Re: [Samba] Samba as Domain Member

2013-06-17 Thread Dale Schroeder

I believe you need to add in [global]

winbind enum users = Yes
winbind enum groups = Yes

Dale

On 06/17/2013 9:41 AM, Zane Zakraisek wrote:

I have Samba 4.6.6 running as an ADDC and all is working great. I have a
Samba 3.6.9 File Server that I want to join to the domain. I have gone
through the steps but am having issues.

In my smb.conf file I have added the following
realm = my.domain
security = ads
encrypt passwords = yes

I edited my Kerberos file
[libdefaults]
 default_realm = MY.DOMAIN
 dns_lookup_kdc = true
[realms]
 ZAKRAISEK.COM = {
 kdc = server.my.domain
 }
[domain_realms]
 .kerberos.server = MY.DOMAIN

I installed winbind and edited my nsswitch.conf to add winbind options.

The book that I went off to set this up says to use the idmap uid and idmap
gid options, but to my knowledge these were deprecated a while ago so I did
not include them.

I did net join -U administrator, and it joined fine. If I look in Active
Directory Users and Computers, I can see a computer account created for the
Linux machine.

I ran net ads testjoin, all is good here, no errors
I ran wbinfo -p, all is good here, no errors
I ran wbinfo -t, all is good here, no errors
Lastly, I ran wbinfo -a MY.DOMAIN\user, typed the password, and everything
worked successfully.

The samba book I'm using then says to run getent passwd My.DOMAIN\user
Here is where the error is. I can not seem to get any domain accounts to
work with this command. If I run getent passwd by itself, it displays a
list of all my local accounts on the machine, but no domain ones. Did I
miss a step?


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
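
A preflight check for the situation in this thread, as an added example (not from the thread or the Samba project): it reads smb.conf and nsswitch.conf text and lists the settings that keep getent from returning domain accounts. The function names are hypothetical and the sample file contents are constructed from the settings quoted above.

```python
import re

# Constructed inputs: the smb.conf settings quoted in the thread, plus an
# nsswitch.conf that already lists winbind.
SMB_CONF = "[global]\nrealm = my.domain\nsecurity = ads\nencrypt passwords = yes\n"
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"

def parse_global(smb_conf):
    """Return the [global] parameters of smb.conf text, keys lower-cased."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def nss_sources(nsswitch, database):
    """Return the lookup sources nsswitch.conf lists for one database."""
    for line in nsswitch.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []

def getent_findings(smb_conf, nsswitch):
    """List settings that keep getent from returning domain accounts."""
    g, findings = parse_global(smb_conf), []
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch.conf: {db} does not list winbind")
    # Enumeration is off by default: a bare 'getent passwd' then shows local
    # accounts only, while a lookup by name still goes through winbind.
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "no").lower() not in ("yes", "true", "1"):
            findings.append(f"smb.conf: {key} is off")
    # The range is set with 'idmap config * : range'; the older
    # 'idmap uid' / 'idmap gid' pair is deprecated but still counts.
    ranged = any(re.fullmatch(r"idmap config\s+\S+\s*:\s*range", k) for k in g)
    if not ranged and not ("idmap uid" in g and "idmap gid" in g):
        findings.append("smb.conf: no idmap range for winbind to allocate IDs from")
    return findings
```

Enumeration makes every bare getent walk the whole directory, so on a large domain it is often left off and the join is tested with a lookup by name.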


Re: [Samba] samba ldap domain member server with cifs and nfs

2012-02-27 Thread steve

On 27/02/12 12:01, Guilhem Souque wrote:
It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU
was the same as those in the USERS OU because I have some entries that
are correct and I had a domain member server in this samba version.


Is there a way to synchronize unix uids with idmap uids?


Hi
We got bad mappings when nscd was caching the wrong uids. In the end,
we decided against winbind and took the uid:gid directly from ldap.

Turn off nscd?
Cheers,
Steve


Re: [Samba] samba ldap domain member server with cifs and nfs

2012-02-27 Thread TAKAHASHI Motonobu
From: Guilhem Souque gsou...@artprice.com
Date: Mon, 27 Feb 2012 12:01:50 +0100

 I try to configure a domain member server on another debian squeeze
 that will serve as cifs and nfs server.

(snip)

 The unix uids provided by winbind are not the same as those used by
 the system (libnss-ldap).
 winbind doesn't know the real user uid.
 The result is that I can't use nfs with cifs because the system users'
 uids (libnss-ldap) are different from those provided by winbind.

 It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU
 was the same as those in the USERS OU because I have some entries that
 are correct and I had a domain member server in this samba version.

 Is there a way to synchronize unix uids with idmap uids?

(snip)

 winbind trusted domains only = Yes

winbind trusted domains only is somewhat deprecated. You should use 
idmap_nss instead.

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] Samba as Domain Member Server Authentication Problem

2010-04-22 Thread Dale Schroeder

John,

See http://www.samba.org/samba/history/samba-3.4.0.html
for the authentication changes made in that version.
There is a new parameter to revert to the old behavior.

Dale


On 04/22/2010 8:17 AM, John Lawler wrote:
I've been working for hours with Samba on Ubuntu Server 9.10 (Samba
version 3.4.0), trying to get it set up simply as a fileserver that
performs authentication to an NT 4 server (yes, I know, old and out of
date).


After much struggling, I finally realized that my configuration *was* 
working when the clients connecting (from XP, and Win2k clients, 
mostly) were actually joined to the domain (where the PDC is the NT 4 
Server) and logged into the domain.


For various reasons, many of the Windows clients at this location 
don't actually log into the domain, even though they have 
login/passwords that are valid users on the domain and they'll 
typically have some drives mapped to the PDC.


By the way, I have this working on another Linux box running Samba 
3.0.28, so I'm sure it's possible, I'm just lost as to how to do it.


When I try to connect to a share on my new Samba box, I see entries 
like these in the logs:


===
[2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user []...@[client1] with the new password interface
[2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [filesrv]...@[client1]
[2010/04/20 15:24:29, 3] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: guest authentication for user [] succeeded
[2010/04/20 15:24:29, 0] param/loadparm.c:9783(widelinks_warning)
Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [client1]\[use...@[illiNI] with the new password interface
[2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [filesrv]\[use...@[client1]
[2010/04/20 15:24:29, 3] auth/auth_sam.c:282(check_sam_security)
check_sam_security: Couldn't find user 'user1' in passdb.
[2010/04/20 15:24:29, 3] auth/auth_winbind.c:54(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [FILESRV] was for this SAM.
[2010/04/20 15:24:29, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [user1] - [user1] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/04/20 15:24:29, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
===

I think the critical part is where it says "Not using winbind,
requested domain [FILESRV] was for this SAM". I *do* want it to use
winbind and authenticate via the remote NT 4 Server, not locally only.


This is an example on the Samba 3.4.0 box where the login *works*, but 
I think only because the user is actually logged into the domain:


===
[2010/04/20 15:23:20, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [domname]\[clien...@[mAILMAN2] with the new password interface
[2010/04/20 15:23:20, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [domname]\[clien...@[client2]
[2010/04/20 15:23:20, 3] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: winbind authentication for user [client2] succeeded
[2010/04/20 15:23:20, 2] auth/auth.c:310(check_ntlm_password)
check_ntlm_password: authentication for user [client2] - [client2] - [MAIN+user2] succeeded
[2010/04/20 15:23:20, 0] param/loadparm.c:9783(widelinks_warning)
Share 'Admin' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2010/04/20 15:23:20, 1] smbd/service.c:1062(make_connection_snum)
user2 (:::192.168.1.5) connect to service Admin initially as user DOMNAME+user2 (uid=70030, gid=70005) (pid 4821)
[2010/04/20 15:23:20, 0] param/loadparm.c:9783(widelinks_warning)
Share 'Admin' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2010/04/20 15:23:20, 1] smbd/service.c:1062(make_connection_snum)
user2 (:::192.168.1.5) connect to service Admin initially as user DOMNAME+user2 (uid=70030, gid=70005) (pid 4821)
[2010/04/20 15:23:39, 1] smbd/service.c:1241(close_cnum)
user2 (:::192.168.1.5) closed connection to service Admin
===

This is an example of the same authentication (from user1, *not* 
logged into the domain) succeeding on Samba 3.0.x:



Re: [Samba] Samba as Domain Member Server Authentication Problem

2010-04-22 Thread John Lawler

 http://www.samba.org/samba/history/samba-3.4.0.html
 for the authentication changes made in that version.
 There is a new parameter to revert to the old behavior.

Dale,

Thanks a bunch.  As you correctly identified, that was the exact 
problem.  Now I can authenticate from the other clients.


Adding:

  map untrusted to domain = Yes

to my smb.conf solved the problem and reverted to the behavior I'm used 
to (and currently relying on).


I'm only sorry I didn't post my problem about a day earlier.

jl
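
The log pattern discussed in this thread, as an added triage example (not from the thread or the Samba project): it pairs each "Checking password" entry with its "mapped user" and winbind lines and returns the logons whose domain was rewritten to the server's own SAM name. The sample log is constructed in the same log level 3 layout, and the host, domain and function names are placeholders.

```python
import re

# Constructed sample in the log level 3 layout shown in the thread (names are made up).
SAMPLE_LOG = r"""
[2010/04/20 15:23:20, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMNAME]\[user2]@[CLIENT2] with the new password interface
[2010/04/20 15:23:20, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMNAME]\[user2]@[CLIENT2]
[2010/04/20 15:23:20, 2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [user2] -> [user2] -> [DOMNAME+user2] succeeded
[2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [CLIENT1]\[user1]@[CLIENT1] with the new password interface
[2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FILESRV]\[user1]@[CLIENT1]
[2010/04/20 15:24:29, 3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FILESRV] was for this SAM.
[2010/04/20 15:24:29, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_SUCH_USER
"""

IDENT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"   # [DOMAIN]\[user]@[WORKSTATION]
UNMAPPED = re.compile(r"unmapped user " + IDENT)
MAPPED = re.compile(r"mapped user is: " + IDENT)
LOCAL_SAM = re.compile(r"Not using winbind, requested domain \[([^\]]*)\] was for this SAM")
RESULT = re.compile(r"[Aa]uthentication for user \[([^\]]*)\].*?(succeeded|FAILED with error (\S+))")

def auth_attempts(log_text):
    """Group the auth lines into one record per 'Checking password' entry."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := UNMAPPED.search(line):
            cur = {"user": m[2], "client": m[3], "requested": m[1],
                   "mapped": None, "winbind_skipped": False, "status": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := MAPPED.search(line):
            cur["mapped"] = m[1]
        elif LOCAL_SAM.search(line):
            cur["winbind_skipped"] = True
        elif m := RESULT.search(line):
            cur["status"] = m[3] or "OK"
    return attempts

def remapped_to_local_sam(attempts):
    """Logons whose domain was rewritten to the server's own SAM and never reached winbind."""
    return [a for a in attempts if a["winbind_skipped"] and a["mapped"] != a["requested"]]
```

The returned logons are the ones that `map untrusted to domain = Yes` hands to the domain controller instead of the local SAM, so the list shows which clients depend on that setting.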


Re: [Samba] Samba as domain member to another samba PDC

2010-01-05 Thread Andreas Heinlein
Daniel Müller wrote:
 Hello,
 with pdbedit -L on my MemberServer (Samba) I could not list the domain
 users and groups!
 With pdbedit -L it is only working on my PDC(Samba)
I assume then this is - at least at the moment - normal behaviour of
pdbedit. Perhaps someone else on this list can tell me if this is going
to change or has already changed e.g. with Samba 4.
 Try getent passwd and getent group instead. If there show up your
 users and groups.
 try example:  touch test.txt and then  chown
 yourdomainuser:thisuserdomaingroup.
 If this function you can test next: Make a share on your
 SambaMemberServer. Give the rights to a user
 only known in your SambaDomain (no local user) . Try to connect
 the share as this user.
 If this is working you got it.
I already did that, and it works. That's not the point I'm asking for.
As I wrote in my first post, I want to use a GUI for creating samba
shares that relies on the output of pdbedit -L for listing users which
are allowed/denied access. If pdbedit -L does not work, I will either
have to write my own pdbedit which will mimic the expected output by
calling ldapsearch and formatting the output like pdbedit does. Or I
will have to find another suitable GUI.

Thank you for your help,
Andreas



Re: [Samba] Samba as domain member to another samba PDC

2010-01-04 Thread Andreas Heinlein
Daniel Müller wrote:
 Hello,
 when I have read right. You joined an ubuntu samba pc to your samba
 domain!
 testparm gives you: ROLE_DOMAIN_MEMBER?
Correct.
 First of all your domain member must have exactly the same users and
 passwords as your pdc/ldap.
 You can do that with installing ldapclient. Configure it with
 ldapserver: your pdc/ldap.
 Now getent passwd and getent group should show you all your
 users/groups kept on your pdc/ldap.
I did that using libpam-ldap/libnsswitch-ldap. getent group/passwd
returns what you say, and user authentication on the UNIX side works well.
 If you succeed with this. You need in your smb.conf:
 security=DOMAIN
 password server=YOUR-PDC-LDAP
I have password server = *, but explicitly setting the PDC changes nothing.
 For me I had to copy my ldap config section from my smb.conf on my PDC
 here:
 ldap
 idmap backend=ldap:ldap://YOUR-PDC-LDAP
 idmap uid...
 idmap gid

I do not currently have the idmap... things, since I thought I do not
need them. I tried, and it changed nothing. pdbedit -L still returns
SID ... does not belong to our domain. What does it return on your
machine?

Bye,
Andreas



Re: [Samba] Samba became Domain Member Server

2004-09-29 Thread Thomas M. Skeren III
Martin Hauptmann wrote:
Hi group,
I have problems with a former Samba-server. It has been a simple server, no acl-stuff, not a DC or so.
 

ACL's would be a good idea here.
Now we have a Windows 2003 PDC and I integrated the Samba-Server as a Domain Member
Server.
Everything works fine, except one annoying thing:
I cannot allow the Domain-Members to full-access the files recursively.
Example:
The users complain that they can make an excel-sheet and save it. When someone else opens it, he cannot overwrite it. When the owner of the file gives the right to all domain-users to change the file they can do that. But when they save it, it is the same game again: Nobody else can overwrite it.
 

This is because MS Excel deletes the old file and replaces it with the
new one, thus resetting privileges on the file to 700.  Man smb.conf for
force user, or force directory mask, which should eliminate the problem,
if you don't want to mess with ACL's.

I am not a member of this group but I hope you will answer my question :-)
bye
Martin
