Guess I'll ask again . . .

[Samba] Winbind and groups
Bub Slug bub1slug@hotmail.com
Sun Oct 13 02:35:01 2002

Hi all,

I'm trying to get a samba server which is all by itself, No Windows DCs, or even windows shares at all, to play nice with Linux clients.

The server is authenticating Win9x, NT and 2000 clients fine and dandy, and now I have need to add linux clients to the scenario, and have discovered an issue I can't seem to work through. Perhaps someone can help?

On the linux client, I can login as a user that exists only on the samba server (TEST+testuser), except I get the following message:

    id: cannot find name for group id 10000

When I do "wbinfo -t" I get back:

    Secret is good.

When I do "wbinfo -u" I get back:

    TEST+testuser

When I do "wbinfo -g" I get back:

    TEST+Domain Admins
    TEST+Domain Users

When I do "getent passwd" I get:

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    . . cut for brevity . .
    bub:x:500:500:Bub Slug:/home/bub:/bin/bash
    TEST+testuser:x:10000:10000::/home/testuser:/bin/bash

So far so good, until I do "getent group", which returns:

    root:x:0:root
    bin:x:1:bin
    . . cut for brevity again . .
    bub:x:500:bub

So my net groups "Domain Admins" and "Domain Users" don't show up when I getent group, and there is no other network group that winbind can map to gid 10000 when TEST+testuser logs in to the Linux client, and I suspect this is why I get the ID message on login (?)

Once again, I am not using any Windows 9x, NT, 2000 servers, the Linux Samba server is the only PDC (and the only DC).

Can anyone offer some help aside from the stuff that's around on the net. It all seems to deal with using Samba in a Domain with an actual windows DC, not as a standalone server being a DC.

I wonder why my client linux box can't see the domain groups on login, and while I'm on the subject, where do "Domain Admins" and "Domain Users" come from in the first place, and how do I add, delete or modify domain groups or how do I make groups on the Linux Samba server display to linux clients?

Both server and Client use RedHat 7.3 (Stock Kernel)

Samba wasn't installed with the redhat setup, instead I downloaded the tarball for 2.2.5

I compiled the server software in the source directory with:

    ./configure
    make
    make install

The server is set up as a PDC with an smb.conf file that looks like:

    [global]
        workgroup = TEST
        netbios name = LINUXSRV
        interfaces = 127.0.0.1 192.168.240.20
        encrypt passwords = Yes
        domain logons = Yes
        os level = 64
        preferred master = True
        domain master = True
        wins support = Yes

    [homes]
        path = /home/%U
        read only = No
        browseable = No

    [netlogon]
        path = /usr/local/samba/netlogon
        browseable = No

I've configured the linux client and added it to the domain by:

Setting its host name to linuxclient,

Compiling the samba software from source (2.2.5) in the source directory with:

    ./configure --with-winbind
    make
    make install
    make nsswitch

Copied libnss_winbind.so to /lib

Created a link:

    ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

copied pam_winbind.so to /lib/security

Created an smb.conf file for winbind that looks like

    [global]
        workgroup = TEST
        winbind separator = +
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = yes
        wins server = 192.168.240.20

Created an init script to fire up winbind

edited /etc/nsswitch.conf to change the lines:

    passwd: files winbind
    shadow: files
    group: files windbind

added these lines to /etc/pam.d/login:

    auth sufficient /lib/security/pam_winbind.so
    account sufficient /lib/security/pam_winbind.so
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=022

did a:

    /sbin/ldconfig -v | grep winbind

which returned:

    libnss_winbind.so -> libnss_winbind.so

I started up the winbindd daemon on the client.

Then on the server, I did:

    useradd linuxclient$
    passwd -l linuxclient$
    smbpasswd -a -m linuxclient
    useradd testuser
    passwd -l testuser
    smbpasswd -a testuser

On the linux client I did:

    smbpasswd -j TEST -r 192.168.240.20

Which reported I joined the domain successfully.

Doing all this gets me the behaviour described above.

Any help will be appreciated!

Bub

This tagline is umop ap!5dn

Bub Slug wrote:

> edited /etc/nsswitch.conf to change the lines:
> passwd: files winbind
> shadow: files
> group: files windbind
                  ^

Try making that winbind :-)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

>Bub Slug wrote:
>
>> edited /etc/nsswitch.conf to change the lines:
>> passwd: files winbind
>> shadow: files
>> group: files windbind
>
>Try making that winbind :-)
>
>Andrew Bartlett

Hi Andrew,

thanks for the reply, unfortunately, this was a typo in the description, not in the actual configuration file, so I'm afraid I still have the same issue . . .

It is actually:

    passwd: files winbind
    shadow: files
    group: files winbind

Any other ideas? (I wish it was something this dumb, I've been working on this for a couple of weeks . . .)

TIA,

Bub

This tagline is umop ap!5dn

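Added example (not part of any message in this thread): two checks for the symptoms discussed so far, run over constructed sample files that mirror the output quoted in the first post. The function names are illustrative, and the second check assumes every NSS source is provided by a libnss_<source>.so.2 file in the directory given, the name the poster's symlink creates.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Print "user gid" for each passwd(5)-format entry whose primary GID has no
# entry in the group(5)-format file (what makes id say "cannot find name").
orphan_primary_gids() {
    passwd_file=$1 group_file=$2
    awk -F: '
        FILENAME == ARGV[1] { if ($3 != "") known[$3] = 1; next }  # group file
        $1 != "" && $4 != "" && !($4 in known) { print $1, $4 }    # passwd file
    ' "$group_file" "$passwd_file"
}

# Print each source on the passwd/group/shadow lines of an nsswitch.conf that
# has no libnss_<source>.so.2 in libdir (assumption: every source is a module).
missing_nss_modules() {
    conf=$1 libdir=$2
    # Strip comments and [STATUS=action] items before reading the sources.
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$conf" |
    awk '$1 ~ /^(passwd|group|shadow):$/ { for (i = 2; i <= NF; i++) print $i }' |
    sort -u |
    while read -r src; do
        [ -e "$libdir/libnss_$src.so.2" ] || printf '%s\n' "$src"
    done
}

# Constructed sample data mirroring the output quoted in the first post.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'bub:x:500:500:Bub Slug:/home/bub:/bin/bash' \
    'TEST+testuser:x:10000:10000::/home/testuser:/bin/bash' > "$demo/passwd"
printf '%s\n' 'root:x:0:root' 'bin:x:1:bin' 'bub:x:500:bub' > "$demo/group"
printf '%s\n' 'passwd: files winbind' 'shadow: files' \
    'group: files windbind' > "$demo/nsswitch.conf"
mkdir "$demo/lib"
touch "$demo/lib/libnss_files.so.2" "$demo/lib/libnss_winbind.so.2"

orphan_primary_gids "$demo/passwd" "$demo/group"        # TEST+testuser 10000
missing_nss_modules "$demo/nsswitch.conf" "$demo/lib"   # windbind
```

On a live client the two inputs would be saved copies of "getent passwd" and "getent group" output, and the real /etc/nsswitch.conf and /lib.
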
On Fri, 18 Oct 2002, Bub Slug wrote:

> So far so good, until I do "getent group", which returns:
>
> root:x:0:root
> bin:x:1:bin
> ......
> bub:x:500:bub
>
> So my net groups "Domain Admins" and "Domain Users" don't show up when I
> getent group, and there is no other network group that winbind can map to
> gid 10000 when TEST+testuser logs in to the Linux client, and I suspect this
> is why I get the ID message on login (?)
>
> Once again, I am not using any Windows 9x, NT, 2000 servers, the Linux Samba
> server is the only PDC (and the only DC).

Samba 2.2.x does not support all of the group enumeration RPCs needed for supporting a winbindd installation on another Samba box. Although I will propose that you don't need winbindd if you are using a Samba PDC. There are other means of achieving the same result.

cheers, jerry
 ---------------------------------------------------------------------
 Hewlett-Packard ------------------------- http://www.hp.com
 SAMBA Team ---------------------- http://www.samba.org
 GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
 "I never saved anything for the swim back." Ethan Hawk in Gattaca

Hi Jerry,

Thanks for the reply.

What other methods could I use to have both Linux client machines and windows clients authenticate to a samba server?

Bub

This tagline is umop ap!5dn

>From: "Gerald (Jerry) Carter" <jerry@samba.org>
>To: Bub Slug <bub1slug@hotmail.com>
>CC: samba@lists.samba.org
>Subject: Re: [Samba] winbind, getent and wbinfo
>Date: Mon, 21 Oct 2002 08:41:00 -0500 (CDT)
>
>Samba 2.2.x does not support all of the group enumeration RPCs needed for
>supporting a winbindd installation on another Samba box. Although I will
>propose that you don't need winbindd if you are using a Samba PDC.
>There are other means of achieving the same result.
>
>cheers, jerry

On Mon, 21 Oct 2002, Bub Slug wrote:

> What other methods could I use to have both Linux client machines and
> windows clients authenticate to a samba server?

You could use NIS or LDAP for all UNIX accounts. If you want to authenticate Linux services against smbpasswd, then look at pam_smbpass.so

cheers, jerry

Hi Jerry,

We're trying to replace our Windo$e (NT 4 and 2000 domain controllers, but no AD) servers with Samba, and have both Win98, ME, 2000 and XP clients, in addition to some Linux RH7.3 and RH8 desks.

Are we still waiting for Samba 3.x before we can have a single unified authentication mechanism for Windows and Un*x desktops?

Thanks,

Bub

This tagline is umop ap!5dn

>From: "Gerald (Jerry) Carter" <jerry@samba.org>
>To: Bub Slug <bub1slug@hotmail.com>
>CC: samba@lists.samba.org
>Subject: Re: [Samba] winbind, getent and wbinfo
>Date: Mon, 21 Oct 2002 12:29:54 -0500 (CDT)
>
>On Mon, 21 Oct 2002, Bub Slug wrote:
>
> > What other methods could I use to have both Linux client machines and
> > windows clients authenticate to a samba server?
>
>You could use NIS or LDAP for all UNIX accounts.
>If you want to authenticate Linux services against
>smbpasswd, then look at pam_smbpass.so
>
>cheers, jerry