Hey man,
You only need to do the nsswitch stuff in order to accomplish what you
described.
The pam stuff is for logging in to the unix box with an AD account, the
nss stuff is necessary for the enumeration of the AD accounts + groups.
So you need winbindd + libnss_winbind.so + changes to nsswitch.conf.
Hope this helped.
Thanks,
Mark
-----Original Message-----
From: samba-bounces+markl=bbd.co.za@lists.samba.org
[mailto:samba-bounces+markl=bbd.co.za@lists.samba.org] On Behalf Of Greg
Adams
Sent: 06 October 2004 05:26 PM
To: samba@lists.samba.org
Subject: [Samba] winbind pam nsswitch question
I am setting up a Samba 3.0.6 ADS member server, configured like this:
Windows 2000 ADS Server
Samba 3.0.6 ADS member server (Solaris 9) is a member of ADS domain
Windows XP clients are members of ADS domain, require access to Samba
shares on Solaris server.
I'm trying to make it so that I don't have to maintain a usermap to map
all of the users or groups in the ADS domain on the Solaris server. I
think I still need winbindd running in order for Samba to be able to
enumerate the users and groups on the ADS server, but I'm confused as to
which parts of the tutorials to follow. I don't want the ADS accounts to
be able to log in to the Solaris server, I just want them to be able to
map drives. I also don't want to have files that the ADS accounts access
to have user or group ownership based on their ADS accounts... I'd like
to force all the ADS users to a single Solaris account. From looking at
the tutorials, I'm thinking that I'll use Unix directory permissions to
achieve that instead of "force user" in smb.conf. Here are my
questions:
1. The By Example document talks about adding winbind to
/etc/nsswitch.conf and putting libnss_winbind.so in my /usr/lib
directory. Is this required for the situation described above, or is
this only required if you want to be able to log into the Solaris server
using an ADS account and password?
2. The Official Howto talks about adding pam_smbpass.so and/or
pam_winbind.so entries to /etc/pam.conf. Again, is this required for the
situation described above, or is this only required for logging into
Unix with ADS accounts?
Thanks for any info...
Greg Adams
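
The split described in the reply (winbind in nsswitch.conf for user and group enumeration, no Samba PAM entries so AD accounts get no login path), as an added example that is not part of the original thread: a shell check to run against copies of /etc/nsswitch.conf and /etc/pam.conf. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Needs a POSIX awk (on Solaris 9 use nawk or /usr/xpg4/bin/awk).

# Succeeds if database $2 (passwd or group) lists winbind as a source in file $1.
nss_uses_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Succeeds if an active line in PAM config $1 loads one of the two modules
# named in the question (pam_winbind.so, pam_smbpass.so).
pam_loads_samba_module() {
    awk '{ sub(/#.*/, "") }
         /pam_(winbind|smbpass)\.so/ { hit = 1 }
         END { exit hit ? 0 : 1 }' "$1"
}

# check_share_only NSSWITCH PAMCONF: returns 0 only when winbind serves
# passwd and group lookups and no Samba PAM module is active.
check_share_only() {
    rc=0
    for db in passwd group; do
        nss_uses_winbind "$1" "$db" || { echo "FAIL: $db lacks winbind in $1"; rc=1; }
    done
    if pam_loads_samba_module "$2"; then
        echo "FAIL: $2 loads a Samba PAM module"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: NSS enumeration only, no PAM login path"; fi
    return "$rc"
}

# Constructed sample files (not taken from the thread).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n' > "$tmp/nsswitch.conf"
printf 'login auth required pam_unix_auth.so.1\n#login auth sufficient pam_winbind.so\n' > "$tmp/pam.ok"
printf 'login auth sufficient pam_winbind.so\nlogin auth required pam_unix_auth.so.1\n' > "$tmp/pam.bad"

check_share_only "$tmp/nsswitch.conf" "$tmp/pam.ok"
check_share_only "$tmp/nsswitch.conf" "$tmp/pam.bad" || true   # expected to fail
```

A commented-out PAM line does not count as active, so the first sample passes and the second is flagged.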