Hello,

I am running Red Hat 7.3 Samba 2.26 and winbind. I have been able to join the domain and test all of the following with these commands. All works great.

    winbind -u
    winbind -g
    getent passwd
    getent group

But when I set up a share to test with one domain user account it just presents me with a password dialog box and does not accept anything. It should not prompt me but if it does it should authenticate. I have tried it with the username map = /etc/samba/smbusers and that did not work either.

I have the winbind separator as + but if I run testparm I get the following:

    [root@gtdns root]# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[TESTIT]"
    Loaded services file OK.
    'winbind separator = +' might cause problems with group membership.
    Press enter to see a dump of your service definitions

If I change the separator to \ and run testparm I get the following:

    [root@gtdns root]# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[TESTIT]"
    Loaded services file OK.
    ERROR: the 'winbind separator' parameter must be a single character.
    Press enter to see a dump of your service definitions

Here is my information:

    #======================= Global Settings ====================================
    [global]
    workgroup = GTESS1.COM
    netbios name = GTDNS
    server string = Linux 7.3 Samba Server
    log file = /var/log/samba/log.%m
    security = domain
    password server = *
    wins server = 192.168.2.1
    ;username map = /etc/samba/smbusers
    encrypt passwords = yes
    winbind separator = +
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    winbind use default domain = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    remote announce = 192.168.1.255 192.168.2.44 192.168.4.255

    [TESTIT]
    comment = TESTIT
    path = /usr/stuff
    valid users = GTESS1.COM+jcrusade
    read only = No
    create mask = 0777
    directory mask = 0777

Thanks,
Jennifer Crusade
GTESS Corp.
CCNA, MCSE W2k\NT 4.0, MCP +I
On Mon, Oct 28, 2002 at 05:33:22PM -0600, Jennifer Crusade wrote:
> Hello,
>
> I am running Red Hat 7.3 Samba 2.26 and winbind. I have been able to join
> the domain and test all of the following with these commands. All works
> great.
>
> But when I set up a share to test with one domain user account it just
> presents me with a password dialog box and does not accept anything. It
> should not prompt me but if it does it should authenticate.

I suggest configuring PAM to allow shell logins for domain users. If you can get them to login at a Linux login: prompt, then it should work also through Samba. It's just one thing you can do to check.

> I have the winbind separator as + but if I run testparm I get the following:
>
> [root@gtdns root]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[TESTIT]"
> Loaded services file OK.
> 'winbind separator = +' might cause problems with group membership.
> Press enter to see a dump of your service definitions

Looks like a warning rather than an error. IIRC, the examples in the Samba docs use a +, so it seems like it should be ok.

> If I change the separator to \ and run testparm I get the following:
>
> [root@gtdns root]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[TESTIT]"
> Loaded services file OK.
> ERROR: the 'winbind separator' parameter must be a single character.
> Press enter to see a dump of your service definitions

Maybe you need to specify the backslash as \\ instead of a single \ ? I don't remember just offhand exactly how I did it, but I had things configured here to use \ as the winbind separator.

If you don't get it working pretty quickly ... coincidentally, I am currently working on the section on winbind for Using Samba, 2nd edition. I might be able to send you a copy of that, and see if the directions work for you. Hopefully, you can also provide some pre-publication user feedback. Email me privately if you'd like to do this.

Jay Ts
jay@jayts.cx
Have you done wbinfo -A Administrator%password?

Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.

----- Original Message -----
From: Jennifer Crusade
To: samba@lists.samba.org
Sent: Monday, October 28, 2002 11:33 PM
Subject: [Samba] Winbind!
question about winbind: is this normal?

when i do a ID with my user act (nt user) i get the following info:

    $ id
    uid=40001(jfountai) gid=50000()
    $

I am a domain admin and a member of many other groups - they aren't listed though!
this is driving me insane :)
thanks

-----Original Message-----
From: Gareth Davies [mailto:gdavies@willowbrook.co.uk]
Sent: Tuesday, October 29, 2002 8:50 AM
To: Roger Schmeits; samba@lists.samba.org
Subject: Re: [Samba] Winbind!

----- Original Message -----
From: "Roger Schmeits" <knothead@clarksoncollege.edu>
To: <samba@lists.samba.org>
Sent: Tuesday, October 29, 2002 7:28 AM
Subject: Re: [Samba] Winbind!

> > If you don't get it working pretty quickly ... coincidentally, I am
> > currently working on the section on winbind for Using Samba, 2nd edition.
> > I might be able to send you a copy of that, and see if the directions work
> > for you. Hopefully, you can also provide some pre-publication user
> > feedback. Email me privately if you'd like to do this.
> Would be interested in your directions if I may pipe in here:)
> Currently working on replacing a server with RH7.3 & Samba 2.6 for our
> NT40 server that houses 200+ shares.
>
<snip>

I'm writing a little doc on how to get Winbind working in a win2k domain on a Debian machine for home directories and company shares (groups and users) using SAMBA 2.2.5, perhaps I could contribute this as well as I've found all the other documents a little patchy.

Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
we have \ setup as our separator and when i type groups ntdomain\jfountain i get no such user. when i type $ groups i get: 50000 - when i am logged in as myself and if i type $ groups jfountain i get: domain admins

It's like something is missing somewhere. I am not getting the entire list of groups - when i run wbinfo -g (no domain in front of them though)

-----Original Message-----
From: Gareth Davies [mailto:gdavies@willowbrook.co.uk]
Sent: Tuesday, October 29, 2002 10:29 AM
To: Jennifer Fountain; samba@lists.samba.org
Subject: Re: [Samba] Winbind!

What about if you do groups?

    debmac:~# groups WILLOWBROOK+gdavies
    WILLOWBROOK+gdavies : WILLOWBROOK+Domain Users WILLOWBROOK+Domain Admins WILLOWBROOK+BackOffice Internet Users WILLOWBROOK+IT

This is what I get.

Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.

----- Original Message -----
From: "Jennifer Fountain" <JFountain@rbinc.com>
To: <samba@lists.samba.org>
Sent: Tuesday, October 29, 2002 2:44 PM
Subject: RE: [Samba] Winbind!
Thanks for the info!

-----Original Message-----
From: dj@4ict.com [mailto:dj@4ict.com]
Sent: Tuesday, October 29, 2002 11:35 AM
To: Jennifer Fountain
Cc: 'Gareth Davies'; samba@lists.samba.org
Subject: RE: [Samba] Winbind!

On Tue, 29 Oct 2002, Jennifer Fountain wrote:
> we have \ setup as our separator and when i type groups ntdomain\jfountain i
> get no such user. when i type $ groups i get:
> 50000 - when i am logged in as myself and if i type $ groups jfountain i
> get:
> domain admins
>
> It's like something is missing somewhere. I am not getting the entire list
> of groups - when i run wbinfo -g (no domain in front of them though)

Hi Jennifer,

Some input from my side: if you use \ as separator then you have to escape the \ since this is the normal shell escape character.

If you would enter "groups ntdomain\jfountain" then this would be interpreted as "groups ntdomainjfountain" by the shell.

You should enter "groups ntdomain\\jfountain", this would be interpreted as "groups ntdomain\jfountain" by the shell.

Kind regards,
Tim Verhoeven

--
Tim Verhoeven                 Linux & Open Source Specialist
GSM   : 0496 / 693 453        + e-business solutions
Email : dj@4ict.com           + consulting
URL   : www.sin.khk.be/~dj/   + Server consolidation
On Mon, 28 Oct 2002, Jennifer Crusade wrote:
> winbind use default domain = yes

Do not use this parameter.

cheers, jerry

---------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
"I never saved anything for the swim back." Ethan Hawk in Gattaca
Why not? It does not affect whether or not my NT user gets matched to a UNIX UID and GID (username.map does that part for me), but for files created by users with no corresponding UNIX account, it makes the domain username show up on an "ls -l" minus the domain prefix so I can see who owns the file, otherwise, ls -l shows a truncated version of DOMAINNAMEseparatorUSERNAME, and I can't tell who owns anything ...

What is the purpose of the parameter, and why is it a bad idea to use it?

Thanks,
Karen Wieprecht

From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> winbind use default domain = yes

Do not use this parameter.
How do you get the GID numbers to resolve to the domain names? i am having an issue - when I type groups jfountain, i get all numbers. I need them to be names.

-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu]
Sent: Thursday, October 31, 2002 12:39 PM
To: 'Gerald (Jerry) Carter'; 'Jennifer Crusade'
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind!
In nsswitch.conf, check your group line. It should have winbind in it, something like this:

    group: files winbind nisplus nis

In this case, when the system needs to look up a group name it'll check the /etc/groups file first, then winbind, then nisplus, then nis. If it still can't find it it'll represent it numerically.

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain@rbinc.com]
Sent: Thursday, October 31, 2002 2:02 PM
To: 'Wieprecht, Karen M.'
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind!
Ok I made sure that it reads files, winbind. now i only get the number of domain admins when i type groups and when i type groups jfountain, i get domain admins. but i am a member of 10 groups :(

-----Original Message-----
From: David Brodbeck [mailto:DavidB@mail.interclean.com]
Sent: Thursday, October 31, 2002 2:16 PM
To: 'Jennifer Fountain'; 'Wieprecht, Karen M.'
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind!
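
The nsswitch.conf check suggested in the thread, as an added shell example that is not part of any message above: it reports whether winbind is listed as a source for the passwd and group databases, and goes one step past the thread by flagging a `[NOTFOUND=return]` action placed ahead of winbind. The function names and the sample file are assumptions constructed for illustration.

```sh
# Added example, not from the thread. Function names are hypothetical.
# nss_winbind_status FILE DB prints one of:
#   ok            winbind is listed as a source for DB
#   after-return  winbind follows a [NOTFOUND=return] action, so it is only
#                 consulted when the source before the action fails to answer
#   missing       winbind is not listed, or FILE has no line for DB
nss_winbind_status() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                     # strip comments
        $1 == db {
            seen = 1; gated = 0; inact = 0; state = "missing"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) inact = 1      # start of [STATUS=ACTION ...]
                if (inact) {
                    if (toupper($i) ~ /^\[?NOTFOUND=RETURN/) gated = 1
                    if ($i ~ /\]$/) inact = 0  # end of the action list
                    continue
                }
                if ($i == "winbind") {
                    state = gated ? "after-return" : "ok"
                    break
                }
            }
            print state; exit
        }
        END { if (!seen) print "missing" }' "$1"
}

# check_nss FILE prints a line for passwd and for group, and returns
# non-zero unless both are "ok".
check_nss() {
    rc=0
    for db in passwd group; do
        st=$(nss_winbind_status "$1" "$db")
        echo "$db: $st"
        [ "$st" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample file (on a real host, pass /etc/nsswitch.conf instead)
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: files winbind
group:  files nis [NOTFOUND=return] winbind   # winbind rarely reached
EOF
check_nss "$sample" || echo "winbind is not a reliable source for every database"
rm -f "$sample"
```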