Vijay Avarachen
2005-Nov-22 17:28 UTC
[Samba] AD domain with SDMS issues & LDAP Idmap backend
Hi,

I have been trying to join a Samba Domain member server to the AD and use LDAP for IDMAP storage. I have run into many strange issues and I was hoping someone can please take time to clarify things for me. I have read quite a bit (I own both the Samba books by Terpstra) and done a lot of Google searching. I think part of my problem is the unusual setup I have, as all the examples in the book/net assume the user will have a very small AD and have full control of it.

We are a small division and the AD is hosted by our corporate IT. I do have Domain Admin access to our branch of the AD, but not the whole tree. The entire tree has over 8000+ users.

My goals:
[1] Using winbind, authenticate users on Linux servers/workstations - ACCOMPLISHED
[2] Using Kerberos so that users are not prompted for login and password when accessing Domain shares - ACCOMPLISHED but still has some issues.
[3] Rather than each Linux host maintaining its own idmap db, store everything on an OpenLDAP server - FAILED

Here is what I have done so far:
[1] OpenLDAP server with three OU's - People, Groups, Idmap
[2] Joined a Linux server to AD (net ads join ...)
[3] Confirmed that I get a list of users when I do wbinfo -u (or getent passwd). - However I do not get ALL the users. As a matter of fact I get many other domains in AD (ex. SA, EU, AP), but not my own Domain (NA). Does anyone know why this would be? Due to this I am unable to test user login, since I do not have account access for another domain.
[4] On the OpenLDAP server there seems to be no change in the Idmap; I don't understand why it is not getting populated. If I do a manual ldapsearch, I can access the ldap server and query the directory. I also made sure that the smbpasswd -w <my ldap user password> is correct.

Here is my smb.conf file:

[global]
workgroup = NA
netbios name = SPDUSLISHNODE01
realm = NA.NET.MYCOMPANY.COM
server string = Queue Headnode
security = ADS
log level = 1 ads:10 passdb:5 auth:10 winbind:8 sam:10 rpc:10
ldap admin dn = cn=spd.ldapadmin,o=mycompany
ldap idmap suffix = ou=Idmap
ldap suffix = o=mycompany
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
encrypt passwords = yes
password server = SPDUSLISDC010
winbind separator = /
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
wins server = 10.55.56.4
name resolve order = wins lmhosts bcast

My krb5.conf file is similar to the one in Samba-Guide (and I know this works since I can join the Linux host to the AD directory).

Thanks,
Vijay Avarachen

-- 
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it."
-- ancient Sanskrit saying
Vijay Avarachen
2005-Nov-22 21:35 UTC
[Samba] Re: AD domain with SDMS issues & LDAP Idmap backend
Ok WTF... idmap is getting populated in OpenLDAP now. :-) It just took a sh*t load of time... and it turns out I was wrong about the headcount in AD, it's not 8000+, it's close to 40,000+ YIKES!

Also I noticed that there are some errors in the Samba-3 By Example book. On page 235 (section 7.3.4.2 - IDMAP Storage in LDAP using Winbind), it tells you to set passwd, shadow and group in /etc/nsswitch.conf to "file ldap". It should really be "files winbind ldap". Or else when you do getent passwd/group, it's not gonna see those entries from winbind.

Does anyone know if it's safe to turn on nscd, because I don't want the ldap server getting pounded.

Thanks,
Vijay Avarachen

On 11/22/05, Vijay Avarachen <vavarachen@gmail.com> wrote:
> [...]

-- 
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it."
-- ancient Sanskrit saying
Rex Dieter
2005-Nov-22 21:47 UTC
[Samba] Re: AD domain with SDMS issues & LDAP Idmap backend
Vijay Avarachen wrote:
> Ok WTF... idmap is getting populated in OpenLDAP now. :-) It just took a sh*t
> load of time... and it turns out I was wrong about the headcount in AD, it's not
> 8000+, it's close to 40,000+ YIKES!

You could consider using these in smb.conf: (comments mine)

## WARNING: winbind enum ( = yes) can take a *long* time on a
## large domain! -- Rex
winbind enum users = no
winbind enum groups = no

-- Rex
I'm guessing that you need to add some UNIX schema to AD LDAP, either Posix schema using AD4Unix or SFU, and then configure IDmap to use that. The IDMAP should then write the UID and GID to AD LDAP instead of a separate OpenLDAP solution. I'm desperately looking for documentation, but I am finding most of it is oriented to NT-Domain functionality.

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com@lists.samba.org [mailto:samba-bounces+letz_samba=realmspace.com@lists.samba.org] On Behalf Of Vijay Avarachen
Sent: Tuesday, November 22, 2005 9:29 AM
To: samba@lists.samba.org
Subject: [Samba] AD domain with SDMS issues & LDAP Idmap backend

[...]
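Two concrete settings come out of this thread: Vijay's correction that passwd, shadow and group in /etc/nsswitch.conf must list "winbind" (or getent never sees what wbinfo -u returns), and Rex's advice to set "winbind enum users = no" and "winbind enum groups = no" on a 40,000-user forest. The POSIX sh script below is an added example, not code posted in the thread or shipped by Samba; it checks both settings against constructed copies of the two files rather than reading /etc, so it runs offline. The sample file contents, the function names and the "book" versus "fixed" labels are assumptions made for the example; "winbind enum users" and "winbind enum groups" are real smb.conf parameters, and the check treats an unset value as not disabled because Samba 3.0.x releases of that era enumerated by default (later releases default to no).

```shell
#!/bin/sh
# Added example (not from the thread): verify the two settings the thread
# converged on, using constructed config text instead of the live files.

# nss_has_source NSSWITCH_TEXT SOURCE
# Return 0 if each of the passwd, shadow and group databases names SOURCE
# (e.g. winbind) as an NSS source, 1 if any of them does not.
# Comment lines are ignored; the source must be a whole word on the line.
nss_has_source() {
    _missing=0
    for _db in passwd shadow group; do
        if ! printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
             | grep -E "^[[:space:]]*${_db}:" \
             | grep -qE "[[:space:]]${2}([[:space:]]|\$)"; then
            _missing=1
        fi
    done
    return $_missing
}

# smb_enum_disabled SMBCONF_TEXT
# Return 0 only if both "winbind enum users" and "winbind enum groups" are
# explicitly set to no/false/0. Unset counts as NOT disabled (assumption:
# the Samba 3.0.x default of that era was yes). The last assignment wins,
# as in Samba's own parser; '#' and ';' comment lines are ignored.
smb_enum_disabled() {
    _ok=0
    for _key in "winbind enum users" "winbind enum groups"; do
        _val=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*[#;]' \
               | grep -iE "^[[:space:]]*${_key}[[:space:]]*=" \
               | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr 'A-Z' 'a-z')
        case "$_val" in
            no|false|0) ;;      # explicitly disabled
            *) _ok=1 ;;         # unset or enabled: enumeration still on
        esac
    done
    return $_ok
}

# Constructed sample inputs (not the poster's real files).
NSS_BOOK='passwd: files ldap
shadow: files ldap
group:  files ldap'

NSS_FIXED='passwd: files winbind ldap
shadow: files winbind ldap
group:  files winbind ldap'

SMB_ORIG='[global]
   workgroup = NA
   security = ADS
   idmap uid = 150000-550000
   idmap gid = 150000-550000'

SMB_TUNED='[global]
   workgroup = NA
   security = ADS
   ## WARNING: winbind enum ( = yes) can take a *long* time on a large domain!
   winbind enum users = no
   winbind enum groups = no
   idmap uid = 150000-550000
   idmap gid = 150000-550000'

# Report on each constructed file when run directly.
for _name in NSS_BOOK NSS_FIXED; do
    eval "_text=\$$_name"
    if nss_has_source "$_text" winbind; then
        echo "$_name: winbind present in passwd/shadow/group"
    else
        echo "$_name: winbind MISSING, getent will not show AD users"
    fi
done
for _name in SMB_ORIG SMB_TUNED; do
    eval "_text=\$$_name"
    if smb_enum_disabled "$_text"; then
        echo "$_name: winbind enumeration disabled"
    else
        echo "$_name: winbind enumeration still on (slow on a large forest)"
    fi
done
```

The nsswitch check deliberately requires "winbind" as a whole word so that a line such as "passwd: files winbindd" or a commented-out entry does not pass; the smb.conf check takes the last assignment of each key, which is what Samba does when a parameter appears twice in [global].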