Jonathan C. Detert
2006-Apr-27 16:38 UTC
[Samba] winbind nss info = sfu is not so much working
with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD by using winbind for authentication as well as for the source of nss info.

When winbind is configured to use its own local id maps, everything works fine.

But when I configure winbind to use 'ad' as the source of nss info, authentication fails, 'getent' commands return no results, and 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work correctly).

I am guessing that either there is something wrong or lacking in my config, or that some kind of caching is messing me up.

Here is my pertinent smb.conf stuff when winbind is configured to use local id maps:
--------------
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind nested groups = yes
winbind use default domain = yes

idmap gid = 10000-55000
idmap uid = 10000-55000

template homedir = /home/%D/%U
template shell = /bin/bash

And here is how smb.conf looks when winbind is configured to use AD for nss:
--------------
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind nested groups = yes
winbind nss info = sfu
winbind use default domain = yes

idmap backend = ad

Can you see anything wrong/lacking in my config? Btw, I have also tried setting idmap backend to 'idmap_ad' as the smb.conf man page has it, but either way, as 'ad' or as 'idmap_ad', I get the same result.

As to cache possibly messing me up, I do the following when switching from local tdb maps to using ad as the map:
--------------
/etc/init.d/winbind stop; /etc/init.d/samba stop
cat /dev/null > /var/cache/samba/winbindd_cache.tdb
mv /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/winbindd_idmap.tdb.orig
/etc/init.d/samba start; /etc/init.d/winbind start

Is there something else to consider re. caching?

Thanks
--
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
Guenther Deschner
2006-Apr-27 16:56 UTC
[Samba] winbind nss info = sfu is not so much working
On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
> with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
> by using winbind for authentication as well as for the source of nss info.
>
> When winbind is configured to use its own local id maps, everything
> works fine.
>
> But when i configure winbind to use 'ad' as the source of nss info,
> authentication fails, 'getent' commands return no results, and
> 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
> correctly).
>
> I am guessing that either there is something wrong or lacking in my config,
> or that some kind of caching is messing me up.
>
> Here is my pertinent smb.conf stuff when winbind is configed to use
> local id maps:
> --------------
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> winbind nested groups = yes
> winbind use default domain = yes
>
> idmap gid = 10000-55000
> idmap uid = 10000-55000
>
> template homedir = /home/%D/%U
> template shell = /bin/bash
>
> And here is how smb.conf looks when winbind is configed to use AD for
> nss:
> --------------
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> winbind nested groups = yes
> winbind nss info = sfu
> winbind use default domain = yes
>
> idmap backend = ad

You still need to have the idmap ranges set so that winbind does not fall into the "netlogon proxy only" mode.

Does it work then?

Guenther
--
Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                 gd@suse.de
Samba Team                          gd@samba.org
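The point Guenther makes is easy to miss when switching a config from local tdb maps to the AD backend, so here is a small checker (added example, not code from the thread or from the Samba project) that parses the [global] section of an smb.conf and flags an idmap backend of ad / idmap_ad that has no idmap uid / idmap gid ranges. The sample configs are constructed from the stanzas posted above; only the parameter names that appear in the thread are assumed.

```python
import re

# Constructed sample: the poster's AD-backed [global] stanza, which has no idmap ranges.
SMB_CONF_AD = """
[global]
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind nested groups = yes
   winbind nss info = sfu
   winbind use default domain = yes
   idmap backend = ad
"""

# Constructed: the same stanza with the ranges taken from the poster's tdb config.
SMB_CONF_AD_FIXED = SMB_CONF_AD + "   idmap uid = 10000-55000\n   idmap gid = 10000-55000\n"

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")  # smb.conf range syntax: low-high

def parse_global(text):
    """Return [global] parameters as a dict; keys lower-cased and whitespace-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.lower().split())] = val.strip()
    return params

def idmap_findings(text):
    """Flag the pitfall from the thread: idmap backend = ad without uid/gid ranges."""
    g = parse_global(text)
    backend = g.get("idmap backend", "").lower()
    findings = []
    if backend not in ("ad", "idmap_ad"):        # local tdb mapping: ranges are not the issue here
        return findings
    for key in ("idmap uid", "idmap gid"):
        val = g.get(key)
        if val is None:
            findings.append(f"{key} is missing; winbind falls into netlogon-proxy-only mode")
            continue
        m = RANGE_RE.match(val)
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key} = {val!r} is not a valid low-high range")
    return findings

if __name__ == "__main__":
    for name, conf in (("as posted", SMB_CONF_AD), ("with ranges", SMB_CONF_AD_FIXED)):
        print(name, "->", idmap_findings(conf) or "ok")
```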
Jonathan C. Detert
2006-Apr-27 16:57 UTC
[Samba] winbind nss info = sfu is not so much working
* Jonathan C. Detert <detertj@msoe.edu> [060427 11:39]:
> with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
> by using winbind for authentication as well as for the source of nss info.
>
> When winbind is configured to use its own local id maps, everything
> works fine.
>
> But when i configure winbind to use 'ad' as the source of nss info,
> authentication fails, 'getent' commands return no results, and
> 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
> correctly).

a couple notes to add:

a) the AD box I'm using is running Win2k3 with SFU schema extensions applied.

b) 'wbinfo -n detertj' returns the correct sid, regardless of whether idmap backend is set to ad or not. 'wbinfo -S detertjsid' fails to convert the sid to a uid when idmap backend is set to ad, but succeeds when idmap backend is NOT set.

c) the 'detertj' account does have the appropriate msad attributes, as can be seen here:

ldapsearch -x -LLL -s sub -H ldap://xxxxxx.msoe.edu -D 'cn=ldap,ou=ccsd,ou=people,dc=msoe,dc=edu' -w 'xxxxxxxx' -b'ou=people,dc=msoe,dc=edu' "samaccountname=detertj" msSFU30UidNumber msSFU30GidNumber msSFU30HomeDirectory msSFU30LoginShell

dn: CN=detertj,OU=Administration,OU=People,DC=msoe,DC=edu
msSFU30UidNumber: 20225
msSFU30GidNumber: 21795
msSFU30LoginShell: /bin/bash
msSFU30HomeDirectory: /home/staff/detertj

> I am guessing that either there is something wrong or lacking in my config,
> or that some kind of caching is messing me up.
>
> Here is my pertinent smb.conf stuff when winbind is configed to use
> local id maps:
> --------------
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> winbind nested groups = yes
> winbind use default domain = yes
>
> idmap gid = 10000-55000
> idmap uid = 10000-55000
>
> template homedir = /home/%D/%U
> template shell = /bin/bash
>
> And here is how smb.conf looks when winbind is configed to use AD for
> nss:
> --------------
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> winbind nested groups = yes
> winbind nss info = sfu
> winbind use default domain = yes
>
> idmap backend = ad
>
> Can you see anything wrong/lacking in my config? Btw, I have also tried
> setting idmap backend to 'idmap_ad' as the smb.conf man page has it, but
> either way, as 'ad' or as 'idmap_ad', I get the same result.
>
> As to cache possibly messing me up, I do the following when switching
> from local tdb maps to using ad as the map:
> --------------
> /etc/init.d/winbind stop; /etc/init.d/samba stop
> cat /dev/null > /var/cache/samba/winbindd_cache.tdb
> mv /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/winbindd_idmap.tdb.orig
> /etc/init.d/samba start; /etc/init.d/winbind start
> Is there something else to consider re. caching?
>
> Thanks
> --
> Happy Landings,
>
> Jon Detert
> IT Systems Administrator, Milwaukee School of Engineering
> 1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba

--
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.