.conf > smb.conf > > There's an option in smb.conf, winbind enum users, which needs to be set in > order for getent to function properly. There is a corresponding option for > groups as well. Look at them and let us know. > > > Date: Mon, 19 Jul 2010 01:12:41 +0200 > > From: h...@semark.dk > > To: esiot...@gmail.com > > CC: samba@lists.samba.org > > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > > > Hi Micheal > > > > Sorry for not sending that information in the first place, but I > > though that it was so basic that it wasn't necessary. > > > > My nsswitch.conf: > > # cat /etc/nsswitch.conf > > # /etc/nsswitch.conf > > # > > # Example configuration of GNU Name Service Switch functionality. > > # If you have the `glibc-doc-reference' and `info' packages installed, > try: > > # `info libc "Name Service Switch"' for information about this file. > > > > passwd: compat winbind > > group: compat winbind > > shadow: compat winbind > > > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > > networks: files > > > > services: db files > > ethers: db files > > protocols: db files > > rpc:db files > > > > netgroup: nis > > > > I will mean that it is the way to do this (and it works just fine on > > the UNIX servers that run there own Domain Controller) > > > > Med Venlig Hilsen / Best Regards > > Henrik Dige Semark > > > > Den 18-07-2010 17:03, Michael Wood skrev: > > > On 18 July 2010 01:34, Henrik Dige Semark wrote: > > > > > >> Hey out there. > > >> > > >> I have to join my UNIX server with an existing Win2k3 AD network. > > >> > > >> My system info: > > >> Debian Lenny > > >> Samba - 3.4.8 > > >> Winbind - 3.4.8 > > >> > > >> Windows Server 2003 with 2000-style-AD > > >> > > >> My problem is that, I have en UNIX server that have to run auth up > > >> against our existing windows 2003 AD. > > >>
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi, I'am afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5. Besides AD "versions" there is another large difference between the production and the lab. In production the domain structure is far more complex ... Actually I am deploying a lab more close to the actual production environment. Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody? Thank you. Tobias LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Necos Secon Gesendet: Montag, 19. Juli 2010 01:50 An: samba@lists.samba.org Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that information in the first place, but I > though that it was so basic that it wasn't necessary. > > My nsswitch.conf: > # cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > services: db files > ethers: db files > protocols: db files > rpc:db files > > netgroup: nis > > I will mean that it is the way to do this (and it works just fine on > the UNIX servers that run there own Domain Controller) > > Med Venlig Hilsen / Best Regards > Henrik Dige Semark > > Den 18-07-2010 17:03, Michael Wood skrev: > > On 18 July 2010 01:34, Henrik Dige Semark wrote: > > > >> Hey out there. > >> > >> I have to join my UNIX server with an existing Win2k3 AD network. > >> > >> My system info: > >> Debian Lenny > >> Samba - 3.4.8 > >> Winbind - 3.4.8 > >> > >> Windows Server 2003 with 2000-style-AD > >> > >> My problem is that, I have en UNIX server that have to run auth up > >> against our existing windows 2003 AD. > >> > >> I have successfully joined my UNIX server to the AD, without problems. > >> # net ads join -U Administrator > >> Enter Administrator's password: > >> Using short domain name -- TEST > >> Joined 'MAIL' to realm 'TEST.LOCAL' > >> > >> My Samba config: http://pastebin.com/ZqaA0Ypn > >> > >> After the join I'm able to lookup peoples with # wbinfo -u > >> > > [...] > > > >> # wbinfo -g > >> > > [...] > > > >> Now the problem, getent only returns the local users and not the > >> users from the AD The funny thing is that if a user is local on the > >> UNIX and in the AD, I can login with the password from both local > >> and AD, so I know that it can lookup people and passwords > >> > >> # getent passwd hs ; echo $? > >> 2 > >> > >> When I debug on
Re: [Samba] Samba + Winbind + Windows 2003 AD
I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that information in the first place, but I though > that it was so basic that it wasn't necessary. > > My nsswitch.conf: > # cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > services: db files > ethers: db files > protocols: db files > rpc:db files > > netgroup: nis > > I will mean that it is the way to do this (and it works just fine on the > UNIX servers that run there own Domain Controller) > > Med Venlig Hilsen / Best Regards > Henrik Dige Semark > > Den 18-07-2010 17:03, Michael Wood skrev: > > On 18 July 2010 01:34, Henrik Dige Semark wrote: > > > >> Hey out there. > >> > >> I have to join my UNIX server with an existing Win2k3 AD network. > >> > >> My system info: > >> Debian Lenny > >> Samba - 3.4.8 > >> Winbind - 3.4.8 > >> > >> Windows Server 2003 with 2000-style-AD > >> > >> My problem is that, I have en UNIX server that have to run auth up against > >> our existing windows 2003 AD. > >> > >> I have successfully joined my UNIX server to the AD, without problems. > >> # net ads join -U Administrator > >> Enter Administrator's password: > >> Using short domain name -- TEST > >> Joined 'MAIL' to realm 'TEST.LOCAL' > >> > >> My Samba config: http://pastebin.com/ZqaA0Ypn > >> > >> After the join I'm able to lookup peoples with > >> # wbinfo -u > >> > > [...] > > > >> # wbinfo -g > >> > > [...] > > > >> Now the problem, getent only returns the local users and not the users from > >> the AD > >> The funny thing is that if a user is local on the UNIX and in the AD, I can > >> login with the password from both local and AD, so I know that it can > >> lookup > >> people and passwords > >> > >> # getent passwd hs ; echo $? > >> 2 > >> > >> When I debug on getent it returns 2, witch means that it can't find the > >> user. > >> > > Do you have winbind specified in your nsswitch.conf file as mentioned here: > > > > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732 > > > > _ The New Busy is not the old busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Micheal Sorry for not sending that information in the first place, but I though that it was so basic that it wasn't necessary. My nsswitch.conf: # cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat winbind hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files services: db files ethers: db files protocols: db files rpc:db files netgroup: nis I will mean that it is the way to do this (and it works just fine on the UNIX servers that run there own Domain Controller) Med Venlig Hilsen / Best Regards Henrik Dige Semark Den 18-07-2010 17:03, Michael Wood skrev: On 18 July 2010 01:34, Henrik Dige Semark wrote: Hey out there. I have to join my UNIX server with an existing Win2k3 AD network. My system info: Debian Lenny Samba - 3.4.8 Winbind - 3.4.8 Windows Server 2003 with 2000-style-AD My problem is that, I have en UNIX server that have to run auth up against our existing windows 2003 AD. I have successfully joined my UNIX server to the AD, without problems. # net ads join -U Administrator Enter Administrator's password: Using short domain name -- TEST Joined 'MAIL' to realm 'TEST.LOCAL' My Samba config: http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] # wbinfo -g [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. Do you have winbind specified in your nsswitch.conf file as mentioned here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
On 18 July 2010 01:34, Henrik Dige Semark wrote: > Hey out there. > > I have to join my UNIX server with an existing Win2k3 AD network. > > My system info: > Debian Lenny > Samba - 3.4.8 > Winbind - 3.4.8 > > Windows Server 2003 with 2000-style-AD > > My problem is that, I have en UNIX server that have to run auth up against > our existing windows 2003 AD. > > I have successfully joined my UNIX server to the AD, without problems. > # net ads join -U Administrator > Enter Administrator's password: > Using short domain name -- TEST > Joined 'MAIL' to realm 'TEST.LOCAL' > > My Samba config: http://pastebin.com/ZqaA0Ypn > > After the join I'm able to lookup peoples with > # wbinfo -u [...] > # wbinfo -g [...] > > Now the problem, getent only returns the local users and not the users from > the AD > The funny thing is that if a user is local on the UNIX and in the AD, I can > login with the password from both local and AD, so I know that it can lookup > people and passwords > > # getent passwd hs ; echo $? > 2 > > When I debug on getent it returns 2, witch means that it can't find the > user. Do you have winbind specified in your nsswitch.conf file as mentioned here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732 -- Michael Wood -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Tobias To be honest I don't really know that mutch about the Windows AD, I'm not an Windows guy, when I talked with the Windows AD Administrator he told my that it was an RFC2307 schema and not an old SFU, but I have just now logged on to the AD server and it doesn't seams like any schemas is loaded at all. My winbind debugging: http://pastebin.com/WjDRvp8q Winbind debugging while getent passwd USER: http://pastebin.com/0B24yePY I don't know way there is a lot of UVROOT.LOCAL, my server is only joined to UNDERVISNING.LOCAL, but the windows AD server do know UVROOT also. -- Med Venlig Hilsen / Best Regards Henrik Dige Semark Den 18-07-2010 08:58, Mucke, Tobias, FCI4 skrev: Hi Henrik, I am also fighting with Winbind for a few days now experiencing some weird behaviour. Regarding your explanation I assume you have SFU running in your AD Domain. Do you really have a RFC2307 complaint schema in AD or do you still stick to SFU schema? For debugging the winbind it was helpful to me to start it in a shell as a foreground process with debugging on, e. g. /usr/sbin/winbindd -SFi -d3 Now you should be able to see the different Winbind behaviour regarding the login and getent. Good luck. Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Henrik Dige Semark Sent: Sunday, July 18, 2010 1:35 AM To: samba@lists.samba.org Subject: [Samba] Samba + Winbind + Windows 2003 AD Hey out there. I have to join my UNIX server with an existing Win2k3 AD network. My system info: Debian Lenny Samba - 3.4.8 Winbind - 3.4.8 Windows Server 2003 with 2000-style-AD My problem is that, I have en UNIX server that have to run auth up against our existing windows 2003 AD. I have successfully joined my UNIX server to the AD, without problems. # net ads join -U Administrator Enter Administrator's password: Using short domain name -- TEST Joined 'MAIL' to realm 'TEST.LOCAL' My Samba config: http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] XX hds XXX [...] # wbinfo -g [...] bg XX bg hds bg XXX [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. I know there can be a problem with this if the resolv-names is not working # ping addc.UNDERVISNING.LOCAL PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data. 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms # ping mail.UNDERVISNING.LOCAL PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data. 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms Is there anyone that can see where I have done something rung in my samba-config.? -- Med Venlig Hilsen / Best Regards Henrik Dige Semark -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Henrik, I am also fighting with Winbind for a few days now experiencing some weird behaviour. Regarding your explanation I assume you have SFU running in your AD Domain. Do you really have a RFC2307 complaint schema in AD or do you still stick to SFU schema? For debugging the winbind it was helpful to me to start it in a shell as a foreground process with debugging on, e. g. /usr/sbin/winbindd -SFi -d3 Now you should be able to see the different Winbind behaviour regarding the login and getent. Good luck. Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Henrik Dige Semark Sent: Sunday, July 18, 2010 1:35 AM To: samba@lists.samba.org Subject: [Samba] Samba + Winbind + Windows 2003 AD Hey out there. I have to join my UNIX server with an existing Win2k3 AD network. My system info: Debian Lenny Samba - 3.4.8 Winbind - 3.4.8 Windows Server 2003 with 2000-style-AD My problem is that, I have en UNIX server that have to run auth up against our existing windows 2003 AD. I have successfully joined my UNIX server to the AD, without problems. # net ads join -U Administrator Enter Administrator's password: Using short domain name -- TEST Joined 'MAIL' to realm 'TEST.LOCAL' My Samba config: http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] XX hds XXX [...] # wbinfo -g [...] bg XX bg hds bg XXX [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. I know there can be a problem with this if the resolv-names is not working # ping addc.UNDERVISNING.LOCAL PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data. 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms # ping mail.UNDERVISNING.LOCAL PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data. 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms Is there anyone that can see where I have done something rung in my samba-config.? -- Med Venlig Hilsen / Best Regards Henrik Dige Semark -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba + Winbind + Windows 2003 AD
Hey out there. I have to join my UNIX server with an existing Win2k3 AD network. My system info: Debian Lenny Samba - 3.4.8 Winbind - 3.4.8 Windows Server 2003 with 2000-style-AD My problem is that, I have en UNIX server that have to run auth up against our existing windows 2003 AD. I have successfully joined my UNIX server to the AD, without problems. # net ads join -U Administrator Enter Administrator's password: Using short domain name -- TEST Joined 'MAIL' to realm 'TEST.LOCAL' My Samba config: http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] XX hds XXX [...] # wbinfo -g [...] bg XX bg hds bg XXX [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. I know there can be a problem with this if the resolv-names is not working # ping addc.UNDERVISNING.LOCAL PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data. 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms # ping mail.UNDERVISNING.LOCAL PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data. 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms Is there anyone that can see where I have done something rung in my samba-config.? -- Med Venlig Hilsen / Best Regards Henrik Dige Semark -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba