[Samba] Moving to a New Domain
Can someone point me to information on how Samba handles SID History when using security=ads and changing domains? I've done some prototyping in transferring the idmaps from old to new SIDs when using an LDAP backend, but would like to see a recommended practice if one exists. I'm especially interested in if and how ACLs on a global share would transfer with the domain change.

BTW: If the LDAP backend has to contain multiple SIDs (the SID history) pointing to the same uid/gid, this can cause a winbindd crash (Bug #997).

So, again, any personal experience or document references would be appreciated.

Tons of Thanks,
john

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] AD Connection Problems
We are using Samba for shares and Winbind for Active Directory authentication, and are down to a few problems.

If the AD goes down or reboots, Winbind loses its connection. In the winbind log, it reports:

Could not open a connection to TEST1 for \PIPE\NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)

Right now we have to reboot all Winbind systems for them to connect again. Is there a way for Winbind to automatically connect to the rebooted AD?

Thanks,
john
[Samba] Winbindd restarts and lost uids
We have a problem with our setup that exposed another problem in winbindd.

Setup: Samba 3.0.1, openLDAP 1.2.23 for idmap backend using port 1389, security=ads (w2k). All works after we get the daemons started successfully.

The first issue has to do with the initial setup of both a Samba server [smbd, nmbd, winbindd, slapd], and a Samba client [just nmbd and winbindd]. We do the following:

1) Configure smb.conf, krb5.conf, slapd.conf
2) kinit [EMAIL PROTECTED]
3) net ads join

At this point, a klist shows the tickets, and net ads testjoin returns success. Then we try to start all the processes as root via:

slapd -h ldap://smbdev.tst.samba17.test:1389
smbd -D
nmbd -D
winbindd

Usually, and this is the first problem, the log.winbindd reports the following:

nsswitch/winbindd.c:main(842) winbindd version 3.0.1 started.
Copyright The Samba Team 2000-2003
nsswitch/winbindd_util.c:add_trusted_domain(150) Added domain TST TST.SAMBA17.TEST
libsmb/clikrb5.c:ads_krb5_mk_req(269) krb5_cc_get_principal failed (No credentials cache found)
libads/kerberos.c:ads_kinit_password(133) kerberos_kinit_password HOST/[EMAIL PROTECTED] failed: Client not found in Kerberos database
nsswitch/winbindd_ads.c:ads_cached_connection(65) ads_connect for domain TST failed: Operations error
nsswitch/winbindd_util.c:add_trusted_domains(207) scanning trusted domain list

If the error "Client not found in Kerberos database" appears, winbindd will not connect to the AD, giving the "Operations error". If we leave winbindd running it appears not to ever reconnect. Instead, we have to kill and restart winbindd. So now we have an ugly scripted loop that does something to the effect of the following:

1) start all daemons
2) Wait 30 seconds for winbindd to go through its initialization
3) try a wbinfo -u.
4) If no users are returned by wbinfo, kill all daemons and go back to step 1.

Winbindd successfully connects after an average of 2.5 minutes. On this success, the same section of the log will show:

nsswitch/winbindd.c:main(842) winbindd version 3.0.1 started.
Copyright The Samba Team 2000-2003
nsswitch/winbindd_util.c:add_trusted_domain(150) Added domain TST TST.SAMBA17.TEST
libsmb/clikrb5.c:ads_krb5_mk_req(269) krb5_cc_get_principal failed (No credentials cache found)
nsswitch/winbindd_util.c:add_trusted_domains(207) scanning trusted domain list

I would truly like to know what we are doing wrong here. I've searched the web and newsgroups and have found similar errors, but no solutions that worked here. Code perusals haven't found anything (yet). The times on the Samba server and the AD are within a second of each other. Permissions are correct and files exist as expected.

It definitely appears to be related to time, though. If I do the kinit and net ads join, then wait around five minutes before starting the daemons, winbindd starts up fine. What could need the time? Is there any command that I can run before starting Samba to verify all is ready?

If you have suggestions for this, please pass them on, because this causes another problem that is a killer for us.

First I'll give an abbreviated description of what I'm about to describe. I hope this will make the next paragraph easier to follow: with user testuser1 and domain TST:

0) client tries to access a global share
1) client GETPWNAM request for tst+testuser1 to the Samba server
2) client GETPWNAM request for TST+testuser1 to the Samba server
3) client GETPWNAM request for TST+TESTUSER1 to the Samba server
4) client GETPWNAM request for testuser1 to the Samba server
5) client GETPWNAM request for TESTUSER1 to the Samba server
6) client CREATE_USER request for testuser1, which returns success and uses up a uid.
7) Process repeats since the winbindd server still can't authenticate using the AD -- including the CREATE_USER.

Now to elaborate: There have been situations where a PC tries to access a Samba share. In this case, the user is an AD global user that is not yet in the openLDAP idmap backend. I expect that even if it was in the idmap, the problem would still exist. At the time of these client requests, winbindd is up and running on the Samba server, but received that Kerberos error above (we are at step 2 of the startup loop, so winbindd can't talk with AD yet). The client tries five variations of the user name, attempting to authenticate using the winbindd server. This failing, it sends a CREATE_USER request to the winbindd server. The winbindd server pulls the next available id from the openLDAP backend, incrementing the openLDAP's next-available stored in uidNumber (= issue!!), then calls wb_storepwnam. wb_storepwnam returns success (recall that we authenticate to AD and don't have a working connection to AD). The client then repeats this cycle, requesting authentication, then
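Both the "AD Connection Problems" post and the startup loop described above come down to the same question: how to tell, from a script, whether winbindd actually has a working connection before letting the rest of the stack depend on it. The following is an added example, not code from the posts or from Samba itself. It is a small POSIX sh readiness probe: it treats a probe command (by default `wbinfo -u`, as in John's step 3) as healthy only when it exits 0 and returns at least one line, retries with a delay instead of a blind 30-second sleep, and offers a "restart only after N consecutive failures" test for the rebooted-AD case. The attempt counts and delays are illustrative, and the probe command is a parameter so it can be swapped for `wbinfo -t` or a stub.

```shell
#!/bin/sh
# Added example (not from the original posts or Samba): probe winbindd for a
# working AD connection before starting smbd or deciding to restart winbindd.
# Assumptions: the probe command prints at least one line and exits 0 once
# winbindd can reach the DC (true for `wbinfo -u` in a working setup), and
# prints nothing or exits non-zero before that. Counts and delays are examples.

# probe_winbind CMD: succeed only when CMD exits 0 and prints something.
# CMD defaults to "wbinfo -u". An empty user list counts as "not ready".
probe_winbind() {
    cmd=${1:-"wbinfo -u"}
    out=$($cmd 2>/dev/null) || return 1
    [ -n "$out" ]
}

# wait_for_winbind MAX DELAY CMD: retry probe_winbind up to MAX times,
# sleeping DELAY seconds between attempts. Prints the attempt number on
# which the probe first succeeded and returns 0; returns 1 if it never did.
wait_for_winbind() {
    max=$1; delay=$2; cmd=$3
    n=1
    while [ "$n" -le "$max" ]; do
        if probe_winbind "$cmd"; then
            echo "$n"
            return 0
        fi
        sleep "$delay"
        n=$((n + 1))
    done
    return 1
}

# needs_restart LIMIT CMD: return 0 (yes, restart) only if LIMIT consecutive
# probes all fail, so a single transient miss does not trigger a restart.
needs_restart() {
    limit=$1; cmd=$2
    i=1
    while [ "$i" -le "$limit" ]; do
        probe_winbind "$cmd" && return 1
        i=$((i + 1))
    done
    return 0
}

# Usage in a start script (not run here):
#   winbindd
#   if n=$(wait_for_winbind 30 10 "wbinfo -u"); then
#       echo "winbindd ready after $n attempts"; smbd -D; nmbd -D
#   else
#       echo "winbindd never reached the DC; not starting smbd" >&2; exit 1
#   fi
# In a periodic health check:
#   needs_restart 3 "wbinfo -t" && { pkill winbindd; winbindd; }
```

The probe deliberately requires non-empty output: in the scenario above `wbinfo -u` can exit cleanly yet list nobody while winbindd has no AD connection, and that is exactly the state in which CREATE_USER requests start burning uids, so "no users" is treated as "not ready".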
[Samba] AD Primary Group Masked by Local Primary Group
Solaris 8, Samba 3.0.1, Winbind with LDAP backend and security = ads.

This may or may not be a problem, depending on what is expected behaviour.

We came across a user that was defined both locally and in AD. Their local primary group, call it localgrp, was not the same as their global primary group, call it globalgrp. One important note is that by using an LDAP browser, we can see that the user is not explicitly a Member Of globalgrp (ie: there is no member entry for the user in globalgrp). The only way the user is tied to the globalgrp is that it is his AD primary group.

Now, onto the solaris side. At logon, their groups are determined through nsswitch and a call to the solaris wrapper function nss_winbind_getgroupsbymember_solwrap. With the patch from Bug 972, this returns all local and AD groups, including both the local primary group, localgrp, and the AD primary group, globalgrp. Other functions, like id -a username, go through the getgrent cycle, and only return localgrp. This is due to the user not being an explicit group member. The getgrent cycle does not see a user's primary group.

Parallels exist in other systems, like NIS, when a local primary group overloads a directory's primary group. In those cases, only the local is shown. So, should the getgrent cycle go through User's primary groups too? The concern is that some applications will use a function to check group access by using a method that does not return the overloaded primary group.

john

--
The first section below is a modified debug output of an su - user2a execution, where both the local primary group, localgrp, and the global primary group, globalgrp (10328), are returned.

[ 1277]: nss_winbind: Initialized nss_winbind group backend
[ 1277]: nss_winbind: _nss_winbind_getgroupsbymember
[ 1277]: initgroups user2a (10)
[ 1277]: initgroups gid=1
[ 1277]: initgroups gid=10328

Below is a modified debug output of an id -a user2a execution, where only the local primary group, localgrp, is returned.

[ 932]: nss_winbind: Initialized nss_winbind group backend
[ 932]: nss_winbind: _nss_winbind_setgrent_solwrap
[ 932]: setgrent
...
[ 932]: getgrent
group.gr_name = Domain Users
group.gr_passwd = x
group.gr_gid = 1
group.gr_mem = 0x25afc (user1a) 0x25b00 (user2a)
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: Domain Users
...
[ 932]: getgrent
group.gr_name = globalgrp
group.gr_passwd = x
group.gr_gid = 10328
group.gr_mem = 0x25af8 (user1a) 0x25b00 (domadmin)
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning group: TBMCS
...
[ 932]: getgrent
[ 932]: nss_winbind: _nss_winbind_getgrent_solwrap: Returning error: 1.
[ 932]: nss_winbind: _nss_winbind_endgrent_solwrap
[ 932]: endgrent
[ 932]: nss_winbind: _nss_winbind_group_destr
uid=1001(user2a) gid=10(localgrp) groups=1(other)[ 932]: nss_winbind: Initialized nss_winbind group backend
[ 932]: nss_winbind: _nss_winbind_getgrgid_solwrap
[ 932]: getgrgid 1
,2(bin),4(adm),14(sysadmin),1(Domain Users)
[Samba] dtsession PAM error
This may be OT, since I don't think it is related to samba, but since we just made pam.conf changes for samba, we are on the top of the suspect list.

Occasionally, we are getting a running error in a .dt/errorlog stating:

TIMESTAMP dtsession: pam_start status = 4

This *quickly* fills up the disk, as it is written many, many times per second. It occurs on both Samba clients and servers, but doesn't start until after the system has been running for quite a while. We've been unable to pin down what is causing it. I've been doing net searches but have yet to find any pointers. Samba code searches have not illuminated anything either.
[Samba] Winbind PAM authentication
Config: Solaris 8, OpenLDAP winbind backend, using AD for global users.

Is there documentation on what service_name / module_type pairs are supported by pam_winbind? I've gone through the Samba-3 HOWTO book and internet searches, but haven't found anything definitive.

I have been able to tell through experimentation that winbind doesn't work with rsh auth, giving a Protocol Error when attempted.
RE: [Samba] Secondary Groups and Group Mapping
The problem was in the libnss_winbind.so code for Solaris 8. The wrapper function to initialize the secondary groups immediately returned without doing any work. As Jerry mentioned previously, this is already an open bug. I've submitted a patch to that bug report that adds the required functionality. See:

https://bugzilla.samba.org/show_bug.cgi?id=395

As I stated in the bug report: Preliminary tests using this patch were completely successful. However, I'm going to be performing further tests to ensure there are no side effects that I have yet to find.

john

-----Original Message-----
From: Klinger, John (N-CSC)

Thank you for your response. Bug 910 looks like a different issue.

We are using Samba on Solaris 8, with security = ads, with AD running on a W2K server. We cannot access someone else's file on Solaris that is owned by a group that we are a member of, if that group is not our primary group.

example:

Given nsswitch that have 2 lines modified for winbind:
passwd: files winbind
group: files winbind

Given a file owned by user1:group2 such as the following:
-rw-rw---- user1 group2 0 Jan 7 testfile.txt

And given user2 has a primary group of group1 and a secondary group of group2.

The following commands were executed on our smbdev platform, that contains the smb server.

smbdev su - user2
Password:
smbdev id
uid=1001(user2) gid=10001(group1)
smbdev id -a
uid=1001(user2) gid=10001(group1) groups=10001(group1)
smbdev id -a user2
uid=1001(user2) gid=10001(group1) groups=10002(group2)
smbdev getent group | grep user2
group1:x:10001:user1,user2
group2:x:10002:user1,user2
smbdev grep user2 /etc/group
smbdev wbinfo -r user2
10002
10001
smbdev groups
group1
smbdev cat testfile.txt
cat: cannot open testfile.txt
smbdev touch testfile
smbdev chgrp group2 testfile2
chgrp: group2: Not owner
smbdev newgrp group2
$ chgrp group2 testfile2
$ ls -l testfile2
-rw-r----- user2 group2 0 Jan 7 testfile2
$ exit
smbdev

At the initial su to user2, there is a lot of activity in the winbindd log with log level = 10, but it only mentions the uid of 1001 and the gid of 10001. The secondary group is not mentioned in the log.

If I add group2 to the /etc/group file, it works (as one would expect due to the nsswitch.conf settings). I expect it is a problem in libnss_winbind.so.

john

From: Hansjoerg Maurer
Sent: Wednesday, January 07, 2004 12:05 AM

Hi,

this might be related to bug 910 "domain admin rights only works for user, which primary group is domain admins" I submitted last week. Just for your information. If you want me doing some testing, just give me a note.

Thank you

Hansjörg

Klinger, John (N-CSC) wrote:

From: Klinger, John (N-CSC)
Sent: Friday, December 19, 2003 8:14 AM

| | The first issue deals with the file sharing. Even if a file gives
| | full permission to one of a user's secondary groups, that user
| | cannot access the file. The user can only access the file (or
| | directory) if the file's group is the user's primary group. I've
| | found several references on the web and in https://bugzilla.samba.org,
| | which seem to indicate that the bug is fixed. However, we also tried
| | this with 3.0.1rc2 and have the same problem; which makes us think
| | it is a configuration error or something we haven't found
| | related to nsswitch.
|
| Gerald (Jerry) Carter wrote:
|
| This is an open bug
| ~ https://bugzilla.samba.org/show_bug.cgi?id=395
|
| cheers, jerry
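The evidence John collected by hand in the quoted message (getent group lists user2 in group2, but the login session only carries gid 10001) can be turned into a repeatable check that flags exactly this libnss_winbind symptom. The following is an added example, not code from the thread or from Samba: a POSIX sh script that parses group-file formatted lines (what `getent group` prints), lists the gids a user is a member of, and reports the ones missing from the gid list the session actually received. The sample lines are constructed from the post; the gid list argument is assumed to be whatever the local `id` reports for the session.

```shell
#!/bin/sh
# Added example (not from the posts or Samba): compare the groups NSS says a
# user belongs to with the gids the login session actually got. A non-empty
# result is the "secondary groups missing" symptom from the thread.
# Assumption: input is in group-file format (name:passwd:gid:member,member).

# groups_from_getent USER: read group-file lines on stdin and print the gid
# of every group whose member list contains USER (primary group membership
# via the passwd entry is not visible here, same as for getgrent).
groups_from_getent() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $3; break }
    }'
}

# missing_gids USER "GID GID ...": read group-file lines on stdin and print
# each gid that lists USER as a member but is absent from the space-separated
# gid list (the session's gids). Empty output means the two views agree.
missing_gids() {
    user=$1; have=" $2 "
    groups_from_getent "$user" | while read -r gid; do
        case "$have" in
            *" $gid "*) ;;
            *) echo "$gid" ;;
        esac
    done
}

# Constructed sample mirroring the post: getent shows user2 in both groups,
# while the su'd session reported only gid 10001.
SAMPLE_GETENT='group1:x:10001:user1,user2
group2:x:10002:user1,user2
other:x:1:'

# check_sample: run the comparison on the constructed sample; prints "10002".
check_sample() {
    printf '%s\n' "$SAMPLE_GETENT" | missing_gids user2 "10001"
}

# Live usage (not run here): on the Samba host, as the user being checked,
#   getent group | missing_gids "$(id -un)" "$(id -G)"
# where `id -G` is assumed to exist (on Solaris 8 use the XPG4 id if the
# default one lacks -G). Any gid printed is a group the kernel will not
# honour for file access even though NSS enumeration lists the membership.
```

Because the check reads the same NSS sources the file server consults, it works unchanged for local /etc/group entries, winbind-supplied groups and mixed setups; running it right after login catches the failure before anyone hits "cannot open" on a group-readable file.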
RE: [Samba] Secondary Groups and Group Mapping
Thank you for your response. Bug 910 looks like a different issue.

We are using Samba on Solaris 8, with security = ads, with AD running on a W2K server. We cannot access someone else's file on Solaris that is owned by a group that we are a member of, if that group is not our primary group.

example:

Given nsswitch that have 2 lines modified for winbind:
passwd: files winbind
group: files winbind

Given a file owned by user1:group2 such as the following:
-rw-rw---- user1 group2 0 Jan 7 testfile.txt

And given user2 has a primary group of group1 and a secondary group of group2.

The following commands were executed on our smbdev platform, that contains the smb server.

smbdev su - user2
Password:
smbdev id
uid=1001(user2) gid=10001(group1)
smbdev id -a
uid=1001(user2) gid=10001(group1) groups=10001(group1)
smbdev id -a user2
uid=1001(user2) gid=10001(group1) groups=10002(group2)
smbdev getent group | grep user2
group1:x:10001:user1,user2
group2:x:10002:user1,user2
smbdev grep user2 /etc/group
smbdev wbinfo -r user2
10002
10001
smbdev groups
group1
smbdev cat testfile.txt
cat: cannot open testfile.txt
smbdev touch testfile
smbdev chgrp group2 testfile2
chgrp: group2: Not owner
smbdev newgrp group2
$ chgrp group2 testfile2
$ ls -l testfile2
-rw-r----- user2 group2 0 Jan 7 testfile2
$ exit
smbdev

At the initial su to user2, there is a lot of activity in the winbindd log with log level = 10, but it only mentions the uid of 1001 and the gid of 10001. The secondary group is not mentioned in the log.

If I add group2 to the /etc/group file, it works (as one would expect due to the nsswitch.conf settings). I expect it is a problem in libnss_winbind.so.

john

-----Original Message-----
From: Hansjoerg Maurer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 07, 2004 12:05 AM
To: Klinger, John (N-CSC)
Cc: Gerald (Jerry) Carter
Subject: Re: [Samba] Secondary Groups and Group Mapping

Hi,

this might be related to bug 910 "domain admin rights only works for user, which primary group is domain admins" I submitted last week. Just for your information. If you want me doing some testing, just give me a note.

Thank you

Hansjörg

Klinger, John (N-CSC) wrote:

-----Original Message-----
From: Klinger, John (N-CSC)
Sent: Friday, December 19, 2003 8:14 AM

| | Klinger, John (N-CSC) wrote:
| |
| | The first issue deals with the file sharing. Even if a file gives
| | full permission to one of a user's secondary groups, that user
| | cannot access the file. The user can only access the file (or
| | directory) if the file's group is the user's primary group. I've
| | found several references on the web and in https://bugzilla.samba.org,
| | which seem to indicate that the bug is fixed. However, we also tried
| | this with 3.0.1rc2 and have the same problem; which makes us think
| | it is a configuration error or something we haven't found
| | related to nsswitch.
|
| Gerald (Jerry) Carter wrote:
|
| This is an open bug
| ~ https://bugzilla.samba.org/show_bug.cgi?id=395
|
| cheers, jerry

Good news, Jerry; thanks for the reply.
RE: [Samba] Secondary Groups and Group Mapping
-----Original Message-----
From: Klinger, John (N-CSC)
Sent: Friday, December 19, 2003 8:14 AM

| | Klinger, John (N-CSC) wrote:
| |
| | The first issue deals with the file sharing. Even if a file gives
| | full permission to one of a user's secondary groups, that user
| | cannot access the file. The user can only access the file (or
| | directory) if the file's group is the user's primary group. I've
| | found several references on the web and in https://bugzilla.samba.org,
| | which seem to indicate that the bug is fixed. However, we also tried
| | this with 3.0.1rc2 and have the same problem; which makes us think
| | it is a configuration error or something we haven't found
| | related to nsswitch.
|
| Gerald (Jerry) Carter wrote:
|
| This is an open bug
| ~ https://bugzilla.samba.org/show_bug.cgi?id=395
|
| cheers, jerry

Good news, Jerry; thanks for the reply.

This puts a large and noticeable kink in our architecture. What can we do to help get it resolved?

Bug 395 references another link describing a similar problem on Solaris 9 with patch 112960-03. However, the problem exists for us on Solaris 8 without said patch series. We've successfully executed Samba using the same configuration files on a Debian and Red Hat 9 system built from scratch using the same Samba source. We were going to build on Solaris 9 in an attempt to narrow the problem when I received your reply.

Again, what can we do to support Samba and help hunt this down? I've now been tasked to work on this full time. Do you have any pointers or suggestions on what I should investigate first? I'll use 395 as a loose basis unless I hear otherwise (and look into the 3.0.2rc when it arrives).

thanks,
john
RE: [Samba] Secondary Groups and Group Mapping
| | Klinger, John (N-CSC) wrote:
| |
| | The first issue deals with the file sharing. Even if a file gives
| | full permission to one of a user's secondary groups, that user
| | cannot access the file. The user can only access the file (or
| | directory) if the file's group is the user's primary group. I've
| | found several references on the web and in https://bugzilla.samba.org,
| | which seem to indicate that the bug is fixed. However, we also tried
| | this with 3.0.1rc2 and have the same problem; which makes us think
| | it is a configuration error or something we haven't found
| | related to nsswitch.
|
| Gerald (Jerry) Carter wrote:
|
| This is an open bug
| ~ https://bugzilla.samba.org/show_bug.cgi?id=395
|
| cheers, jerry

Good news, Jerry; thanks for the reply.

This puts a large and noticeable kink in our architecture. What can we do to help get it resolved?

Bug 395 references another link describing a similar problem on Solaris 9 with patch 112960-03. However, the problem exists for us on Solaris 8 without said patch series. We've successfully executed Samba using the same configuration files on a Debian and Red Hat 9 system built from scratch using the same Samba source. We were going to build on Solaris 9 in an attempt to narrow the problem when I received your reply.

Again, what can we do to support Samba and help hunt this down?

john
[Samba] RE: Secondary Groups and Group Mapping
Okay, we have the net groupmap command running without errors. We had to add the unixgroup/gid to both the /etc/group file and samba's openldap before groupmap would work without errors. I suspect that we could remove the dependence on /etc/group by modifying nsswitch.conf to add ldap for group resolution [currently just files winbind for passwd and group]. We'll be looking at that today.

However, after I established the groupmap, it still doesn't work as I expected. Using the example from my earlier post, if I log into Solaris with user1 that has LOTR+fairfolk as his primary group in AD, I thought Samba would translate that to the unix group elves. What we are seeing is that if I log into Unix as this user and create a file, the group for that file is LOTR+fairfolk. An id -a lists LOTR+fairfolk in his groups, but not elves. Furthermore, if I create another file owned by user2:elves, I expected user1 to be able to access this due to the mapping. He can't; again it appears that Unix only sees him as belonging to LOTR+fairfolk.

I've reread the documentation, and it appears my understanding of groupmap is correct. What am I missing here? What is groupmap supposed to do?

We've downloaded 3.0.1 with hopes it helps resolve these issues. We still have the above groupmap issues. We haven't tried the secondary group access yet.

john

-----Original Message-----
From: Klinger, John (N-CSC)
Sent: Monday, December 15, 2003 4:59 PM
To: '[EMAIL PROTECTED]'
Subject: Secondary Groups and Group Mapping

We are having what appears to be two main issues in our attempt to setup Samba 3.0.0 compiled from src on Solaris 8. We are using Samba to provide Unix shares on W2K clients, and to authenticate against a W2K Active Directory server. OpenLDAP is used on the Samba side for the UID/GID to SID mappings.

The first issue deals with the file sharing. Even if a file gives full permission to one of a user's secondary groups, that user cannot access the file. The user can only access the file (or directory) if the file's group is the user's primary group. I've found several references on the web and in https://bugzilla.samba.org, which seem to indicate that the bug is fixed. However, we also tried this with 3.0.1rc2 and have the same problem; which makes us think it is a configuration error or something we haven't found related to nsswitch.

The second issue deals with groupmap. Again, searches haven't turned up anything fruitful. When we execute commands similar to the following:

groupadd elves
net groupmap add ntuser=LOTR+fairfolk username=elves

We always get the following error:

No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!
[Samba] Secondary Groups and Group Mapping
We are having what appears to be two main issues in our attempt to setup Samba 3.0.0 compiled from src on Solaris 8. We are using Samba to provide Unix shares on W2K clients, and to authenticate against a W2K Active Directory server. OpenLDAP is used on the Samba side for the UID/GID to SID mappings.

The first issue deals with the file sharing. Even if a file gives full permission to one of a user's secondary groups, that user cannot access the file. The user can only access the file (or directory) if the file's group is the user's primary group. I've found several references on the web and in https://bugzilla.samba.org, which seem to indicate that the bug is fixed. However, we also tried this with 3.0.1rc2 and have the same problem; which makes us think it is a configuration error or something we haven't found related to nsswitch.

The second issue deals with groupmap. Again, searches haven't turned up anything fruitful. When we execute commands similar to the following:

groupadd elves
net groupmap add ntuser=LOTR+fairfolk username=elves

We always get the following error:

No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!

Output from the above groupmap command with debug level of 3 gives:

param/loadparm.c:lp_load(3917) lp_load: refreshing parameters
param/loadparm.c:init_globals(1303) Initialising global parameters
param/params.c:pm_process(566) params.c:pm_process() - Processing configuration file /h/SMBSVR/cfg/smb.conf
param/loadparm.c:do_section(3420) Processing section [global]
lib/interface.c:add_interface(79) added interface ip=172.31.4.133 bcast=172.31.4.143 nmask=255.255.255.240
passdb/pdb_ldap.c:ldapsam_search_one_group(1597) ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]
lib/smbldap.c:smbldap_open_connection(623) smbldap_open_connection: connection opened
lib/smbldap.c:smbldap_connect_system(785) ldap_connect_system: succesful connection to the LDAP server
passdb/pdb_ldap.c:ldapsam_search_one_group(1597) ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597) ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))]

(the above 4 lines repeat 10 more times)

passdb/pdb_ldap.c:ldapsam_search_one_group(1597) ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=4294967295))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597) ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=201))]
passdb/pdb_ldap.c:ldapsam_search_one_group(1597) ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=201))]
utils/net.c:main(758) return code = -1
No rid or sid specified, choosing algorithmic mapping
adding entry for group LOTR+fairfolk failed!

Other tidbits:

Using the previous example, getent group LOTR+fairfolk returns a group id of 11959. getent group elves returns a group id of 201.

/usr/bin/id -a LOTR+sampleuser gives correct user and full group list.

getent passwd LOTR+sampleuser and getent group | grep sampleuser give user info and all groups.

/etc/group contains the elves group with a group id of 201.

net groupmap list returns nothing (debug 2 shows ldapsam_setsampwent: 0 entries in the base!).

Samba compilation performed using the flags:
--with-ads --with-ldap --with-included-popt --with-winbind --with-winbind-auth-challenge --with-pam --with-ldapsam --with-acl-support

smb.conf contains:

ldap admin dn = cn=smbldapuser,ou=user,dc=lan,dc=subd,dc=dom,dc=com
ldap server = globalsvr.lan.subd.dom.com
ldap port = 8001
ldap suffix = ou=idmap,dc=lan,dc=subd,dc=dom,dc=com
ldap ssl = no
ldap filter = (&(uid=%u)(objectclass=sambaAccount))
winbind separator = +
idmap backend = ldap:ldap://globalsvr.lan.subd.dom.com:8001
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /USERS/global/%U
template shell = /bin/ksh
workgroup = LOTR
server string = smbdev
security = ads
encrypt passwords = yes
password server = activedsvr.lan.subd.dom.com
client use spnego = yes
log file = /SMBSVR/var/log.%m
max log size = 5000
realm = LOTR.REF.DOMAIN.COM
socket options = TCP_NODELAY
socket options = TCP_NODELAY
local master = no
dns proxy = yes
inherit permissions = no
create mask = 0774
force create mode =
security mask = 0774
force security mode =
directory mask = 0775
force directory mode =
directory security mask = 0775
force directory security mode =

[homes]
comment = Home Directories
path = /users/%S
browseable = no
writable = yes
only user = yes

[global_data]
comment = Global Data share
browseable = yes
path = /globaldata
read only = no
public = yes

ldap.conf contains:
host activedsvr.lan.subd.dom.com
base