About item 1, you might want to look into

winbind trusted domains only = yes

to force resolution of domain users & groups to be only the defined users & groups.
I run NIS & I'll migrate to LDAP at some future point.
Regards, Doug
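As an added illustration of item 1 (not part of Doug's or egold's mail): a small POSIX sh audit helper that compares the UID/GID each user gets from the local passwd file with the UID/GID winbind hands out, so you can see which users would change identity before touching thousands of files. The sample entries are constructed, the domain prefix EGO\ is assumed from "workgroup = ego", and the function name is hypothetical.

```shell
#!/bin/sh
# Hypothetical audit helper, not from the thread. Both inputs are passwd(5)
# format lines; the second side may carry a DOMAIN\ prefix on the name.

# Constructed sample: two of the 20 local accounts, groups 100=sap, 101=dataentry.
LOCAL_PASSWD='jsmith:x:1001:100:John Smith:/export/jsmith:/bin/sh
mjones:x:1002:101:Mary Jones:/export/mjones:/bin/sh'

# Constructed sample: what getent/wbinfo return once winbind allocates ids from
# the 10000-20000 ranges in the smb.conf above; 10000 is "domain users".
WINBIND_PASSWD='EGO\jsmith:x:10000:10000:John Smith:/export/jsmith:/bin/bash
EGO\mjones:x:10001:10000:Mary Jones:/export/mjones:/bin/bash'

# uid_mismatches LOCAL WINBIND
# Prints one line per user whose winbind UID or GID differs from the local one.
# Users with no local entry are ignored: they are not part of the 20 to protect.
uid_mismatches() {
    printf '%s\n' "$1" "---" "$2" | awk -F: '
        $0 == "---" { side = 1; next }            # switch from local to winbind side
        side == 0   { luid[$1] = $3; lgid[$1] = $4; next }
        {
            name = $1
            sub(/^[^\\]*\\/, "", name)            # strip the DOMAIN\ prefix
            if (name in luid && (luid[name] != $3 || lgid[name] != $4))
                printf "%s local=%s:%s winbind=%s:%s\n",
                       name, luid[name], lgid[name], $3, $4
        }'
}

# Stand-alone run against the constructed data; on a real host feed it
# "cat /etc/passwd" and "getent passwd" output instead.
uid_mismatches "$LOCAL_PASSWD" "$WINBIND_PASSWD"
```

After applying Doug's setting, so that EGO\jsmith resolves to the local jsmith account, the same audit should print nothing for those users.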
egold@fsa.com wrote:
>
>I sent this the other day, but did not get any replies, can anyone help?
>
>
>Hi All,
>I have a Sparc Solaris 8 server running Samba 2.2.11 (which I compiled with
>winbind).
>The server has been running for years and has about 20 local users setup
>using local files for openssh and rexec logins, and samba shares.
>They each use samba to map to their home directory and a common shared
>folder.
>They also use rexec and openssh to login on the command line.
>
>4 users are in a special group called "sap" and only those 4 have write
>access to the shared folder, the rest are in a group called "dataentry" and
>only have read access to the shared folder.
>
>I now have a requirement to have the unix server get its passwords for
>these users from our win2000 active directory server.
>I used this guide to try and set this up:
>
>http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
>
>
>I am now able to map to the samba share using winbind, but I have some
>problems:
>
>
>1) When the users login using ssh or rexec, they get the local UID, but
>when they map with samba they get the UID from samba and active directory.
>These do not match and I'm having permission problems. Also when they login
>local, they get their group "sap" or "dataentry" but when they use
>winbind/AD to map they are in a group called "domain users", so the
>permissions are wrong here also. Is there a way to have them keep their
>UIDs and GIDs that I'm now using from local files when I switch to winbind
>and AD? The users have different groups for unix local files and AD.
>If not I have to change the perms on thousands of files.
>
>2) I only want these 20 users to be able to map to the samba share, but it
>seems that anyone in the windows active directory can now map to this
>share. How do I only allow the 20 users to map?
>
>3) I am trying to setup logins with rexec and openssh to use winbind and
>active directory, but it's not working for me. I think my pam.conf is setup
>wrong. How can I fix this? Do I need to delete their entries from the local
>passwd, shadow and group files when I switch to AD?
>
>Thank you in advance gurus!
>
>Here is my pam.conf and my smb.conf:
>
>root@egotest1:/export# cat /etc/pam.conf
>#
># ident "@(#)pam.conf 1.19 03/01/10 SMI"
>#
># Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
># Use is subject to license terms.
>#
># PAM configuration
>#
># Unless explicitly defined, all services use the modules
># defined in the "other" section.
>#
># Modules are defined with relative pathnames, i.e., they are
># relative to /usr/lib/security/$ISA. Absolute path names, as
># present in this file in previous releases are still acceptable.
>#
># Authentication management
>#
># login service (explicit because of pam_dial_auth)
>#
>login auth required /usr/lib/security/pam_winbind.so
>login auth requisite pam_authtok_get.so.1
>login auth required pam_dhkeys.so.1
>login auth required pam_unix_auth.so.1
>login auth required pam_dial_auth.so.1
>#
># rlogin service (explicit because of pam_rhost_auth)
>#
>rlogin auth sufficient /usr/lib/security/pam_winbind.so
>rlogin auth sufficient pam_rhosts_auth.so.1
>rlogin auth requisite pam_authtok_get.so.1
>rlogin auth required pam_dhkeys.so.1
>rlogin auth required pam_unix_auth.so.1
>#
># rsh service (explicit because of pam_rhost_auth,
># and pam_unix_auth for meaningful pam_setcred)
>#
>rsh auth sufficient pam_rhosts_auth.so.1
>rsh auth required pam_unix_auth.so.1
>#
># PPP service (explicit because of pam_dial_auth)
>#
>ppp auth requisite pam_authtok_get.so.1
>ppp auth required pam_dhkeys.so.1
>ppp auth required pam_unix_auth.so.1
>ppp auth required pam_dial_auth.so.1
>#
># Default definitions for Authentication management
># Used when service name is not explicitly mentioned for authenctication
>#
>other account sufficient /usr/lib/security/pam_winbind.so
>other auth requisite pam_authtok_get.so.1
>other auth required pam_dhkeys.so.1
>other auth required pam_unix_auth.so.1
>#
># passwd command (explicit because of a different authentication module)
>#
>passwd auth required pam_passwd_auth.so.1
>#
># cron service (explicit because of non-usage of pam_roles.so.1)
>#
>cron account required pam_projects.so.1
>cron account required pam_unix_account.so.1
>#
># Default definition for Account management
># Used when service name is not explicitly mentioned for account management
>#
>other account requisite pam_roles.so.1
>other account required pam_projects.so.1
>other account required pam_unix_account.so.1
>#
># Default definition for Session management
># Used when service name is not explicitly mentioned for session management
>#
>other session required pam_unix_session.so.1
>#
># Default definition for Password management
># Used when service name is not explicitly mentioned for password management
>#
>other password required pam_dhkeys.so.1
>other password requisite pam_authtok_get.so.1
>other password requisite pam_authtok_check.so.1
>other password required pam_authtok_store.so.1
>#
># Support for Kerberos V5 authentication (uncomment to use Kerberos)
>#
>#rlogin auth optional pam_krb5.so.1 try_first_pass
>#login auth optional pam_krb5.so.1 try_first_pass
>#other auth optional pam_krb5.so.1 try_first_pass
>#cron account optional pam_krb5.so.1
>#other account optional pam_krb5.so.1
>#other session optional pam_krb5.so.1
>#other password optional pam_krb5.so.1 try_first_pass
>
>root@egotest1:/usr/local/samba/lib# cat smb.conf
>[Global] parameters
> workgroup = ego
> netbios name = egotest1
> wins support = Yes
>#security = share
> security = domain
> hosts allow = all
> encrypt passwords = Yes
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> update encrypted = No
> lm announce = true
> log file = /var/adm/messages.smb
># winbind
> # use uids from 10000 to 20000 for domain users
> winbind uid = 10000-20000
> # use gids from 10000 to 20000 for domain groups
> winbind gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> # give winbind users a real shell (only needed if
> # they have telnet access)
> #template homedir = /home/winnt/%D/%U
> template homedir = /export/%U
> template shell = /bin/bash
>[export]
> path = /export
> comment = export
> browseable = yes
> writable = yes
> read only = No
> public = No
>
>____________________________________
>This e-mail message is for the sole use of the intended recipient(s) and
>may contain proprietary, confidential and/or privileged information. Any
>unauthorized review, use, disclosure or distribution is prohibited. If you
>are not the intended recipient (or an employee or agent responsible to
>deliver it to the intended recipient), you may not copy or deliver this
>message to anyone. In such case, you should destroy this message and kindly
>notify the sender by reply e-mail.