Hi folks,

I'm using Samba 3beta running on RH 8.0 and I'd like to authenticate against a Microsoft AD. This all works very well, except that not all AD users are mapped to my Unixbox!

When starting getent passwd, my UnixBox shows just my user from passwd and some of the AD users - not all!! Looking through my users with the command wbinfo -u, all AD users are shown correctly!

Anybody knowing any workaround?

Attached I'm sending my setups.

Sascha

my smb.conf:

[global]
workgroup = ***
realm = *****
ADS server = DE4A068C.ffm.sbs.de
server string = Samba ADS
security = ADS
password server = *****
#passdb backend = smbpasswd
algorithmic rid base = 100000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
log file = /usr/local/samba/var/%m.log
log level = 10
max log size = 100000
domain logons = yes
ldap ssl = no
idmap uid = 1000-200000
idmap gid = 1000-200000
template shell = /bin/false
template homedir = /home/%D/%U
winbind cache time = 1
#'winbind gid = 20001 - 30000
#winbind uid = 20001 - 30000
winbind separator =*
winbind enum groups = yes
winbind enum users = yes
unix password sync = Yes

extract from winbindd.log when trying getent passwd - user Sascha is shown but mapping of Hugo fails!
[2003/06/26 14:04:39, 1] nsswitch/winbindd_user.c:winbindd_getpwent(511)
  could not lookup domain user hugo
[2003/06/26 14:04:39, 10] sam/idmap_util.c:sid_to_uid(219)
  sid_to_uid: sid = [S-1-5-21-484763869-1563985344-1343024091-1313]
[2003/06/26 14:04:39, 10] sam/idmap_util.c:sid_to_uid(245)
  sid_to_uid: Fall back to algorithmic mapping
[2003/06/26 14:04:39, 3] sam/idmap_util.c:sid_to_uid(248)
  sid_to_uid: SID S-1-5-21-484763869-1563985344-1343024091-1313 is *NOT* a user
[2003/06/26 14:04:39, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(46)
  error getting user id for sid S-1-5-21-484763869-1563985344-1343024091-1313
[2003/06/26 14:04:39, 1] nsswitch/winbindd_user.c:winbindd_getpwent(511)
  could not lookup domain user sascha
[2003/06/26 14:04:39, 10] sam/idmap_util.c:sid_to_uid(219)
  sid_to_uid: sid = [S-1-5-21-484763869-1563985344-1343024091-1337]
[2003/06/26 14:04:39, 10] sam/idmap_util.c:sid_to_uid(231)
  sid_to_uid: uid = [10006]
[2003/06/26 14:04:39, 10] sam/idmap_util.c:sid_to_gid(277)
  sid_to_gid: sid = [S-1-5-21-484763869-1563985344-1343024091-513]
[2003/06/26 14:04:39, 10] sam/idmap_util.c:sid_to_gid(289)
  sid_to_gid: gid = [30000]
On Fri, 2003-06-27 at 16:56, Student2 SIM wrote:
> Hi folks,
>
> I'm using Samba 3beta running on RH 8.0 and I'd like to authenticate against a Microsoft AD. This all works very well, except that not all AD users are mapped to my Unixbox!
>
> When starting getent passwd, my UnixBox shows just my user from passwd and some of the AD users - not all!! Looking through my users with the command wbinfo -u, all AD users are shown correctly!
>
> Anybody knowing any workaround?
>
> Attached I'm sending my setups.
>
> Sascha
>
> my smb.conf:
>
> [global]
> workgroup = ***
> realm = *****
> ADS server = DE4A068C.ffm.sbs.de
> server string = Samba ADS
> security = ADS
> password server = *****
> #passdb backend = smbpasswd
> algorithmic rid base = 100000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> encrypt passwords = yes
> log file = /usr/local/samba/var/%m.log
> log level = 10
> max log size = 100000
> domain logons = yes

By setting 'security=ads' and 'domain logons = yes' you have hit the magic combination for the secret 'Samba as an active directory server' mode. Unfortunately for you, you both didn't intend to be an Active Directory PDC, and we don't support it (it's just at the experimental hack stage).

Turn off domain logons, and it should be fine.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
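A check for the combination Andrew describes, added here as an example that is not part of the thread or of Samba's own code: it scans the [global] section of an smb.conf for "security = ads" set together with "domain logons = yes", honouring Samba's case- and whitespace-insensitive parameter names, comments and section scoping. It assumes POSIX sh with awk and takes the smb.conf path as its only argument.

```shell
# Added example, not code from the thread or from Samba: a shell check for the
# smb.conf combination Andrew describes, "security = ads" together with
# "domain logons = yes" in [global]. Assumes POSIX sh plus awk; the only
# argument is the path of the smb.conf to inspect.
check_smbconf() {
    awk '
    # Strip comments (# or ;), trim, lower-case; Samba is case-insensitive.
    function norm(s) {
        sub(/[#;].*/, "", s)
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        return tolower(s)
    }
    {
        line = norm($0)
        if (line == "") next
        # Track sections; only [global] matters for these two parameters.
        if (line ~ /^\[/) { inglobal = (line == "[global]"); next }
        if (!inglobal) next
        n = index(line, "=")
        if (n == 0) next
        key = substr(line, 1, n - 1); val = substr(line, n + 1)
        # Samba ignores whitespace inside parameter names.
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "security" && val == "ads") ads = 1
        if (key == "domainlogons" && (val == "yes" || val == "true" || val == "1")) logons = 1
    }
    # Exit status 1 = the unsupported AD-DC combination is present.
    END { if (ads && logons) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample mirroring the poster's [global] section, secrets masked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ADS
   domain logons = yes
   winbind enum users = yes
EOF
if check_smbconf "$sample"; then
    echo "smb.conf: ok"
else
    echo "smb.conf: security = ads with domain logons = yes; set domain logons = no"
fi
rm -f "$sample"
```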
>> It's [Samba ADC replacement for X2k] the kind of thing a lot of people are
>> trying to pull off, but very few of them are working together :-)

If I knew who they were, I'm totally willing to collaborate to reach a goal. It's kinda the only way to get something big done.

>> What particular features of AD do you need? How much effort are you willing
>> to put in to achieve these features?

It's hard to encapsulate... our org has been running it almost since it hit the market and I've just been looking more and more at alternatives (MS looks scarier to me every day). But the only way I can sell it to management is if the road taken is still interoperable with *everything* currently in place. One big thing would be to still be able to use ADSI to get/set info from the workstations and member servers. Some of the applications we have developed over the years leverage ADSI pretty heavily and if a SAMBA backend still "talks the talk" from that standpoint, that's a good thing.

>> It's not much action - if you go to www.samba-tng.org you can browse the
>> mailing-list archives.

I will take a look to see what's going on. I'm far from a great programmer, but maybe I can help in some way.

>> I would love to see what Exchange (and I don't think you can run 2000, only
>> 5.5) requires of its DC.

AFAIK, Exchange 5.5's demands on a DC are pretty light, seeing as how NT4 domains are all you need, and not even much of that. It's because 5.5 is its own directory store, whereas X2k extends the AD schema and uses that, sharing exchange info amongst the DCs. But you know all this stuff, I'm sure.

>> The usual solution for Exchange 2000 is running it on its own PDC, and
>> trusting Samba.

Yeah, that's what I'm figuring out. It's somewhat acceptable for now, but I'd like to see even less dependence on MS for anything other than Exchange. Truly long run, I'd love to use another mail server, but I haven't found one that does all the things my users need like Exchange does. Personally, if there's one thing MS does pretty well, that's it.

Thanks for the input, Andrew. I will check out TNG.

> Andrew, your dedication to this project is obvious given the number of
> questions you answer here. It is appreciated. Samba has come a very
> long way since I was first introduced to it back in '98, and it is
> thanks to the efforts of individuals just like you.
>
> VR
> J

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net