Using winbind for authentication through PDC.

Problem: Some users do not get access to the samba share and some do. When I do "wbinfo -u" the users who cannot access show up but when I do "getent passwd", they are not there. What does this mean?

--
Bob Wooldridge
EDM Incorporated
http://www.edm-inc.com
314 335-6911
On Mon, 25 Aug 2003, Robert A Wooldridge wrote:
> Using winbind for authentication through PDC.
>
> Problem: Some users do not get access to the samba share and some do.
> When I do "wbinfo -u" the users who cannot access show up but when I do
> "getent passwd", they are not there. What does this mean?

It means that you likely do not have in your /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

- John T.
--
John H Terpstra
Email: jht@samba.org
>> Using winbind for authentication through PDC.
>>
>> Problem: Some users do not get access to the samba share and some do.
>> When I do "wbinfo -u" the users who cannot access show up but when I do
>> "getent passwd", they are not there. What does this mean?
>
> It means that you likely do not have in your /etc/nsswitch.conf:
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind

Does one really need the "shadow: files winbind"? From the Samba HOWTO, it states only passwd and group need winbind.

Also, might you have any more info on why getent does not display the users from the AD domain?

Mailed Lee
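The symptom in this thread (a user appears in "wbinfo -u" but not in "getent passwd") is a gap between winbind and the NSS layer. The following POSIX sh script is an added example, not something posted in the thread: it diffs a wbinfo user list against a getent passwd list to name the users NSS cannot resolve, and checks which of the passwd and group databases in nsswitch.conf lack winbind (the two databases both posts above agree on). The three inputs are constructed samples embedded in the script; the comments show how to feed it real output on a host.

```sh
#!/bin/sh
# Added example (not from the thread): locate the winbind <-> NSS gap.

# Constructed sample of "wbinfo -u" output. On a real host:
#   missing_from_nss "$(wbinfo -u)" "$(getent passwd)"
WBINFO_SAMPLE='EXAMPLE\alice
EXAMPLE\bob
EXAMPLE\carol'

# Constructed sample of "getent passwd" output: bob is missing from NSS.
GETENT_SAMPLE='root:x:0:0:root:/root:/bin/bash
EXAMPLE\alice:x:10000:10000::/home/EXAMPLE/alice:/bin/false
EXAMPLE\carol:x:10002:10000::/home/EXAMPLE/carol:/bin/false'

# Constructed nsswitch.conf whose group line lacks winbind. On a real host:
#   nsswitch_missing_winbind "$(cat /etc/nsswitch.conf)"
NSSWITCH_SAMPLE='passwd: files winbind
shadow: files
group:  files'

# Print every user named in the wbinfo list ($1) that has no passwd entry
# in the getent list ($2). Usernames may contain the winbind separator
# (a backslash by default), so only fixed-string, whole-line matching is used.
missing_from_nss() {
    names=$(printf '%s\n' "$2" | cut -d: -f1)
    printf '%s\n' "$1" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$names" | grep -Fqx -- "$u" || printf '%s\n' "$u"
    done
}

# Print each of the passwd and group databases in an nsswitch.conf ($1)
# whose line does not list winbind as a source.
nsswitch_missing_winbind() {
    for db in passwd group; do
        printf '%s\n' "$1" | grep -E "^[[:space:]]*$db:" \
            | grep -Eq '[[:space:]]winbind([[:space:]]|$)' \
            || printf '%s\n' "$db"
    done
}

echo "Users known to winbind but not resolvable through NSS:"
missing_from_nss "$WBINFO_SAMPLE" "$GETENT_SAMPLE"
echo "nsswitch.conf databases without winbind:"
nsswitch_missing_winbind "$NSSWITCH_SAMPLE"
```

With the samples above the first function reports EXAMPLE\bob and the second reports group. A non-empty first list with an empty second list points past nsswitch.conf itself, towards the libnss_winbind library or the winbindd daemon, which is the direction the later replies in this thread take.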
Samba 2.2.8a
RedHat Linux 8.0
ESP Print Pro 4.4
Every time I add a printer to cups, SAMBA does not see it till I restart the
SAMBA daemon. I can give it an infinite amount of time and samba will not
see the newly added printers in cups till I restart the daemon. This can be
verified when I add a printer, then go into rpcclient server and run
enumprinters. Before the restart I do not see the printers; after the
restart I do.
Here is my smb.conf
[global]
workgroup = STEDS
netbios name = EDSHARE
server string = Steds File Share
interfaces = 209.99.108.82 127.0.0.1
bind interfaces only = Yes
encrypt passwords = Yes
log level = 2
time server = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 527 -c Machine -s /bin/false -M %u
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
ldap server = ldap1.stedwards.edu
ldap port = 9111
ldap suffix = dc=stedwards,dc=edu
ldap admin dn = cn=Manager,dc=stedwards,dc=edu
ldap ssl = no
invalid users = bin daemon sys man postfix mail ftp
admin users = root coreyh
load printers = yes
printing = cups
printcap name = cups
log file = /usr/local/samba/install/var/log/log.%U
logon script = scripts\%U.bat
logon drive = S:
logon home = \\%N\%U
[netlogon]
Comment = Netlogon Shares
path = /usr/local/samba/install/lib/netlogon
browseable = No
guest ok = no
writable = no
write list = admin
locking = no
; call the shell script (make_logon_script) with parameters :
; %m (machine netbios name) %U (user) %a (architecture) %g (group) %L (server)
; perhaps you prefer : %u, %G, ...
; quote in case of spaces
root preexec = /usr/local/samba/install/bin/make_logon_script '%m' '%U' '%a' '%g' '%L'
[homes]
read only = No
browseable = No
create mask = 0770
directory mask = 0770
[profiles]
path = /usr/local/samba/install/lib/profiles
read only = No
create mask = 0700
directory mask = 0700
browseable = No
writeable = no
guest ok = no
[printers]
comment = All Printers
path = /var/spool/samba
browsable = No
public = Yes
guest ok = Yes
writeable = No
printable = Yes
printer admin = root, coreyh, davidjf, georges, garrodh, mattv, rays
[print$]
comment = Printer Drivers
path = /usr/local/drivers
browsable = yes
guest ok = no
read only = yes
write list = root, coreyh
--
Corey Hart
Systems/Security Analyst
St. Edward's University
coreyh@admin.stedwards.edu
512/428-1038 - voice
512/448-8492 - fax
512/470-8462 - cell
Robert A Wooldridge wrote:
> I have tried both ways for groups. With files winbinded and without.
>
> It makes no difference to this problem.
>

Myself ... having problems with winbind and can't seem to work them out ...

> I don't understand the 2nd question you have here.
>

Well, running getent passwd should list all local users and remote users, as in users from AD domain, but I can't get my test system to list users from AD.

>>>> Using winbind for authentication through PDC.
>>>>
>>>> Problem: Some users do not get access to the samba share and some do.
>>>> When I do "wbinfo -u" the users who cannot access show up but when I do
>>>> "getent passwd", they are not there. What does this mean?
>>>>
>>>>
>>> It means that you likely do not have in your /etc/nsswitch.conf:
>>>
>>> passwd: files winbind
>>> shadow: files winbind
>>> group: files winbind
>>>
>>>
>> Does one really need the "shadow: files winbind"? From the Samba HOWTO, it states only passwd and group need winbind.
>>
>> Also, you might not have any more info for why getent does not displace the users from AD domain?
>>
Brian C Otto wrote:
> Make sure that libnss_winbind.so and libnss_winbind.so.2 (in /lib) are
> the versions built in the nsswitch directory of the samba build, and
> that you've run ldconfig -V to link them properly.
>

I have. I used both the RedHat RawHide src.rpm and Samba's makerpm.sh to create the binaries that I install.

> w/o those files (one is a link to the other) it won't work right. Also,
> /etc/nsswitch.conf needs to be setup, obviously. There may be a few
> other steps to get getent working I'll try and remember them all.
>

I believe I have set up the nsswitch.conf file correctly. The funny thing is that I am able to see files owned by an AD user if I have done wbinfo -S <SID>. But I can't chown; it tells me invalid user.

Mailed Lee
Brian C Otto wrote:
> I've had it in that situation.
>

So I am not alone ... I want to thank some dite, but think it best not to ...

> it means winbind is querying properly, but that the winbind<->nsswitch/pam
> stuff isn't. Are you using pam?
>

That seems to be the problem ... put pam stuff in with no difference ... I have an LDAP system running, which I am using as a bench, so I know that my system is working, and the LDAP stuff is fine ...

> and 'net ads join' is working properly?
>

Perfect, wbinfo -t reports fine too ...

> any winbind errors in the logfile? Or login unknown errors in
> /var/log/messages? How about 'kinit'?
>

All the winbind.log says is that it can't find "root", which is the user I am logged in as ...

Nothing in messages, and kinit -V auth reports fine too.

> Just some ideas. I'm not sure if pam entries are necessary for a 'getent
> passwd'
>

Thanks, at least I am getting some ideas, but I have tried these at least.

Mailed Lee
Brian C Otto wrote:
> Hmm. you're doing a 'net ads join -U administrator' ?
>

Actually, I do ...

[root@dctest-01 root]# kinit -V Administrator@REALM.CORP
Password for Administrator@REALM.CORP:
Authenticated to Kerberos v5

then

[root@dctest-01 root]# net ads join -U Administrator
Administrator password:
[2003/08/28 15:05:07, 0] libads/ldap.c:ads_join_realm(1305)
Host account for dctest-01 already exists - deleting old account
Joined 'DCTEST-01' to realm 'REALM.CORP'

If I don't use a capital "A" in administrator, Kerberos will not authenticate.

> check to make sure that the /lib/security/pam_winbind.so is
> up-to-the-samba-rpm date.
>

[root@dctest-01 root]# rpm -qf /lib/security/pam_winbind.so
samba-common-3.0.0rc1-1lnx2

Which I believe is correct.

> I didn't use the rpm's ( I needed ACL support, so had to use SuSE, and compile
> it myself) so most of my problems were due to the versions of kerberos I tried
> to use, and whether or not it had LDAP support built in.
>

I have built my own rpms from the src.rpm, seeing that I need a few changes of my own ... but I use rpms, because I have a better idea of the same binaries between systems.

Mailed Lee
Brian C Otto wrote:
> Damn. Sounds like all the ducks are in order.
>

That's what I thought ...

> hmm. I'll try and remember any more 'gotcha's' I might have encountered.
>

Thanks, if you do, you have my e-mail ...

> Sorry I've not been much help.
>

I disagree, you have at least put me at rest. I think less that it is my system, and maybe something else, but I don't seem to be able to get any solid advice or direction.

Thanks again

Mailed Lee