Matthews, John
2002-Feb-26 10:32 UTC
[Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)
Thank you for your reply. Below are the entries for winbind I have in my smb.conf. Do you see any problems with them?

    # separate domain and username with '+', like DOMAIN+username
    winbind separator = +
    # use uids from 10000 to 20000 for domain users
    winbind uid = 10000-20000
    # use gids from 10000 to 20000 for domain groups
    winbind gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    # give winbind users a real shell (only needed if they have telnet access)
    template shell = /bin/bash
    template homedir = /home/%U

In addition this is what I currently have for my pam.d/samba file:

    auth sufficient /lib/security/pam_winbind.so
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_stack.so service=system-auth use_first_pass
    account required /lib/security/pam_stack.so service=system-auth

Would you mind recommending what other courses of action I should pursue?

Thanks in advance,
John Matthews

-----Original Message-----
From: Ariel Mella [mailto:samba@nebula-sa.com.ar]
Sent: Tuesday, February 26, 2002 12:47 PM
To: Matthews, John; samba@lists.samba.org
Subject: Re: [Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)

Matthews:

In your smb.conf you have to put somewhere what uids winbind can take.

    [global]
    winbind uid = 10000-20000
    winbind gid = 10000-20000

This maps each AD or PDC account to a valid unix id. This means that the user "fred" you are mentioning already has a uid in the linux+winbind box. But if you already have a "fred" account in the linux box and a "fred" account in the AD or PDC and winbind is running, the result is a unix account and an AD or PDC account that are equal in name ("fred") but different in uid. I think that this is your problem.

> Hello,
>
> I'm experiencing a frustrating problem configuring winbind and Samba
> 2.2.3a on a Red Hat Linux 7.2 server. I would appreciate ANY help and/or
> advice. I have read the documentation which comes with the samba source,
> but I'm still having problems. I can successfully see the Windows
> Users/Groups through Linux, using "wbinfo -u", "wbinfo -g", "getent passwd",
> and "getent group". I think my problem might be related to the pam.d/samba
> file, but I'm not sure how to fix it.
>
> Configuration: Red Hat Linux 7.2, Samba 2.2.3a with winbind. Primary
> Domain Controller is a Windows 2000 machine.
>
> Here's my problem:
>
> A user "fred" logs into his Windows 2000 PC, and attempts to access
> through Samba his /home/fred directory.
>
> 1. If "fred" is a normal linux user, and has an entry in
> /etc/passwd AND winbind is loaded then I receive an error "The network name
> cannot be found.". Samba seems able to determine that "fred" is a linux
> user and shows the corresponding [homes] directory, I'm just not able to
> access the home directory. I was thinking that this might be related to the
> UID's being different between the linux account of "fred" and the winbind
> account "domain+fred".
>
> 2. If "fred" does the same thing as above, but this time
> winbind isn't loaded (I need to restart smb after killing the winbind
> process) then everything works as I want. The problem is that now with
> winbind not loaded, Windows Users who don't have a Linux account are unable
> to access most of the Linux shares.
>
> I'm hoping there's a way to fix this. Ideally I'd like to allow
> everyone to access the Samba share on the linux server, if a user has a
> linux account then in addition I'd like their linux home directory to be
> displayed as well.
>
> Thanks in advance for help,
> John Matthews
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
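The collision described in the message above (a local "fred" and a winbind "DOMAIN+fred" with different uids, both pointed at /home/fred by `template homedir = /home/%U`) can be audited across all accounts. This is an added example, not part of the original thread: it reads passwd-format text such as `getent passwd` output, the sample data is constructed, the function names are hypothetical, and matching names case-insensitively is an assumption.

```python
"""Audit passwd entries for local accounts shadowed by winbind domain accounts."""
from collections import namedtuple

Entry = namedtuple("Entry", "name uid gid home")
Finding = namedtuple("Finding", "short_name local domain same_home")

# Values taken from the smb.conf posted in the thread.
WINBIND_SEPARATOR = "+"
WINBIND_UID_RANGE = (10000, 20000)

# Constructed sample of `getent passwd` output (not real data): plain names are
# local /etc/passwd accounts, DOMAIN+ names are what winbind would add.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
fred:x:501:501:Fred:/home/fred:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
carol:x:10050:100:Carol:/home/carol:/bin/bash
DOMAIN+fred:*:10003:10000::/home/fred:/bin/bash
DOMAIN+Alice:*:10005:10000::/home/Alice:/bin/bash
DOMAIN+bob:*:10004:10000::/home/bob:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5)-format lines; skip blanks, comments and malformed rows."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # non-numeric uid/gid: not a usable entry
        entries.append(Entry(fields[0], uid, gid, fields[5]))
    return entries


def is_domain_account(entry, sep=WINBIND_SEPARATOR):
    """True for names of the form DOMAIN<sep>user with both parts non-empty."""
    domain, found, user = entry.name.partition(sep)
    return bool(found and domain and user)


def find_shadowed(entries, sep=WINBIND_SEPARATOR):
    """Return local accounts that share a short name with a domain account
    but have a different uid, so files owned by one are foreign to the other."""
    local = {e.name.lower(): e for e in entries if not is_domain_account(e, sep)}
    findings = []
    for e in entries:
        if not is_domain_account(e, sep):
            continue
        short = e.name.partition(sep)[2].lower()
        match = local.get(short)
        if match is not None and match.uid != e.uid:
            findings.append(Finding(short, match, e, match.home == e.home))
    return findings


def local_uids_in_winbind_range(entries, uid_range=WINBIND_UID_RANGE,
                                sep=WINBIND_SEPARATOR):
    """Local accounts whose uid sits inside the range reserved for winbind;
    winbind may later hand the same uid to a domain user."""
    low, high = uid_range
    return [e for e in entries
            if not is_domain_account(e, sep) and low <= e.uid <= high]


def report(text):
    """Build human-readable audit lines for one passwd listing."""
    entries = parse_passwd(text)
    lines = []
    for f in find_shadowed(entries):
        note = "same home directory" if f.same_home else "different home directory"
        lines.append("%s: local uid %d vs %s uid %d (%s)" % (
            f.short_name, f.local.uid, f.domain.name, f.domain.uid, note))
    for e in local_uids_in_winbind_range(entries):
        lines.append("%s: local uid %d is inside the winbind range %d-%d" % (
            (e.name, e.uid) + WINBIND_UID_RANGE))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GETENT):
        print(line)
```

A finding with the same home directory is the case from the thread: the directory is owned by the local uid, so the domain identity mapped to a different uid is denied access to it.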
Noel Kelly
2002-Feb-26 11:40 UTC
[Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)
John,

Just a quick idea - is this not a permissions thing? Surely the owner of /home/fred should be domain+fred - try a 'chown domain+fred.domain+fred /etc/home/fred' and see if that helps. With winbind running the network user will be domain+fred and the right permissions are in place.

Noel
Matthews, John
2002-Feb-26 12:15 UTC
[Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)
Hi Noel,

Sorry I didn't explain my problem better. The user "fred" is a linux user, who does most of their work in linux. I'd like to have their /home/fred directory available for browsing when they are working in windows, which happens once in a while. My understanding of winbind is pretty shaky, but I was under the impression that when "fred" is logged onto windows and accesses their home directory through SAMBA, winbind would kick in and name them "domain+fred" and then assign them a different UID than the user "fred" normally has. I'd like to avoid changing the owner of /home/fred to "domain+fred", because then I would prohibit "fred" from working in their normal linux environment. Ideally I'd like some way to tell winbind to not do anything if an entry for that user name exists in passwd.

Maybe I'm going in the wrong direction in using winbind. Would it be possible to set up Samba so that it would authenticate already existing entries in the passwd file with the user's NT password, and then map all users without passwd entries to a generic user account with read only permission? I was looking for a way to allow users with a linux account to keep two separate passwords, a linux password and windows password. Then when the user is in windows they could access their files through Samba using the windows password.

Thank you for taking the time to answer,
John
Noel Kelly
2002-Feb-27 08:40 UTC
[Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)
John,

Maybe I am still off your track here, but I think what you need is the PAM module for Samba. This allows you to use winbind for authentication to both the local machine and via the network. Have a look at Chapter 3 in the Samba Proj Doc.

Noel
Matthews, John
2002-Feb-27 10:23 UTC
[Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)
I think your suggestion makes a lot of sense. I'm just not sure how to set PAM up correctly for Red Hat 7.2. I got confused with the "auth required /lib/security/pam_stack.so service=system-auth". I don't know where I should modify the /etc/pam.d/samba file. I attempted adding "auth sufficient /lib/security/pam_winbind.so", but it doesn't appear to be working. I'm also not sure if I should modify the /etc/pam.d/system-auth file, because it says it's an automatically generated file which is subject to change.

Would you mind pointing me in the right direction of finding the "Samba Proj Doc."? This is the first time I've heard of it. I've been referring to the little documentation that comes with the samba-2.2.3a.tar.gz in regard to winbind.

Thanks again,
John
Noel Kelly
2002-Feb-27 15:30 UTC
[Samba] winbind problem with existing linux user accounts. (S amba 2.2.3a)
John, Have a look at the PAM section in here: http://ie.samba.org/samba/docs/Samba-HOWTO-Collection.pdf -----Original Message----- From: Matthews, John [mailto:JMatthews@LIO.AACISD.com] Sent: 27 February 2002 18:20 To: 'Noel Kelly' Cc: samba@lists.samba.org Subject: RE: [Samba] winbind problem with existing linux user accounts. (S amba 2.2.3a) I think your suggestion makes a lot of sense. I'm just not sure how to set PAM up correctly for Red Hat 7.2. I got confused with the "auth required /lib/security/pam_stack.so service=system-auth". I don't know where I should modify the /etc/pam.d/samba file. I attempted adding "auth sufficient /lib/security/pam_winbind.so", but it doesn't appear to be working. I'm also not sure if I should modify the /etc/pam.d/system-auth file, because it says it's an automatically generated file which is subject to change. Would you mind point me in the right direction of finding the "Samba Proj Doc."? This is the first time I've heard of it. I've been referring to the little documentation that comes with the samba-2.2.3a.tar.gz in regard to winbind. Thanks again, John -----Original Message----- From: Noel Kelly [mailto:nkelly@tarsus.co.uk] Sent: Wednesday, February 27, 2002 11:33 AM To: 'Matthews, John'; Noel Kelly Cc: 'samba@lists.samba.org' Subject: RE: [Samba] winbind problem with existing linux user accounts. (S amba 2.2.3a) John, Maybe I am still off your track here, but I think what you need is the PAM module for Samba. This allows you to use winbind for authentication to both the local machine and via the network. Have a look at Chapter 3 in the Samba Proj Doc. Noel -----Original Message----- From: Matthews, John [mailto:JMatthews@LIO.AACISD.com] Sent: 26 February 2002 20:15 To: 'Noel Kelly' Cc: 'samba@lists.samba.org' Subject: RE: [Samba] winbind problem with existing linux user accounts. (S amba 2.2.3a) Hi Noel, Sorry I didn't explain my problem better. The user "fred" is a linux user, who does most of their work in linux. 
I'd like to have their /home/fred directory available for browsing when they are working in windows, which happens once in a while. My understanding of winbind is pretty shaky, but I was under the impression that when "fred" is logged onto windows and accesses their home directory through SAMBA, winbind would kick in and name them "domain+fred" and then assign them a different UID than the user "fred" normally has. I'd like to avoid changing the owner of /home/fred to "domain+fred", because then I would prohibit "fred" from working in their normal linux environment. Ideally I'd like some way to tell winbind to not do anything if an entry for that user name exists in passwd. Maybe I'm going in the wrong direction in using winbind. Would it be possible to set up Samba so that it would authenticate already existing entries in the passwd file with the user's NT password, and then map all users without passwd entries to a generic user account with read only permission? I was looking for a way to allow users with a linux account to keep two separate passwords, a linux password and windows password. Then when the user is in windows they could access their files through Samba using the windows password. Thank you for taking the time to answer, John -----Original Message----- From: Noel Kelly [mailto:nkelly@tarsus.co.uk] Sent: Tuesday, February 26, 2002 2:33 PM To: 'Matthews, John'; 'Ariel Mella' Cc: samba@lists.samba.org Subject: RE: [Samba] winbind problem with existing linux user accounts. (S amba 2.2.3a) John, Just a quick idea - is this not a permissions thing ? Surely the owner of /home/fred should be domain+fred - try a 'chown domain+fred.domain+fred /etc/home/fred' and see if that helps. With winbind running the network user will be domain+fred and the right permissions are in place. 

Noel

-----Original Message-----
From: Matthews, John [mailto:JMatthews@LIO.AACISD.com]
Sent: 26 February 2002 18:32
To: 'Ariel Mella'
Cc: samba@lists.samba.org
Subject: RE: [Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)

Thank you for your reply. Below are the entries for winbind I have in my smb.conf. Do you see any problems with them?

    # separate domain and username with '+', like DOMAIN+username
    winbind separator = +
    # use uids from 10000 to 20000 for domain users
    winbind uid = 10000-20000
    # user gids from 10000 to 20000 for domain groups
    winbind gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    # give winbind users a real shell (only needed if they have telnet access)
    template shell = /bin/bash
    template homedir = /home/%U

In addition this is what I currently have for my pam.d/samba file:

    auth sufficient /lib/security/pam_winbind.so
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_stack.so service=system-auth use_first_pass
    account required /lib/security/pam_stack.so service=system-auth

Would you mind recommending what other courses of action I should pursue?

Thanks in advance,
John Matthews

-----Original Message-----
From: Ariel Mella [mailto:samba@nebula-sa.com.ar]
Sent: Tuesday, February 26, 2002 12:47 PM
To: Matthews, John; samba@lists.samba.org
Subject: Re: [Samba] winbind problem with existing linux user accounts. (Samba 2.2.3a)

Matthews:

In your smb.conf you have to put somewhere what uids winbind can take off.

    [global]
    winbind uid = 10000-20000
    winbind gid = 10000-20000

This maps each AD or PDC account to a valid unix id. This means that the user "fred" you are mentioning already has a uid in the linux+winbind box.
But if you already have a "fred" account in the linux box and a "fred" account in the AD or PDC and winbind is running, the result is a unix account and an AD or PDC account that are equal in name "fred" but different in uid. I think that this is your problem.

> Hello,
>
> I'm experiencing a frustrating problem configuring winbind and Samba
> 2.2.3a on a Red Hat Linux 7.2 server. I would appreciate ANY help and/or
> advice. I have read the documentation which comes with the samba source,
> but I'm still having problems. I can successfully see the Windows
> Users/Groups through Linux, using "wbinfo -u", "wbinfo -g", "getent passwd",
> and "getent group". I think my problem might be related to the pam.d/samba
> file, but I'm not sure how to fix it.
>
> Configuration: Red Hat Linux 7.2, Samba 2.2.3a with winbind. Primary
> Domain Controller is a Windows 2000 machine.
> Here's my problem:
>
> A user "fred" logs into his Windows 2000 PC, and attempts to access
> through Samba his /home/fred directory.
> 1. If "fred" is a normal linux user, and has an entry in
> /etc/passwd AND winbind is loaded then I receive an error "The network name
> cannot be found.". Samba seems able to determine that "fred" is a linux
> user and shows the corresponding [homes] directory, I'm just not able to
> access the home directory. I was thinking that this might be related to the
> UID's being different between the linux account of "fred" and the winbind
> account "domain+fred".
> 2. If "fred" does the same thing as above, but this time
> winbind isn't loaded (I need to restart smb after killing the winbind
> process) then everything works as I want. The problem is that now with
> winbind not loaded, Windows Users who don't have a Linux account are unable
> to access most of the Linux shares.
>
> I'm hoping there's a way to fix this.
> Ideally I'd like to allow
> everyone to access the Samba share on the linux server, if a user has a
> linux account then in addition I'd like their linux home directory to be
> displayed as well.
>
> Thanks in advance for help,
> John Matthews
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
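
The name collision discussed in this thread (a local "fred" and a winbind "DOMAIN+fred" with different UIDs), as an added audit script that is not part of the original messages or of Samba. It assumes the '+' separator and the 10000-20000 uid range quoted above; the domain name DOMAIN and all sample passwd entries are constructed for illustration.

```python
"""Flag winbind accounts whose short name collides with a local account."""

WINBIND_SEPARATOR = "+"                   # 'winbind separator = +' from the thread
WINBIND_UID_RANGE = range(10000, 20001)   # 'winbind uid = 10000-20000' from the thread

# Constructed sample in `getent passwd` format (not output from the poster's server).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fred:x:501:501:Fred:/home/fred:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
DOMAIN+fred:x:10003:10001:Fred:/home/fred:/bin/bash
DOMAIN+bob:x:10004:10001:Bob:/home/bob:/bin/bash
broken-line-without-fields
"""


def parse_passwd(text):
    """Yield (name, uid, home) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank or malformed entries
        yield fields[0], int(fields[2]), fields[5]


def find_collisions(text, sep=WINBIND_SEPARATOR, uid_range=WINBIND_UID_RANGE):
    """Return domain accounts that share a short name with a local account."""
    local, domain = {}, []
    for name, uid, home in parse_passwd(text):
        if sep in name and uid in uid_range:
            domain.append((name, uid, home))
        else:
            local[name] = (uid, home)
    collisions = []
    for name, uid, home in domain:
        short = name.split(sep, 1)[1]
        if short in local and local[short][0] != uid:
            collisions.append({
                "local": short, "local_uid": local[short][0],
                "domain": name, "domain_uid": uid,
                # Same path, different owner uid: the access failure described above.
                "same_home": local[short][1] == home,
            })
    return collisions


if __name__ == "__main__":
    for c in find_collisions(SAMPLE_PASSWD):
        print("{local} (uid {local_uid}) vs {domain} (uid {domain_uid}), "
              "same home dir: {same_home}".format(**c))
```

On a live server the same function can be fed the text of `getent passwd`, which lists winbind users when "winbind enum users = yes" is set as in the smb.conf above.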