Hi,
If you are using LDAP, it'd probably be better to point your member
server to its LDAP directory. You probably don't want "winbind use
default domain" set to "yes" as this will fill your IDMAP backend with
local domain accounts; really, in a Samba domain you only want foreign
domain stuff in there. Try:
passdb backend = ldapsam:ldap://pdc ip
idmap backend = ldap:ldap://pdc ip
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
and copy all the parameters starting with "ldap " from your PDC.
You might also want:
domain logons = yes
domain master = no
preferred master = no
wins server = pdc's IP address
This works for me with both local and trusted domains.
Alex
On Sat, 2009-09-19 at 21:18 -0300, Edson Marquezani Filho wrote:
> Hello,
>
> I would like to know what is really necessary to setup a Samba as a
> simple client of a PDC Server, because, the way I'm trying, things are
> not working.
>
> I have Samba + LDAP on a server as PDC, and I want to setup
> transparent proxy authentication through Squid and Samba + Winbind on
> another server, but I can't make this Samba to authenticate against
> the PDC.
>
> I have been trying with a very simple config, like this:
>
> [global]
> workgroup = MYDOMAIN
> security = DOMAIN
> password server = (I have already tried with *, FQDN, netbios
> name and IP address.)
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind use default domain = Yes
>
>
> Domain joining happened successfully, with net rpc join, but I can't
> authenticate any user with smbclient, and winbind doesn't work either. An
> attempt to connect on localhost via smbclient fails with the following
> message:
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> I have tried to include other parameters, but nothing has worked. What
> am I missing?
>
> Thank you.
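
As an added example (not part of either message, and not Samba code): a small Python check that parses the [global] section of an smb.conf and lists where it differs from the settings suggested in the reply. The function names, the sample text and the choice of checks are assumptions made for illustration.

```python
import re

# Boolean settings suggested in the reply above for the member server.
SUGGESTED = {
    "winbind use default domain": False,
    "winbind trusted domains only": True,
    "winbind nested groups": True,
    "allow trusted domains": True,
}
TRUTHY = {"yes", "true", "1"}

# Constructed sample based on the [global] section quoted in the question.
QUESTION_CONF = """[global]
workgroup = MYDOMAIN
security = DOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
"""

def key(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[key(name)] = value.strip()
    return params

def review(text):
    params, findings = parse_global(text), []
    for name, want in SUGGESTED.items():
        value = params.get(key(name))
        if value is None or (value.lower() in TRUTHY) != want:
            findings.append(f"{name} = {value or '(unset)'}, suggested: {'yes' if want else 'no'}")
    for name in ("passdb backend", "idmap backend"):
        if "ldap" not in params.get(key(name), "").lower():
            findings.append(f"{name} does not point at LDAP")
    if not any(k.startswith("ldap") for k in params):
        findings.append("no 'ldap ...' parameters copied from the PDC")
    return findings
```

Calling `review(QUESTION_CONF)` lists the differences for the configuration quoted in the question; an empty list means every checked setting matches the reply.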