I've seen this posting before but I need to get a grasp on this. I am using winbindd for users that don't have a local account on a Linux box. I thought that placing the entries below in the smb.conf would create users in ou=Idmap. Instead the ou=Idmap increments the uidNumber with every user that is added, but the user ID mappings are stored in /usr/local/var/locks/winbindd_idmap.tdb. What entry in smb.conf will change this? These are the applicable portions of smb.conf.

    ldap suffix = dc=tow,dc=net
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap admin dn = cn=admin,dc=tow,dc=net
    ldap ssl = no
    idmap backend = ldap:ldap://127.0.0.1
    ldap idmap suffix = ou=Idmap
    winbind separator = +
    idmap uid = 40000-50000
    idmap gid = 40000-50000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /accounts/default/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    winbind cache time = 15
    obey pam restrictions = yes

So I use wbinfo -c <username>. This returns a RID number. User can now login or use smbclient -L localhost -U <username> <password> and get available shares on this BDC. In the LDAP directory it is incremented by 1, but there are no entries.

How do I move the entries that are stored in /usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory?

What I've omitted in all this is that pam and pam_winbind are set up correctly, which I believe they are.

--
Kent
nasve525@regis.edu
kent@wareham.k12.ma.us

Tips:---------------------------------------------->
"OpenOffice.org ... Stops Word macro viruses DEAD!"
"Postgresql.org ... Don't 'kill -9' the postmaster"
"Technology is legislation - C. Einfeldt on OO.o discuss list"
Kent,

Did you create the container for the ou=Idmap in your LDAP database? The IDMAP entries are automatically added to LDAP - IF the container exists, and so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container and not in the Computers container. Samba does not at this time search the Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP container:

    slapcat | grep -i IDMAP

If nothing is returned, execute this:

    ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
    dn: ou=Idmap,dc=tow,dc=net
    objectClass: organizationalunit
    ou: idmap
    EOR

Now you must stop samba, delete the winbind*tdb files, restart samba, run:

    wbinfo -u

And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.

On Sat, 3 Jan 2004, Kent L. Nasveschuk wrote:
> How do I move the entries that are stored in
> /usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory?

--
John H Terpstra
Email: jht@samba.org
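The check John describes (does the idmap container exist, and if not, create it) depends on naming the right DN: winbindd builds it from "ldap idmap suffix" prepended to "ldap suffix", and the LDIF fed to ldapadd has to name exactly that entry, under a directory the bind DN can reach. As an added example that is not from this thread and not Samba project code, the POSIX sh script below reads those settings out of an smb.conf, reports an idmap backend that is not LDAP (the case where mappings stay in winbindd_idmap.tdb), an admin DN outside the suffix and malformed idmap ranges, prints the ldapsearch that shows whether the container exists, and emits the LDIF that creates it. The sample smb.conf is constructed from Kent's settings; the emitted LDIF carries only objectClass and ou, since structuralObjectClass is maintained by the server. Only sh and awk are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the idmap container DN from
# smb.conf, check the LDAP/idmap settings, and emit the LDIF that creates it.

# smb_param FILE NAME: print the value of "NAME = value" (names are matched
# case-insensitively, comment lines are skipped, the last occurrence wins).
smb_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) found = val
        }
        END { if (found != "") print found }' "$1"
}

# idmap_base_dn FILE: "ldap idmap suffix" is a partial DN that Samba prepends
# to "ldap suffix", so Kent's settings give ou=Idmap,dc=tow,dc=net.
idmap_base_dn() {
    suffix=$(smb_param "$1" "ldap suffix")
    part=$(smb_param "$1" "ldap idmap suffix")
    if [ -z "$suffix" ] || [ -z "$part" ]; then
        echo "ldap suffix and ldap idmap suffix must both be set" >&2
        return 1
    fi
    printf '%s,%s\n' "$part" "$suffix"
}

# idmap_container_ldif FILE: LDIF for the container, derived from smb.conf so
# the dn cannot disagree with the suffix the admin DN actually lives under.
idmap_container_ldif() {
    dn=$(idmap_base_dn "$1") || return 1
    rdn=${dn%%,*}
    case "$rdn" in
        ou=*) ;;
        *) echo "ldap idmap suffix must be an ou= RDN, got '$rdn'" >&2; return 1 ;;
    esac
    printf 'dn: %s\nobjectClass: organizationalUnit\nou: %s\n' "$dn" "${rdn#ou=}"
}

# check_ldap_idmap FILE: 0 when the settings can put mappings in LDAP at all,
# 1 otherwise, with each problem reported on stderr.
check_ldap_idmap() {
    f=$1; bad=0
    backend=$(smb_param "$f" "idmap backend")
    case "$backend" in
        ldap:*) ;;
        *) echo "idmap backend='$backend': mappings stay in winbindd_idmap.tdb" >&2; bad=1 ;;
    esac
    suffix=$(smb_param "$f" "ldap suffix")
    admin=$(smb_param "$f" "ldap admin dn")
    case "$admin" in
        *",$suffix") ;;
        *) echo "ldap admin dn '$admin' is not under ldap suffix '$suffix'" >&2; bad=1 ;;
    esac
    for p in "idmap uid" "idmap gid"; do
        r=$(smb_param "$f" "$p")
        lo=${r%-*}; hi=${r#*-}
        if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" = "$r" ] \
           || ! [ "$lo" -lt "$hi" ] 2>/dev/null; then
            echo "$p must be LOW-HIGH with LOW below HIGH, got '$r'" >&2; bad=1
        fi
    done
    return $bad
}

# verify_command FILE: the ldapsearch that shows whether the container exists;
# a base-scope search that returns nothing means it still has to be created.
verify_command() {
    dn=$(idmap_base_dn "$1") || return 1
    uri=$(smb_param "$1" "idmap backend"); uri=${uri#ldap:}
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' -s base '(objectClass=*)' dn\n" \
        "$uri" "$(smb_param "$1" "ldap admin dn")" "$dn"
}

# Constructed sample: the LDAP/idmap lines from Kent's smb.conf.
SAMPLE=${TMPDIR:-/tmp}/smb.conf.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[global]
   ldap suffix = dc=tow,dc=net
   ldap admin dn = cn=admin,dc=tow,dc=net
   ldap ssl = no
   idmap backend = ldap:ldap://127.0.0.1
   ldap idmap suffix = ou=Idmap
   idmap uid = 40000-50000
   idmap gid = 40000-50000
EOF

if check_ldap_idmap "$SAMPLE"; then
    echo "# 1. does the container exist? (no entry returned = create it)"
    verify_command "$SAMPLE"
    echo "# 2. LDIF for ldapadd if it does not:"
    idmap_container_ldif "$SAMPLE"
fi
```

verify_command uses -W so ldapsearch prompts for the admin password instead of taking it with -w on the command line, where it would be visible in ps output and the shell history. An empty result from the printed search is the missing-container case John describes; the LDIF is what to pipe into ldapadd before stopping samba, removing the winbind tdb files and restarting, as in his steps.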
Hi John/List,

I'm attempting this (idmap in LDAP) with Samba 3.0.1 and Sun DS 5.2 but without any success. I've tried what John T has suggested below but my idmap OU is still empty (adapted LDAP commands for Sun DS). I cannot see any errors in either Samba or Sun DS logs, does anyone have any troubleshooting tips to help work out why this isn't working?

many thanks Andy.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org] On Behalf Of John H Terpstra
Posted At: 03 January 2004 23:54
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?

> Did you create the container for the ou=Idmap in your LDAP database? The
> IDMAP entries are automatically added to LDAP - IF the container exists,
> and so long as Samba can access that database.
>
> Execute the following to find out if your LDAP database has an IDMAP
> container:
>     slapcat | grep -i IDMAP
>
> Now you must stop samba, delete the winbind*tdb files, restart samba, run:
>     wbinfo -u
> And that should automatically populate your LDAP IDMAP database.

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
Hi Sapan/All,

ok this is all in my test/dev environment. I have a Sun Sparc workstation running Solaris 9 and an Intel server running Windows 2000 server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1 installed and is successfully joined to the AD domain, I can authenticate via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is centralising the IDMAP mappings across our theoretical Samba server infrastructure.

On the same sparc system I also have SunONE DS 5.2 installed, this has the schema for Samba 3.0.1 successfully loaded. I have created the idmap OU in the directory and I have configured my smb.conf to use LDAP for idmap data, file attached. And I have set the LDAP admin account password with "smbpasswd -w". I have also disabled nscd from starting up & installed patch 113476-05 which is required for Solaris 9. I can also see winbindd establishing a connection to Sun LDAP in its access log.

As I was writing this mail I have noticed that a getent for users and groups is not displaying any AD users/groups but is exiting with a status 0, this is despite the fact that wbinfo is correctly displaying all my AD users/groups!? I can see from a snoop and truss run on the getent that it is making LDAP calls to the AD DC but it's not returning anything!?! I have had this running on a Solaris 8 system in my test environment successfully and can't think of anything I've done differently.

If anyone can help I'd greatly appreciate it,

many thanks Andy.

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
Posted At: 07 January 2004 16:44
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?

Andy,

Tell us a bit more, I'm doing a similar thing I think. I'm not using Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging into my Solaris 9.0 machine running winbind, with my NT username and password which creates an idmap in the openldap database on the Redhat box....well, that's what it is supposed to do anyway...it works fine on Redhat, Solaris is proving to be a little more tricky.

Is this what you are doing?

-----Original Message-----
From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
Sent: 07 January 2004 14:23
To: samba@lists.samba.org
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
I'm doing the same thing but with NT4 so I'm not using active directory. The only thing you haven't mentioned that I can think of is nsswitch.conf, you should have -

    passwd: files winbind
    group:  files winbind

Getent works for me, I'm stuck with getting log ons to the Solaris machine with NT usernames to work. They seem to have changed something in Solaris 9, even Sun hasn't been able to help me!

-----Original Message-----
From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
Sent: 08 January 2004 13:45
To: Ganguly, Sapan ; samba@lists.samba.org
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
Hi Sapan/All,

yes I have already correctly configured my nsswitch.conf and it is not working for getent?! Anyone fancy giving me a clue?

cheers Andy.

PS I agree Sun seem to have changed a few things in Solaris 9 which are catching out third party software developers and end users alike.

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
Posted At: 08 January 2004 14:25
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
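Sapan's nsswitch.conf lines and Andy's report that getent still prints nothing while exiting 0 are the same check seen from two sides: getent only asks winbind when the passwd and group databases list it as a source, and an empty enumeration with a clean exit status is exactly what a database that stops at "files" produces. As an added example that is not from this thread, the POSIX sh script below parses an nsswitch.conf (ignoring comments and Solaris-style [action] tokens such as [NOTFOUND=return]), reports which sources each database uses, and fails when winbind is missing from passwd or group. The sample file is constructed; only sh and awk are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that nsswitch.conf hands
# passwd and group lookups to winbind, which getent needs to list domain users.

# nss_sources FILE DB: print the sources listed for database DB, e.g.
# "files winbind", with comments and [action] tokens removed.
nss_sources() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/#.*/, "", line)
            if (index(line, ":") == 0) next
            name = line; sub(/:.*/, "", name); gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = line; sub(/^[^:]*:/, "", rest)
            gsub(/\[[^]]*\]/, "", rest)
            gsub(/^[ \t]+|[ \t]+$/, "", rest); gsub(/[ \t]+/, " ", rest)
            print rest
        }' "$1"
}

# nss_uses_winbind FILE DB: 0 if "winbind" is among the sources, else 1.
nss_uses_winbind() {
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = "winbind" ] && return 0
    done
    return 1
}

# check_nsswitch FILE: report on passwd and group; 0 only if both use winbind.
check_nsswitch() {
    bad=0
    for db in passwd group; do
        if nss_uses_winbind "$1" "$db"; then
            echo "$db: ok ($(nss_sources "$1" "$db"))"
        else
            echo "$db: winbind missing; expected '$db: files winbind'" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: passwd is right, group still consults only local files,
# so "getent group" would list nothing from the domain and still exit 0.
SAMPLE=${TMPDIR:-/tmp}/nsswitch.conf.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed nsswitch.conf
passwd: files winbind
group:  files
hosts:  files dns
EOF

check_nsswitch "$SAMPLE" || echo "fix nsswitch.conf, then retry getent passwd / getent group"
```

A passing check only proves the file is right. When getent still returns nothing, the next things to confirm are that winbindd answers (wbinfo -p), that the winbind NSS module is installed where the C library looks for it (the Samba HOWTO for Solaris copies it to /usr/lib/nss_winbind.so.1), and that "winbind enum users" and "winbind enum groups" are yes in smb.conf, since enumeration is what getent with no key relies on.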
Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main HOWTO collection that comes with Samba 3.0, the only difference is that I used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson. I haven't managed to get hold of him, he says he has made it work on Solaris 9. I also want to get pam_mkhomedir to work but I have to get past this bit first.

From his email signature it looks like he works for Sun in Sweden but even the Sun helpdesk in the UK hasn't been able to get hold of him yet.

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: 08 January 2004 15:54
To: Ganguly, Sapan
Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?

On Thu, 8 Jan 2004, Ganguly, Sapan wrote:

> I'm doing the same thing but with NT4 so I'm not using active
> directory. The only thing you haven't mentioned that I can think of is
> nsswitch.conf, you should have -
>
>     passwd: files winbind
>     group:  files winbind
>
> Getent works for me, I'm stuck with getting log ons to the Solaris
> machine with NT usernames to work.

If you want to log onto the Sun machine using Windows networking credentials you must configure PAM to support the use of pam_winbind.so. Have you done that?

- John T.

> They seem to have changed something in Solaris 9, even Sun hasn't been
> able to help me!

--
John H Terpstra
Email: jht@samba.org
John,

Wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups. Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I built.

    [global]
    # LDAP stuff for the idmap backend
    ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
    ldap suffix = dc=uk,dc=trt,dc=thales
    ldap idmap suffix = ou=idmap

    # Winbind stuff
    winbind separator = -
    idmap uid = 10000-20000
    winbind uid = 10000-20000
    idmap gid = 10000-20000
    winbind gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    #template homedir = /home/%D/%U
    #template homedir = /home/%U
    template homedir = /mnt/spare/%U
    template shell = /bin/bash
    idmap backend = ldap:ldap://lnxs001

    # workgroup = NT-Domain-Name or Workgroup-Name
    workgroup = DOMAIN

    # server string is the equivalent of the NT Description field
    server string = SUN001

    # if you want to automatically load your printer list rather
    # than setting them up individually then you'll need this
    printcap name = /etc/printcap
    load printers = yes

    # this tells Samba to use a separate log file for each machine
    # that connects
    log file = /var/log/samba/log.%m

    # Put a capping on the size of the log files (in Kb).
    max log size = 50

    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
    security = user

    # Use password server option only with security = server
    ; password server = <NT-Server-Name>

    # Most people will find that this option gives better performance.
    # See speed.txt and the manual pages for details
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    # Browser Control Options:
    # set local master to no if you don't want Samba to become a master
    # browser on your network. Otherwise the normal election rules apply
    local master = no

    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    wins server = 192.168.224.25

    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
    # this has been changed in version 1.9.18 to no.
    dns proxy = no

Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: 08 January 2004 16:58
To: Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?

Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and NSS functionality. Logons using domain users worked well. As I do not have a Sun box it is a little difficult for me to help you directly.

What output do you get from:

    wbinfo -u
    wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

--
John H Terpstra
Email: jht@samba.org
John,

Any ideas? When I try to log in it seems to get past the PAM stuff but
then it just sits there, I don't get a prompt. I've enabled debug on all
the modules in pam.conf, should I post the log files?

Sapan

-----Original Message-----
From: Ganguly, Sapan
Sent: 08 January 2004 17:39
To: 'John H Terpstra'; Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


John,

Wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0
machine I built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = DOMAIN

# server string is the equivalent of the NT Description field
server string = SUN001

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
; password server = <NT-Server-Name>

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.224.25

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no



Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: 08 January 2004 16:58
To: Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM
and NSS functionality. Logons using domain users worked well. As I do
not have a Sun box it is a little difficult for me to help you
directly.

What output do you get from:
wbinfo -u
wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan wrote:

> Yep, I've done that, I basically followed the Solaris 9 HOWTO from the
> main HOWTO collection that comes with Samba 3.0, the only difference
> is that I used an /etc/pam.conf for Solaris 9 posted on the list by
> Patrik Gustavsson. I haven't managed to get hold of him, he says he
> has made it work on Solaris 9. I also want to get pam_mkhomedir to
> work but I have to get past this bit first. From his email signature
> it looks like he works for Sun in Sweden but even the Sun helpdesk in
> the UK hasn't been able to get hold of him yet.
John,

OK, I took out the "winbind uid" and "winbind gid" lines. Here is what I
have in /lib, how do I know which is the appropriate version name? I've
tried these ones.

-rwxr-xr-x   1 root     other     751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:19 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:21 nss_winbind.so.2 -> libnss_winbind.so

I've done everything else too but my login still hangs at the
"password:" prompt after I have typed the password in. Although when I
did a 'getent group' it did pause for a few seconds several times during
the listing, that may just be because we have a lot of NT groups.
'getent passwd' worked fine and listed all the unix users as well as all
the NT users in a split second. My /etc/nsswitch.conf is configured and
I have done the 'smbpasswd -w' command to put my LDAP password into
secrets.tdb.

Here is what I get in my pamlog, as you can see, it does say "access
granted" on the last line. I think the first line is me killing the
telnet session of a previous attempt.

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be? According to
this log access is granted right? So why does it just sit there at
"password:"?

Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: 13 January 2004 16:39
To: Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan wrote:

> John,
>
> Any ideas? When I try to log in it seems to get past the PAM stuff
> but then it just sits there, I don't get a prompt. I've enabled debug
> on all the modules in pam.conf, should I post the log files?

You should get rid of the "winbind uid" and "winbind gid" parameters as
they have been superseded by "idmap uid" and "idmap gid".

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to
the appropriate version name?
Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind

Do you obtain correct domain account information from:

getent passwd
and
getent group

You will need to install the LDAP admin password into your Samba
secrets.tdb file. The command that does that is:

smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to
be populated via winbind.

I hope this helps.

Cheers,
John T.
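An added example, not code from the thread or from the Samba project: a small POSIX shell lint that applies the checks John T. gives in the reply quoted above (obsolete "winbind uid"/"winbind gid", the idmap-in-LDAP parameters, passwd and group routed through winbind in nsswitch.conf) and composes the DN of the idmap container his earlier ldapadd creates from "ldap suffix" and "ldap idmap suffix". The file names, DNs, hostnames and sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: lint an smb.conf and an
# nsswitch.conf for the idmap-in-LDAP prerequisites discussed above.
# All file names, DNs and hostnames below are constructed for the demo.

# Print the value of one smb.conf parameter. Comment lines (# or ;) are
# dropped and the name is matched ignoring case and whitespace, as smbd does.
smb_param() {  # usage: smb_param FILE "parameter name"
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$1" |
    awk -F= -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[[:space:]]/, "", want) }
        NF >= 2 {
            name = tolower($1); gsub(/[[:space:]]/, "", name)
            if (name == want) { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
        }'
}

# DN of the container winbind writes into: "ldap idmap suffix" is relative to
# "ldap suffix", so the ldapadd that creates the OU must use the combined DN
# (the ldapadd quoted in the thread used a different base than its smb.conf).
idmap_container_dn() {  # usage: idmap_container_dn SMB_CONF
    printf '%s,%s\n' "$(smb_param "$1" "ldap idmap suffix")" \
                     "$(smb_param "$1" "ldap suffix")"
}

# Print one line per problem; return 1 if any were found, 0 otherwise.
check_winbind_config() {  # usage: check_winbind_config SMB_CONF NSSWITCH_CONF
    smb=$1 nss=$2 bad=0

    # "winbind uid"/"winbind gid" were superseded by "idmap uid"/"idmap gid".
    for p in "winbind uid" "winbind gid"; do
        if [ -n "$(smb_param "$smb" "$p")" ]; then
            echo "smb.conf: obsolete '$p' (use idmap uid / idmap gid)"; bad=1
        fi
    done
    for p in "idmap uid" "idmap gid"; do
        if [ -z "$(smb_param "$smb" "$p")" ]; then
            echo "smb.conf: '$p' range is not set"; bad=1
        fi
    done

    # Mappings only reach LDAP with an ldap: backend URL, the two suffixes and
    # an admin DN whose password has been stored with 'smbpasswd -w'.
    case "$(smb_param "$smb" "idmap backend")" in
        ldap:*) ;;
        *) echo "smb.conf: idmap backend is not an ldap: URL"; bad=1 ;;
    esac
    for p in "ldap suffix" "ldap idmap suffix" "ldap admin dn"; do
        if [ -z "$(smb_param "$smb" "$p")" ]; then
            echo "smb.conf: '$p' is not set"; bad=1
        fi
    done

    # NSS is what lets winbind resolve, and therefore allocate, IDs: both
    # passwd and group must list winbind as a source (keys are lower case).
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$nss"; then
            echo "nsswitch.conf: '$db' does not consult winbind"; bad=1
        fi
    done
    return "$bad"
}

# Number of problems reported for a pair of files (0 means they pass).
count_winbind_problems() {
    check_winbind_config "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample inputs, modelled on the smb.conf posted in the thread:
# LDAP idmap configured, but the obsolete winbind uid/gid lines still present.
WORK=$(mktemp -d)
cat > "$WORK/smb.conf.old" <<'EOF'
[global]
   # LDAP stuff for the idmap backend
   ldap admin dn = cn=root,dc=example,dc=test
   ldap suffix = dc=example,dc=test
   ldap idmap suffix = ou=idmap
   winbind separator = -
   idmap uid = 10000-20000
   winbind uid = 10000-20000
   idmap gid = 10000-20000
   winbind gid = 10000-20000
   idmap backend = ldap:ldap://ldap.example.test
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
EOF
# The same file with the two obsolete parameters removed.
grep -v '^ *winbind [ug]id' "$WORK/smb.conf.old" > "$WORK/smb.conf.fixed"

# nsswitch.conf before and after routing passwd and group through winbind.
printf 'passwd: files\ngroup:  files\nhosts:  files dns\n' > "$WORK/nsswitch.conf.old"
printf 'passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n' \
    > "$WORK/nsswitch.conf.fixed"

echo "idmap container: $(idmap_container_dn "$WORK/smb.conf.old")"
echo "== before =="
check_winbind_config "$WORK/smb.conf.old" "$WORK/nsswitch.conf.old" || true
echo "== after =="
check_winbind_config "$WORK/smb.conf.fixed" "$WORK/nsswitch.conf.fixed" && echo "no problems found"
```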
If you're interested, Sun has told me that there is some kind of bug
with the way nsswitch.conf is dealt with in Solaris 9 but since
nsswitch.conf is not a public interface...blah blah blah they are still
deciding whether they should deal with it or not. In the meantime I'm
still wondering how anyone else got this to work, this bug can't only be
affecting me?!

Does anyone have a working winbind pam.conf from Solaris 9 that I can
look at?

Thanks,
Sap

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: 13 January 2004 16:39
To: Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan wrote:

> John,
>
> Any ideas? When I try to log in it seems to get past the PAM stuff
> but then it just sits there, I don't get a prompt. I've enabled debug
> on all the modules in pam.conf, should I post the log files?

You should get rid of the "winbind uid" and "winbind gid" parameters as
they have been superseded by "idmap uid" and "idmap gid".

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to
the appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind

Do you obtain correct domain account information from:

getent passwd
and
getent group

You will need to install the LDAP admin password into your Samba
secrets.tdb file. The command that does that is:

smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to
be populated via winbind.

I hope this helps.

Cheers,
John T.

> Sapan
>
> -----Original Message-----
> From: Ganguly, Sapan
> Sent: 08 January 2004 17:39
> To: 'John H Terpstra'; Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
If you have received it in error, please > > > delete it from your system. Do not use, copy or disclose the > > > information in any way nor act in reliance on it and notify the > > > sender immediately. Please note that the BBC monitors e-mails sent > > > or received. Further communication will signify your consent to > > > this. > > > > > > > > >-- John H Terpstra Email: jht@samba.org
John,

What options did you compile samba with on Solaris 9? Maybe that's where I went wrong? I don't suppose you have copies of the pam.conf from when you did it do you?

-----Original Message-----
From: Ganguly, Sapan
Sent: 14 January 2004 13:40
To: 'John H Terpstra'; Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


John,

OK, I took out the "winbind uid" and "winbind gid" lines. Here is what I have in /lib, how do I know which is the appropriate version name? I've tried these ones.

-rwxr-xr-x   1 root     other     751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:19 libnss_winbind.so.2 -> libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 nss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:21 nss_winbind.so.2 -> libnss_winbind.so

I've done everything else too but my login still hangs at the "password:" prompt after I have typed the password in. Although when I did a 'getent group' it did pause for a few seconds several times during the listing, that may just be because we have a lot of NT groups. 'getent passwd' worked fine and listed all the unix users as well as all the NT users in a split second. My /etc/nsswitch.conf is configured and I have done the 'smbpasswd -w' command to put my LDAP password into secrets.tdb.

Here is what I get in my pamlog, as you can see, it does say "access granted" on the last line. I think the first line is me killing the telnet session of a previous attempt.

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug] libpam_winbind:pam_sm_close_session handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user 'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = telnet user = ganguly ruser = not set rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be? According to this log access is granted right? So why does it just sit there at "password:"?

Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: 13 January 2004 16:39
To: Ganguly, Sapan
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan wrote:

> John,
>
> Any ideas? When I try to log in it seems to get past the PAM stuff but then it just sits there, I don't get a prompt. I've enabled debug on all the modules in pam.conf, should I post the log files?

You should get rid of the "winbind uid" and "winbind gid" parameters as they have been superseded by "idmap uid" and "idmap gid".

Did you install the libnss_winbind.so module you built (it's in the ~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the appropriate version name?

Have you modified in /etc/nsswitch.conf the following:
passwd: files winbind
group: files winbind

Do you obtain correct domain account information from:
getent passwd
and
getent group

You will need to install the LDAP admin password into your Samba secrets.tdb file. The command that does that is:
smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity resolution. It is the instrument that will permit the LDAP database to be populated via winbind.

I hope this helps.

Cheers,
John T.

> Sapan
>
> -----Original Message-----
> From: Ganguly, Sapan
> Sent: 08 January 2004 17:39
> To: 'John H Terpstra'; Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> John,
>
> Wbinfo -u lists all my NT users and wbinfo -g lists all my NT groups.
>
> Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I built.
>
> [global]
>
> # LDAP stuff for the idmap backend
>
> ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
> ldap suffix = dc=uk,dc=trt,dc=thales
> ldap idmap suffix = ou=idmap
>
> # Winbind stuff
>
> winbind separator = -
> idmap uid = 10000-20000
> winbind uid = 10000-20000
> idmap gid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #template homedir = /home/%D/%U
> #template homedir = /home/%U
> template homedir = /mnt/spare/%U
> template shell = /bin/bash
> idmap backend = ldap:ldap://lnxs001
>
> # workgroup = NT-Domain-Name or Workgroup-Name
> workgroup = DOMAIN
>
> # server string is the equivalent of the NT Description field
> server string = SUN001
>
> # if you want to automatically load your printer list rather
> # than setting them up individually then you'll need this
> printcap name = /etc/printcap
> load printers = yes
>
> # this tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/log.%m
>
> # Put a capping
> # on the size of the log files (in Kb).
> max log size = 50
>
> # Security mode. Most people will want user level security. See
> # security_level.txt for details.
> security = user
> # Use password server option only with security = server
> ; password server = <NT-Server-Name>
>
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Browser Control Options:
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> local master = no
>
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> wins server = 192.168.224.25
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
> # this has been changed in version 1.9.18 to no.
> dns proxy = no
>
>
> Thanks,
> Sapan
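As an added example (not code from the thread or from the Samba project), a POSIX shell script that automates the checks John T. lists in the replies above: the obsolete "winbind uid/gid" parameters, the idmap/LDAP parameters winbind needs before it will write to the directory, winbind in nsswitch.conf, and the permissions on the secrets.tdb that "smbpasswd -w" stores the LDAP admin password in. The ldapsearch-based container check, the sample file contents and all file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the
# idmap-in-LDAP setup John T. describes. Paths are arguments so the checks
# run against constructed samples; only the container check needs a server.

# check_smb_conf FILE: report idmap/LDAP problems, return 1 if any.
check_smb_conf() {
    f=$1; rc=0
    # "winbind uid/gid" were superseded by "idmap uid/gid".
    for p in 'winbind uid' 'winbind gid'; do
        if grep -Eiq "^[[:space:]]*$p[[:space:]]*=" "$f"; then
            echo "smb.conf: '$p' is obsolete, use 'idmap ${p#winbind }'"; rc=1
        fi
    done
    # Without these, winbind keeps mappings in winbindd_idmap.tdb instead.
    for p in 'ldap suffix' 'ldap admin dn' 'ldap idmap suffix' \
             'idmap backend' 'idmap uid' 'idmap gid'; do
        grep -Eiq "^[[:space:]]*$p[[:space:]]*=" "$f" \
            || { echo "smb.conf: '$p' is not set"; rc=1; }
    done
    grep -Eiq '^[[:space:]]*idmap backend[[:space:]]*=[[:space:]]*ldap:' "$f" \
        || { echo "smb.conf: 'idmap backend' is not an ldap: URI"; rc=1; }
    return $rc
}

# check_nsswitch FILE: passwd and group must resolve through winbind.
check_nsswitch() {
    f=$1; rc=0
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$f" \
            || { echo "nsswitch.conf: '$db' does not list winbind"; rc=1; }
    done
    return $rc
}

# check_secrets_perms FILE: secrets.tdb holds the LDAP admin password set
# with "smbpasswd -w", so group and other must have no access bits at all.
check_secrets_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] \
        || { echo "$1: accessible by group or other"; return 1; }
}

# check_idmap_container URI BASE_DN: the ou= container must exist before
# winbind can populate it (the 'slapcat | grep -i IDMAP' step, via LDAP).
check_idmap_container() {
    ldapsearch -x -H "$1" -b "$2" -s base '(objectClass=organizationalUnit)' dn \
        >/dev/null 2>&1
}

# write_samples DIR: constructed files mirroring Sapan's posted config.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
idmap backend = ldap:ldap://lnxs001
EOF
    printf 'passwd: files winbind\ngroup: files\n' > "$1/nsswitch.conf"
}

d=$(mktemp -d); write_samples "$d"
check_smb_conf "$d/smb.conf" || echo "fix smb.conf, then restart winbindd"
check_nsswitch "$d/nsswitch.conf" || echo "fix nsswitch.conf"
```

Run against the sample files it reports the two obsolete parameters and the missing winbind entry for group; point the functions at /etc/samba/smb.conf, /etc/nsswitch.conf and your secrets.tdb to check a real host.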