Hi,
I've got some problems with winbind and ADS Domain Membership stuff.
I've joined the domain without problems with "kinit admin@MY.DOMAIN" and
"net ads join"; I can see the machine account in AD with ldapbrowser.
Klist gives me three tickets, as said in the documentation, OK.
I created the idmap entry in my openldap (with samba3 schema), OK.
I've set the ldap admin password in the secrets.tdb, OK (ldap idmap).
Starting service smb3, OK.
Starting service winbind3, OK.
wbinfo -u and wbinfo -g give me the list of users and groups correctly,
wbinfo -a user%password works fine, OK.
BUT
When I try a "getent passwd" or "getent group", I don't have the Windows
users. I can't see or connect to the shares on the Linux box with Windows
File Explorer (it prompts me for a user/password). It works fine with samba 2.2.7a.
I've installed the samba3 Mandrake package, which suffixes all libs and
executables with the samba version's number (e.g. for libnss_winbind.so ->
libnss_winbind3.so, smbpasswd -> smbpasswd3).
What's the problem? Where is my error? Can the mdk version suffixing
be the source of the problem?
Thanks for any help
Regards,
Thomas.
My config
Mandrake 9.1 , krb5-1.2.7, samba3-3.0.1-0.pre1
/etc/krb5.conf
[libdefaults]
default_realm = MY.DOMAIN
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[realms]
MY.DOMAIN = {
kdc = ads.my.domain
}
/etc/samba3/smb.conf
[global]
workgroup = DOMAIN
netbios name = 509-smb3
server string = Samba Server %v
printcap name = cups
load printers = yes
printing = cups
printer admin = @"Domain Admins"
log file = /var/log/samba3/log.%m
max log size = 100
log level = 10
security = ADS
realm = MY.DOMAIN
password server = ads.my.domain
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/profiles/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap backend = ldap:ldap://openldap.my.domain
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap admin dn = cn=manager,dc=my,dc=domain
ldap ssl = start_tls
ldap suffix = dc=my,dc=domain
ldap idmap suffix = ou=Idmap
dns proxy = yes
dos charset = 850
unix charset = ISO8859-1
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba3
browseable = no
guest ok = yes
writable = no
printable = yes
create mode = 0700
print command = lpr-cups -P %p -o raw %s -r
[print$]
path = /var/lib/samba3/printers
browseable = yes
read only = yes
write list = @adm root
guest ok = yes
/etc/nsswitch.conf
....
passwd: files winbind3 ldap
shadow: files ldap
group: files winbind3 ldap
....
> When i try a "getent passwd" or "getent group", i don't have the windows
> users. I can't see or connect to the shares on the linux box with windows

Try this, then restart winbind and check getent again:

ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 && ldconfig

> obey pam restrictions = yes

Change this to no.

> passwd: files winbind3 ldap
> shadow: files ldap
> group: files winbind3 ldap

Change winbind3 to winbind for passwd & group.

Ron L. Smith
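Both of Ron's fixes (the .so.2 symlink and renaming winbind3 to winbind in nsswitch.conf) act on the same mechanism: for each service named on an nsswitch.conf line, glibc dlopen()s libnss_<service>.so.2, so the suffixed Mandrake layout gives it nothing to load under either name. The script below is an added example, not code from the thread or from the Samba or Mandrake packages; it checks an nsswitch.conf against a library directory, and the scratch paths and file names in demo_mandrake_suffix are assumed for illustration rather than taken from a real install.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba/Mandrake packages.
# glibc resolves an nsswitch.conf service "foo" by dlopen()ing libnss_foo.so.2,
# so a package that installs libnss_winbind3.so and writes "winbind3" into
# nsswitch.conf leaves glibc nothing to load under either name. These helpers
# check a given nsswitch.conf against a given library directory; the paths and
# file names in demo_mandrake_suffix are assumed for illustration.

# Print the service names configured for one database (e.g. "passwd").
# Bracketed actions such as [NOTFOUND=return] are not services and are dropped.
nss_services() {
    db="$1"; conf="$2"
    sed -n "s/^[[:space:]]*${db}:[[:space:]]*//p" "$conf" \
        | tr -s '[:space:]' '\n' | grep -v '^\[' | grep -v '^$' || true
}

# Return 0 when libnss_<svc>.so.2 exists in $libdir for every configured
# service, otherwise print each missing module path and return 1.
nss_modules_present() {
    db="$1"; conf="$2"; libdir="$3"
    missing=0
    for svc in $(nss_services "$db" "$conf"); do
        mod="$libdir/libnss_${svc}.so.2"
        if [ ! -e "$mod" ]; then
            echo "missing NSS module for '$svc': $mod"
            missing=1
        fi
    done
    return $missing
}

# Rebuild the suffixed layout from the thread in a scratch directory and run the
# check before and after the symlink plus nsswitch.conf change. Prints one line
# "before=<ok|broken> after=<ok|broken>".
demo_mandrake_suffix() {
    tmp=$(mktemp -d)
    lib="$tmp/lib"; mkdir -p "$lib"
    : > "$lib/libnss_files.so.2"
    : > "$lib/libnss_ldap.so.2"
    : > "$lib/libnss_winbind3.so"      # suffixed package name, no .so.2 at all

    # Before: nsswitch.conf as posted, service name carrying the "3" suffix.
    printf 'passwd: files winbind3 ldap\ngroup: files winbind3 ldap\n' > "$tmp/nsswitch.conf"
    if nss_modules_present passwd "$tmp/nsswitch.conf" "$lib"; then before=ok; else before=broken; fi

    # After: plain service name, plus the .so.2 name glibc actually dlopen()s.
    printf 'passwd: files winbind ldap\ngroup: files winbind ldap\n' > "$tmp/nsswitch.conf"
    ln -s "$lib/libnss_winbind3.so" "$lib/libnss_winbind.so.2"
    if nss_modules_present passwd "$tmp/nsswitch.conf" "$lib"; then after=ok; else after=broken; fi

    rm -rf "$tmp"
    echo "before=$before after=$after"
}

demo_mandrake_suffix
```

On a real box, run nss_modules_present passwd /etc/nsswitch.conf /lib (or the lib directory your glibc uses) before and after applying Ron's symlink; once it returns 0, getent passwd should list the winbind users that wbinfo -u already shows.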
Greetings ...

> When i try a "getent passwd" or "getent group", i don't have the windows
> users.

I had the same problem, and found that if I had "winbind trusted domains only = yes" or "domain logons = yes" then "getent passwd" would not work; change them both to "no" and it works fine. I looked at your confs, but did not see these options. Do a "testparm -v -s | less" and see if these are set. I have asked the list if this is by design, but have not got a direct answer.

Lee
> Date: Wed, 5 Nov 2003 21:48:18 +0100
> From: Thomas Sillard <thomas.sillard@free.fr>
> Subject: [Samba] Samba 3.0.1pre1 winbind / getent problems
> To: samba@lists.samba.org
> Message-ID: <200311052148.18113.thomas.sillard@free.fr>
> Content-Type: text/plain; charset="us-ascii"
>
> I've installed the samba3 mandrake package, wich suffixes all libs and
> executables with the samba version's number (eg. for libnss_winbind.so ->
> libnss_winbind3.so, smbpasswd -> smbpasswd3).

Only the default packages. Since you're running on 9.1, you either are running cooker packages on 9.1 (not suggested, since cooker/9.2 have openldap-2.1.x and kerberos 1.3.x) or you rebuilt the SRPM. If you rebuilt the SRPM, you might as well add the '--with system' switch when you build it, and you will get 'samba-3.0.1' packages without suffixes.

> What's the problem ? Where is my error ? Is the mdk version suffixing
> can be the source of the problem ?

I am quite sure I tested this, and that it worked, but that was quite a while ago, and I didn't have much time available to test it then.

If it doesn't work for you, I can introduce alternatives for the winbind files (as we have on 9.2 for the client binaries). Unfortunately I don't have a production AD network to test on, so any feedback on improvements to the Mandrake packages with regard to winbind would be appreciated (and any other aspects, but I have two samba+ldap networks, one currently running 2.2.8a and one running 3.0.1pre1).

Regards,
Buchan

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                     http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7