Hi All!
I have been a happy and contented user of samba for several years now,
when I got asked several questions I didn't know the answer to. The
questions were:
1) Is there a way to create a network appliance type unix box, where
usernames and groupnames are pulled from an existing NT4 or W2K domain?
(without maintaining a local /etc/passwd file) What is the best way to
do this?
2) How to set up a box so that anybody in the NT domain could log in
with their NT Domain username and password. (again, without futzing with
the /etc/passwd file)
Question 1 relates to replacing NT servers housing datashares with
license-free unix/linux boxes. Question 2 relates to an experimental
project to replace NT workstation desktops with unix desktops, and
providing a seamless transition for users.
So I did some research and found the samba appliance stuff in
samba.org/pub/samba/appliance. I've tried out several versions as they
have come out (versions 0.3 thru 0.5 (haven't tested yet), binary and
compiled myself from src.rpm) and I've come up with several errata and
questions.
First of all, I am running Redhat 6.2 out-of-the box install, with
applicable patches and fixes applied, glibc-2.1.3. This has been on
several Dell Poweredge servers. First, I remove the existing samba
packages if installed, then install the samba-appliance rpms.
Our NT domain structure is a multi-master/resource domain structure
with more than 30,000 objects in the master domains and resource
domains. One of our master domains is called "AMERICAS", and the
resource domain that the samba appliance resides in is "US".
First, very minor issues with the RPM:
1.) missing symbolic link: /lib/libnss_winbind.so.2 -->
/lib/libnss_winbind.so
The .so file gets put in /lib, but it won't work without the .so.2
symlinked back to the main shared library.
2.) /etc/rc.d/init.d/smb
The startup file has two errors in it. A) It looks for /etc/smb.conf
and exits if it does not exist (problem because smb.conf is in
/usr/local/samba/lib/smb.conf) and B) it tries to run the daemons
without the fully qualified path, which doesn't work out-of-the-box
unless you add /usr/local/samba/bin to the path.
I had been having problems with winbindd coredumping until version 0.4,
so 0.4 was the first version I could actually use. And as 0.5 just came
out, I haven't had a chance to mess with it yet. So I have been having
two major "showstopper" issues with 0.4:
1.) Can't get logins to work. I have modified /etc/nsswitch to add
winbind to the passwd and group entries. The really weird thing is that
I can no longer log into the machine when I start winbindd. This is even
if I haven't modified the /etc/pam.d/login file and I am trying to use a
user in /etc/passwd. I've tried modifying /etc/pam.d/login as shown in
the winbindd man page, but that doesn't work either. As soon as I kill
winbindd, I can then log into the machine.
The thing that DOES work and is really cool, I can do a "getent passwd"
and it will dump out our NT domain database, as well as the local
/etc/passwd file. I can do a "chown AMERICAS\\michael_e_brown filename"
and it will work. I can do a "wbinfo -n AMERICAS\\michael_e_brown" and
it will dump my SID. One interesting problem I have been having is that
Linux kernel 2.2 only supports 16 bit UID, so I get some error messages
when winbindd bumps up against the uid range limit. Will this problem be
solved if I drop in a 2.4 kernel and expand the range? I have been
ignoring this for the time being, while I try to get the other problems
solved.
2.) Because of the size of our NT domain, I experimented with changing
the "winbind cache time" to a much larger value (several hours), without
much success. I think that because of the size of our domain, I should
leave this set at a very high value, is this correct? I have done a
tcpdump on winbindd grabbing the NT domain userlist, and it normally
takes a while (between two to ten minutes).
3.) and the really BIG problem: can't get samba to recognize my login
from another NT box. I have shares set up as shown in my attached
smb.conf. I set up the share so that my UID owns the directory and all
files in it, and yet I cannot attach to the share.
And other misc questions:
1.) How does the $WINBINDD_DOMAIN variable work? Is it a system wide
config setting that takes effect when you start winbindd, or is it
per-process that uses winbindd?
2.) I had some real problems trying to join the machine to the domain
with "password server = *" in smb.conf. I had to manually point the
smb.conf at one of our password servers to join the domain as indicated
in the winbindd man page.
I am really motivated to try to get some of these things fixed. Can you
please let me know what I would need to send in order to help debug this
further?
--------------smb.conf----------------------
[global]
workgroup = US
security = domain
encrypt passwords = true
stat cache = false
winbind cache time = 6000
winbind uid = 1000-32000
winbind gid = 1000-32000
password server = *
;password server = dc-us02
template homedir = /home/%U
template shell = /bin/sh
load printers = no
log file = /usr/local/samba/var/log.%m
max log size = 50
username map = /etc/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
name resolve order = wins lmhosts bcast
wins server = xxx.xxx.xxx.252
; wins server = xxx.xxx.xxx.148
dns proxy = yes
#============================ Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writable = yes
[share]
comment = a share
path = /home/share
public = no
writable = yes
printable = no
create mask = 0770
---------------/usr/local/samba/var/log.winbindd----------------
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
getting trusted domain list
adding trusted domain US
adding trusted domain JAPAN
adding trusted domain W2KAMER
adding trusted domain EUROPE
adding trusted domain ASIA-PACIFIC
adding trusted domain NON
adding trusted domain AMERICAS
Getting domain info for domain AMERICAS
looking up sid for domain AMERICAS
found sid S-1-5-21-1802859667-647903414-1863928812 for domain AMERICAS
1st session setup ok
2nd session setup ok
Getting domain info for domain NON
looking up sid for domain NON
found sid S-1-5-21-1851004207-1854559766-313593124 for domain NON
Getting domain info for domain ASIA-PACIFIC
looking up sid for domain ASIA-PACIFIC
found sid S-1-5-21-1971345664-1559653683-1850952788 for domain ASIA-PACIFIC
Getting domain info for domain EUROPE
looking up sid for domain EUROPE
found sid S-1-5-21-198575724-866408411-929701000 for domain EUROPE
Getting domain info for domain W2KAMER
looking up sid for domain W2KAMER
found sid S-1-5-21-455109234-1055159399-1539857752 for domain W2KAMER
1st session setup ok
2nd session setup ok
Getting domain info for domain JAPAN
looking up sid for domain JAPAN
found sid S-1-5-21-699284886-586374940-262303683 for domain JAPAN
1st session setup ok
2nd session setup ok
Getting domain info for domain US
looking up sid for domain US
found sid S-1-5-21-37171169-1994200146-44198299 for domain US
----------------------/usr/local/samba/var/log.smb-----------------------
file_init: Information only: requested 10000 open files, 1014 are available.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
file_init: Information only: requested 10000 open files, 1014 are available.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
file_init: Information only: requested 10000 open files, 1014 are available.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
file_init: Information only: requested 10000 open files, 1014 are available.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
Failed to set socket option SO_KEEPALIVE (Error Bad file descriptor)
Failed to set socket option TCP_NODELAY (Error Bad file descriptor)
Failed to set socket option SO_RCVBUF (Error Bad file descriptor)
Failed to set socket option SO_SNDBUF (Error Bad file descriptor)
file_init: Information only: requested 10000 open files, 1014 are available.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
----------------------/usr/local/samba/log.nmbd-------------------------
[2000/08/09 09:01:37, 1] nmbd/nmbd.c:main(759)
Netbios nameserver version pre-3.0.0 started.
Copyright Andrew Tridgell 1994-1998
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
Got SIGTERM: going down...
[2000/08/09 09:10:14, 1] nmbd/nmbd.c:main(759)
Netbios nameserver version pre-3.0.0 started.
Copyright Andrew Tridgell 1994-1998
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
Got SIGTERM: going down...
[2000/08/09 09:40:28, 1] nmbd/nmbd.c:main(759)
Netbios nameserver version pre-3.0.0 started.
Copyright Andrew Tridgell 1994-1998
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
find_response_record: response packet id 36930 received with no matching record.
Got SIGTERM: going down...
[2000/08/09 10:53:00, 1] nmbd/nmbd.c:main(759)
Netbios nameserver version pre-3.0.0 started.
Copyright Andrew Tridgell 1994-1998
-------------------------/usr/local/samba/log.smbd----------------------
[2000/08/09 09:01:34, 1] smbd/server.c:main(646)
smbd version pre-3.0.0 started.
Copyright Andrew Tridgell 1992-1998
[2000/08/09 09:10:14, 1] smbd/server.c:main(646)
smbd version pre-3.0.0 started.
Copyright Andrew Tridgell 1992-1998
[2000/08/09 09:40:28, 1] smbd/server.c:main(646)
smbd version pre-3.0.0 started.
Copyright Andrew Tridgell 1992-1998
[2000/08/09 10:53:00, 1] smbd/server.c:main(646)
smbd version pre-3.0.0 started.
Copyright Andrew Tridgell 1992-1998
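The uid-range questions in the post (the 16-bit id ceiling of kernel 2.2, a 30,000-object domain mapped into "winbind uid = 1000-32000", and local /etc/passwd users sharing that range) can be checked before winbindd is started. The following POSIX sh script is an added example and not part of the original post or of the samba appliance; `read_range`, `count_problems` and the sample smb.conf and passwd it writes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check the "winbind uid" and
# "winbind gid" ranges of an smb.conf against the limits the post runs
# into: the 16-bit id ceiling of Linux 2.2 (65535), the number of domain
# objects that must fit, and overlap with ids already in the local
# /etc/passwd or /etc/group. Sample inputs below are constructed.

# read_range FILE KEY: print "low high" for a line "KEY = low-high".
read_range() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# count_problems SMBCONF IDFILE KEY OBJECTS: report findings on stderr,
# print the number of problems. IDFILE is /etc/passwd for the uid range
# or /etc/group for the gid range (both keep the numeric id in field 3).
count_problems() {
    conf=$1 idfile=$2 key=$3 objects=$4 problems=0
    set -- $(read_range "$conf" "$key")
    low=$1 high=$2
    if [ -z "$high" ]; then
        echo "$key: not set in $conf" >&2; echo 1; return
    fi
    if [ "$high" -gt 65535 ]; then
        echo "$key: upper bound $high exceeds the 16-bit id limit of kernel 2.2" >&2
        problems=$((problems + 1))
    fi
    if [ $((high - low + 1)) -lt "$objects" ]; then
        echo "$key: range holds $((high - low + 1)) ids, fewer than $objects domain objects" >&2
        problems=$((problems + 1))
    fi
    # A local account inside the range shares its id with whatever domain
    # user winbindd maps there, so file ownership becomes ambiguous.
    clash=$(awk -F: -v lo="$low" -v hi="$high" '$3 >= lo && $3 <= hi { print $1 }' "$idfile" | tr '\n' ' ')
    if [ -n "$clash" ]; then
        echo "$key: range $low-$high overlaps local entries: $clash" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Constructed inputs: the post's range and a passwd with one local user
# (uid 1500) that falls inside it.
SAMPLE_DIR=$(mktemp -d)
printf '[global]\nwinbind uid = 1000-32000\nwinbind gid = 1000-32000\n' > "$SAMPLE_DIR/smb.conf"
printf 'root:x:0:0::/root:/bin/sh\nmichael:x:1500:1500::/home/michael:/bin/sh\n' > "$SAMPLE_DIR/passwd"

count_problems "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/passwd" "winbind uid" 30000   # prints 1
```

Run it against the real /usr/local/samba/lib/smb.conf and /etc/passwd (and again with "winbind gid" and /etc/group) to see which of the three limits the chosen range actually hits.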