samba - Jan 2004 - How do I get Winbind accounts in LDAP?

I've seen this posting before but I need to get a grasp on this. I am
using winbindd for users that don't have a local account on a Linux box.
I thought that placing the entries below in the smb.conf would create
users in ou=Idmap. Instead the ou=Idmap increments the uidNumber with
every user that is added,but the user ID mappings are stored in
/usr/local/var/locks/winbindd_idmap.tdb. What entry in smb.conf will
change this. These are the applicable portions of smb.conf.

        ldap suffix = dc=tow,dc=net
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,dc=tow,dc=net
        ldap ssl = no
        idmap backend = ldap:ldap://127.0.0.1
        ldap idmap suffix = ou=Idmap
        winbind separator = +
        idmap uid = 40000-50000
        idmap gid = 40000-50000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /accounts/default/%D/%U
        template shell = /bin/bash
        winbind use default domain = yes
        winbind cache time = 15
        obey pam restrictions = yes

So I use wbinfo -c <username>. This returns a RID number. User can now
login or use smbclient -L localhost -U <username> <password> and get
available shares on this BDC. In LDAP directory is incremented by 1, but
there are no entries.

How do I move the entries that are stored in
/usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory?

What I've omitted in all this is that pam and pam_winbind is setup
correctly, which I believe it is.


-- 
Kent
nasve525@regis.edu
kent@wareham.k12.ma.us

Tips:---------------------------------------------->
"OpenOffice.org ... Stops Word macro viruses DEAD!"
"Postgresql.org ... Don't 'kill -9' the postmaster"
"Technology is legislation - C. Einfeldt on OO.o discuss list"

Kent,

Did you create the container for the ou=Idmap in your LDAP database?
The IDMAP entries are automatically added to LDAP - IF the container
exists, and so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container
and not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
	slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' <<
EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
	wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.


On Sat, 3 Jan 2004, Kent L. Nasveschuk wrote:
> I've seen this posting before but I need to get a grasp on this. I am
> using winbindd for users that don't have a local account on a Linux
box.
> I thought that placing the entries below in the smb.conf would create
> users in ou=Idmap. Instead the ou=Idmap increments the uidNumber with
> every user that is added,but the user ID mappings are stored in
> /usr/local/var/locks/winbindd_idmap.tdb. What entry in smb.conf will
> change this. These are the applicable portions of smb.conf.
>
>         ldap suffix = dc=tow,dc=net
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap admin dn = cn=admin,dc=tow,dc=net
>         ldap ssl = no
>         idmap backend = ldap:ldap://127.0.0.1
>         ldap idmap suffix = ou=Idmap
>         winbind separator = +
>         idmap uid = 40000-50000
>         idmap gid = 40000-50000
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /accounts/default/%D/%U
>         template shell = /bin/bash
>         winbind use default domain = yes
>         winbind cache time = 15
>         obey pam restrictions = yes
>
> So I use wbinfo -c <username>. This returns a RID number. User can
now
> login or use smbclient -L localhost -U <username> <password>
and get
> available shares on this BDC. In LDAP directory is incremented by 1, but
> there are no entries.
>
> How do I move the entries that are stored in
> /usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory?
>
> What I've omitted in all this is that pam and pam_winbind is setup
> correctly, which I believe it is.
>
>
>
-- 
John H Terpstra
Email: jht@samba.org

Hi John/List,

	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2 but
without any success. I've tried what John T has suggested below but my idmap
OU is still empty (adapted LDAP commnads for Sun DS). I cannot see any errors in
either Samba or Sun DS logs, does anyone have any troubleshooting tips to help
work out why this isn't working?

		many thanks Andy.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
[mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On Behalf Of
John H Terpstra
Posted At: 03 January 2004 23:54
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


Kent,

Did you create the container for the ou=Idmap in your LDAP database?
The IDMAP entries are automatically added to LDAP - IF the container
exists, and so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container
and not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
	slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' <<
EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
	wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.



BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views
which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC
monitors e-mails sent or received.
Further communication will signify your consent to this.

Hi Sapan/All,

	ok this is all in my test/dev environment. I have a Sun Sparc workstation
running Solaris 9 and an Intel server running Windows 2000 server acting as a
Native mode AD DC. My Sparc system has Samba 3.0.1 installed and is successfully
joined to the AD domain, I can authenticate via kerberos and wbinfo -u lists
domain users etc. All I need LDAP for is centralising the IDMAP mappings across
our theoretical Samba server infrastructure.

  On the same sparc system I also have SunONE DS 5.2 installed, this has the
schema for Samba 3.0.1 successfully loaded. I have created the idamap OU in the
directory and I have configured my smb.conf to use LDAP for idmap data, file
attached. And I have set the LDAP admin account password with "smbpasswd
-w". I have also disabled nscd from starting up & installed patch
113476-05 which is required for Solaris 9. I can also see winbindd establishing
a connection to Sun LDAP in its access log.

  As I was writing this mail I have noticed that a getent for users and groups
is not displaying any AD users/groups but is exiting with a status 0, this is
despite the fact that wbinfo is correctly displaying all my AD users/groups!? I
can see from a snoop and truss run on the getent that it is making LDAP calls to
the AD DC but it's not returning anything!?! I have had this running on a
Solaris 8 system in my test environment successfully and can't think of
anything I've done differently.

If anyone can help I'd greatly appreciate it,

	many thanks Andy.

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
Posted At: 07 January 2004 16:44
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



Andy,

Tell us a bit more, I'm doing a similar thing I think.  I'm not using
Sun's
LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging
into my Solaris 9.0 machine running winbind, with my NT username and
password which creates an idmap in the openldap database on the Redhat
box....well, that's what it is supposed to do anyway...it works fine on
Redhat, Solaris is proving to be a little more tricky.

Is this what you are doing?

-----Original Message-----
From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk] 
Sent: 07 January 2004 14:23
To: samba@lists.samba.org
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi John/List,

	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
but without any success. I've tried what John T has suggested below but my
idmap OU is still empty (adapted LDAP commnads for Sun DS). I cannot see any
errors in either Samba or Sun DS logs, does anyone have any troubleshooting
tips to help work out why this isn't working?

		many thanks Andy.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
[mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On Behalf Of
John H Terpstra Posted At: 03 January 2004 23:54 Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


Kent,

Did you create the container for the ou=Idmap in your LDAP database? The
IDMAP entries are automatically added to LDAP - IF the container exists, and
so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container and
not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
	slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' <<
EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
	wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.



BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal
views which are not the views of the BBC unless specifically stated. If you
have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in reliance on it and
notify the sender immediately. Please note that the BBC monitors e-mails
sent or received. Further communication will signify your consent to this.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views
which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC
monitors e-mails sent or received.
Further communication will signify your consent to this.

I'm doing the same thing but with NT4 so I'm not using active directory.
The only thing you haven't mentioned that I can think of is nsswitch.conf,
you should have -

Passwd: files winbind
Group: files winbind

Getent works for me, I'm stuck with getting log ons to the Solaris machine
with NT usernames to work.
They seem to have changed something in Solaris 9, even Sun hasn't been able
to help me!

-----Original Message-----
From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk] 
Sent: 08 January 2004 13:45
To: Ganguly, Sapan ; samba@lists.samba.org
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi Sapan/All,

	ok this is all in my test/dev environment. I have a Sun Sparc
workstation running Solaris 9 and an Intel server running Windows 2000
server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
installed and is successfully joined to the AD domain, I can authenticate
via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is
centralising the IDMAP mappings across our theoretical Samba server
infrastructure. 

  On the same sparc system I also have SunONE DS 5.2 installed, this has the
schema for Samba 3.0.1 successfully loaded. I have created the idamap OU in
the directory and I have configured my smb.conf to use LDAP for idmap data,
file attached. And I have set the LDAP admin account password with
"smbpasswd -w". I have also disabled nscd from starting up &
installed patch
113476-05 which is required for Solaris 9. I can also see winbindd
establishing a connection to Sun LDAP in its access log.

  As I was writing this mail I have noticed that a getent for users and
groups is not displaying any AD users/groups but is exiting with a status 0,
this is despite the fact that wbinfo is correctly displaying all my AD
users/groups!? I can see from a snoop and truss run on the getent that it is
making LDAP calls to the AD DC but it's not returning anything!?! I have had
this running on a Solaris 8 system in my test environment successfully and
can't think of anything I've done differently.

If anyone can help I'd greatly appreciate it,

	many thanks Andy.

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
Posted At: 07 January 2004 16:44
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



Andy,

Tell us a bit more, I'm doing a similar thing I think.  I'm not using
Sun's
LDAP service, I have OpenLDAP running on a Redhat 9.0 box and I'm logging
into my Solaris 9.0 machine running winbind, with my NT username and
password which creates an idmap in the openldap database on the Redhat
box....well, that's what it is supposed to do anyway...it works fine on
Redhat, Solaris is proving to be a little more tricky.

Is this what you are doing?

-----Original Message-----
From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk] 
Sent: 07 January 2004 14:23
To: samba@lists.samba.org
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi John/List,

	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2
but without any success. I've tried what John T has suggested below but my
idmap OU is still empty (adapted LDAP commnads for Sun DS). I cannot see any
errors in either Samba or Sun DS logs, does anyone have any troubleshooting
tips to help work out why this isn't working?

		many thanks Andy.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
[mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On Behalf Of
John H Terpstra Posted At: 03 January 2004 23:54 Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: Re: [Samba] How do I get Winbind accounts in LDAP?


Kent,

Did you create the container for the ou=Idmap in your LDAP database? The
IDMAP entries are automatically added to LDAP - IF the container exists, and
so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container and
not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
container:
	slapcat | grep -i IDMAP


If nothing is returned, execute this:

ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' <<
EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit
EOR

Now you must stop samba, delete the winbind*tdb files, restart samba,
run:
	wbinfo -u
And that should automatically populate your LDAP IDMAP database.

Cheers,
John T.



BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal
views which are not the views of the BBC unless specifically stated. If you
have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in reliance on it and
notify the sender immediately. Please note that the BBC monitors e-mails
sent or received. Further communication will signify your consent to this.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal
views which are not the views of the BBC unless specifically stated. If you
have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in reliance on it and
notify the sender immediately. Please note that the BBC monitors e-mails
sent or received. Further communication will signify your consent to this.

Hi Sapan/All,

	yes I have already correctly configured my nsswitch.conf and it is not working
for getent?! Anyone fancy giving me a clue?

		cheers Andy.

PS I agree Sun seem to have changed a few things in Solaris 9 which are catching
out third party software developers and end users alike.

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
Posted At: 08 January 2004 14:25
Posted To: Samba
Conversation: [Samba] How do I get Winbind accounts in LDAP?
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



I'm doing the same thing but with NT4 so I'm not using active directory.
The only thing you haven't mentioned that I can think of is nsswitch.conf,
you should have -

Passwd: files winbind
Group: files winbind

Getent works for me, I'm stuck with getting log ons to the Solaris machine
with NT usernames to work.
They seem to have changed something in Solaris 9, even Sun hasn't been able
to help me!

-----Original Message-----
From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk] 
Sent: 08 January 2004 13:45
To: Ganguly, Sapan ; samba@lists.samba.org
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Hi Sapan/All,

	ok this is all in my test/dev environment. I have a Sun Sparc
workstation running Solaris 9 and an Intel server running Windows 2000
server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1
installed and is successfully joined to the AD domain, I can authenticate
via kerberos and wbinfo -u lists domain users etc. All I need LDAP for is
centralising the IDMAP mappings across our theoretical Samba server
infrastructure. 

  On the same sparc system I also have SunONE DS 5.2 installed, this has the
schema for Samba 3.0.1 successfully loaded. I have created the idamap OU in
the directory and I have configured my smb.conf to use LDAP for idmap data,
file attached. And I have set the LDAP admin account password with
"smbpasswd -w". I have also disabled nscd from starting up &
installed patch
113476-05 which is required for Solaris 9. I can also see winbindd
establishing a connection to Sun LDAP in its access log.

  As I was writing this mail I have noticed that a getent for users and
groups is not displaying any AD users/groups but is exiting with a status 0,
this is despite the fact that wbinfo is correctly displaying all my AD
users/groups!? I can see from a snoop and truss run on the getent that it is
making LDAP calls to the AD DC but it's not returning anything!?! I have had
this running on a Solaris 8 system in my test environment successfully and
can't think of anything I've done differently.

If anyone can help I'd greatly appreciate it,

	many thanks Andy.


BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views
which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC
monitors e-mails sent or received.
Further communication will signify your consent to this.

Yep, I've done that, I basically followed the Solaris 9 HOWTO from the main
HOWTO collection that comes with Samba 3.0, the only difference is that I
used an /etc/pam.conf for Solaris 9 posted on the list by Patrik Gustavsson.
I haven't managed to get hold of him, he says he has made it work on Solaris
9.
I also want to get pam_mkhomedir work but I have to get past this bit
first.
>From his email signature it looks like he work for Sun in Sweden but even
the Sun helpdesk in the UK hasn't been able to get hold of him yet. 

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org] 
Sent: 08 January 2004 15:54
To: Ganguly, Sapan 
Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> I'm doing the same thing but with NT4 so I'm not using active 
> directory. The only thing you haven't mentioned that I can think of is 
> nsswitch.conf, you should have -
>
> Passwd: files winbind
> Group: files winbind
>
> Getent works for me, I'm stuck with getting log ons to the Solaris 
> machine with NT usernames to work.
If you want to log onto the Sun machine using Windows networking credentials
you must configure PAM to support the use of pam_winbind.so. Have you done
that?

- John T.

> They seem to have changed something in Solaris 9, even Sun hasn't been 
> able to help me!
>
> -----Original Message-----
> From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> Sent: 08 January 2004 13:45
> To: Ganguly, Sapan ; samba@lists.samba.org
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Hi Sapan/All,
>
> 	ok this is all in my test/dev environment. I have a Sun Sparc 
> workstation running Solaris 9 and an Intel server running Windows 2000 
> server acting as a Native mode AD DC. My Sparc system has Samba 3.0.1 
> installed and is successfully joined to the AD domain, I can 
> authenticate via kerberos and wbinfo -u lists domain users etc. All I 
> need LDAP for is centralising the IDMAP mappings across our 
> theoretical Samba server infrastructure.
>
>   On the same sparc system I also have SunONE DS 5.2 installed, this 
> has the schema for Samba 3.0.1 successfully loaded. I have created the 
> idamap OU in the directory and I have configured my smb.conf to use 
> LDAP for idmap data, file attached. And I have set the LDAP admin 
> account password with "smbpasswd -w". I have also disabled nscd
from
> starting up & installed patch 113476-05 which is required for Solaris 
> 9. I can also see winbindd establishing a connection to Sun LDAP in 
> its access log.
>
>   As I was writing this mail I have noticed that a getent for users 
> and groups is not displaying any AD users/groups but is exiting with a 
> status 0, this is despite the fact that wbinfo is correctly displaying 
> all my AD users/groups!? I can see from a snoop and truss run on the 
> getent that it is making LDAP calls to the AD DC but it's not 
> returning anything!?! I have had this running on a Solaris 8 system in 
> my test environment successfully and can't think of anything I've
done
> differently.
>
> If anyone can help I'd greatly appreciate it,
>
> 	many thanks Andy.
>
> -----Original Message-----
> From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
> Posted At: 07 January 2004 16:44
> Posted To: Samba
> Conversation: [Samba] How do I get Winbind accounts in LDAP?
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
>
> Andy,
>
> Tell us a bit more, I'm doing a similar thing I think.  I'm not
using
> Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 box and 
> I'm logging into my Solaris 9.0 machine running winbind, with my NT 
> username and password which creates an idmap in the openldap database 
> on the Redhat box....well, that's what it is supposed to do 
> anyway...it works fine on Redhat, Solaris is proving to be a little 
> more tricky.
>
> Is this what you are doing?
>
> -----Original Message-----
> From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> Sent: 07 January 2004 14:23
> To: samba@lists.samba.org
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Hi John/List,
>
> 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS 5.2 
> but without any success. I've tried what John T has suggested below 
> but my idmap OU is still empty (adapted LDAP commnads for Sun DS). I 
> cannot see any errors in either Samba or Sun DS logs, does anyone have 
> any troubleshooting tips to help work out why this isn't working?
>
> 		many thanks Andy.
>
> -----Original Message-----
> From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
> [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On Behalf 
> Of John H Terpstra Posted At: 03 January 2004 23:54 Posted To: Samba
> Conversation: [Samba] How do I get Winbind accounts in LDAP?
> Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Kent,
>
> Did you create the container for the ou=Idmap in your LDAP database? 
> The IDMAP entries are automatically added to LDAP - IF the container 
> exists, and so long as Samba can access that database.
>
> Also, I suggest you store your machine accounts in the Users container 
> and not in the Computers container. Samba does not at this time search 
> the Computers container correctly.
>
> Execute the following to find out if your LDAP database has an IDMAP
> container:
> 	slapcat | grep -i IDMAP
>
>
> If nothing is returned, execute this:
>
> ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password'
<< EOR
> dn: ou=Idmap,dc=abmas,dc=biz
> objectClass: organizationalunit
> ou: idmap
> structuralObjectClass: organizationalunit
> EOR
>
> Now you must stop samba, delete the winbind*tdb files, restart samba,
> run:
> 	wbinfo -u
> And that should automatically populate your LDAP IDMAP database.
>
> Cheers,
> John T.
>
>
>
> BBCi at http://www.bbc.co.uk/
>
> This e-mail (and any attachments) is confidential and may contain 
> personal views which are not the views of the BBC unless specifically 
> stated. If you have received it in error, please delete it from your 
> system. Do not use, copy or disclose the information in any way nor 
> act in reliance on it and notify the sender immediately. Please note 
> that the BBC monitors e-mails sent or received. Further communication 
> will signify your consent to this.
>
-- 
John H Terpstra
Email: jht@samba.org

John,

Wbinfo -u lists all my NT user and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT
both
   wins server = 192.168.224.25 

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 



Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
	wbinfo -u
	wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> Yep, I've done that, I basically followed the Solaris 9 HOWTO from the 
> main HOWTO collection that comes with Samba 3.0, the only difference 
> is that I used an /etc/pam.conf for Solaris 9 posted on the list by 
> Patrik Gustavsson. I haven't managed to get hold of him, he says he 
> has made it work on Solaris 9. I also want to get pam_mkhomedir work 
> but I have to get past this bit first.
> >From his email signature it looks like he work for Sun in Sweden but 
> >even
> the Sun helpdesk in the UK hasn't been able to get hold of him yet.
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: 08 January 2004 15:54
> To: Ganguly, Sapan
> Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > I'm doing the same thing but with NT4 so I'm not using active 
> > directory. The only thing you haven't mentioned that I can think
of
> > is nsswitch.conf, you should have -
> >
> > Passwd: files winbind
> > Group: files winbind
> >
> > Getent works for me, I'm stuck with getting log ons to the Solaris
> > machine with NT usernames to work.
>
> If you want to log onto the Sun machine using Windows networking 
> credentials you must configure PAM to support the use of 
> pam_winbind.so. Have you done that?
>
> - John T.
>
>
> > They seem to have changed something in Solaris 9, even Sun hasn't 
> > been able to help me!
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > Sent: 08 January 2004 13:45
> > To: Ganguly, Sapan ; samba@lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi Sapan/All,
> >
> > 	ok this is all in my test/dev environment. I have a Sun Sparc 
> > workstation running Solaris 9 and an Intel server running Windows 
> > 2000 server acting as a Native mode AD DC. My Sparc system has Samba 
> > 3.0.1 installed and is successfully joined to the AD domain, I can 
> > authenticate via kerberos and wbinfo -u lists domain users etc. All 
> > I need LDAP for is centralising the IDMAP mappings across our 
> > theoretical Samba server infrastructure.
> >
> >   On the same sparc system I also have SunONE DS 5.2 installed, this 
> > has the schema for Samba 3.0.1 successfully loaded. I have created 
> > the idamap OU in the directory and I have configured my smb.conf to 
> > use LDAP for idmap data, file attached. And I have set the LDAP 
> > admin account password with "smbpasswd -w". I have also
disabled
> > nscd from starting up & installed patch 113476-05 which is
required
> > for Solaris 9. I can also see winbindd establishing a connection to 
> > Sun LDAP in its access log.
> >
> >   As I was writing this mail I have noticed that a getent for users 
> > and groups is not displaying any AD users/groups but is exiting with 
> > a status 0, this is despite the fact that wbinfo is correctly 
> > displaying all my AD users/groups!? I can see from a snoop and truss 
> > run on the getent that it is making LDAP calls to the AD DC but
it's
> > not returning anything!?! I have had this running on a Solaris 8 
> > system in my test environment successfully and can't think of 
> > anything I've done differently.
> >
> > If anyone can help I'd greatly appreciate it,
> >
> > 	many thanks Andy.
> >
> > -----Original Message-----
> > From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
> > Posted At: 07 January 2004 16:44
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> >
> > Andy,
> >
> > Tell us a bit more, I'm doing a similar thing I think.  I'm
not
> > using Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 
> > box and I'm logging into my Solaris 9.0 machine running winbind, 
> > with my NT username and password which creates an idmap in the 
> > openldap database on the Redhat box....well, that's what it is 
> > supposed to do anyway...it works fine on Redhat, Solaris is proving 
> > to be a little more tricky.
> >
> > Is this what you are doing?
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > Sent: 07 January 2004 14:23
> > To: samba@lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi John/List,
> >
> > 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS
5.2
> > but without any success. I've tried what John T has suggested
below
> > but my idmap OU is still empty (adapted LDAP commnads for Sun DS). I 
> > cannot see any errors in either Samba or Sun DS logs, does anyone 
> > have any troubleshooting tips to help work out why this isn't 
> > working?
> >
> > 		many thanks Andy.
> >
> > -----Original Message-----
> > From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
> > [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On 
> > Behalf Of John H Terpstra Posted At: 03 January 2004 23:54 Posted 
> > To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Kent,
> >
> > Did you create the container for the ou=Idmap in your LDAP database? 
> > The IDMAP entries are automatically added to LDAP - IF the container 
> > exists, and so long as Samba can access that database.
> >
> > Also, I suggest you store your machine accounts in the Users 
> > container and not in the Computers container. Samba does not at this 
> > time search the Computers container correctly.
> >
> > Execute the following to find out if your LDAP database has an IDMAP
> > container:
> > 	slapcat | grep -i IDMAP
> >
> >
> > If nothing is returned, execute this:
> >
> > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password'
<< EOR
> > dn: ou=Idmap,dc=abmas,dc=biz
> > objectClass: organizationalunit
> > ou: idmap
> > structuralObjectClass: organizationalunit
> > EOR
> >
> > Now you must stop samba, delete the winbind*tdb files, restart 
> > samba,
> > run:
> > 	wbinfo -u
> > And that should automatically populate your LDAP IDMAP database.
> >
> > Cheers,
> > John T.
> >
> >
> >
> > BBCi at http://www.bbc.co.uk/
> >
> > This e-mail (and any attachments) is confidential and may contain 
> > personal views which are not the views of the BBC unless 
> > specifically stated. If you have received it in error, please delete 
> > it from your system. Do not use, copy or disclose the information in 
> > any way nor act in reliance on it and notify the sender immediately. 
> > Please note that the BBC monitors e-mails sent or received. Further 
> > communication will signify your consent to this.
> >
>
>
-- 
John H Terpstra
Email: jht@samba.org

John,

Any ideas?  When I try to log in it seems to get past the PAM stuff but then
it just sits there, I don't get a prompt.  I've enabled debug on all the
modules in pam.conf, should I post the log files?

Sapan

-----Original Message-----
From: Ganguly, Sapan 
Sent: 08 January 2004 17:39
To: 'John H Terpstra'; Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



John,

Wbinfo -u lists all my NT user and wbinfo -g lists all my NT groups.

Here is a copy of my smb.conf, I took it from a working Redhat 9.0 machine I
built.

[global]

# LDAP stuff for the idmap backend

ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
ldap suffix = dc=uk,dc=trt,dc=thales
ldap idmap suffix = ou=idmap

# Winbind stuff

winbind separator = -
idmap uid = 10000-20000
winbind uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%D/%U
#template homedir = /home/%U
template homedir = /mnt/spare/%U
template shell = /bin/bash
idmap backend = ldap:ldap://lnxs001

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = DOMAIN

# server string is the equivalent of the NT Description field
   server string = SUN001 

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine # that
connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See #
security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Most people will find that this option gives better performance. # See
speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master #
browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT
both
   wins server = 192.168.224.25 

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names #
via DNS nslookups. The built-in default for versions 1.9.17 is yes, # this
has been changed in version 1.9.18 to no.
   dns proxy = no 



Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org] 
Sent: 08 January 2004 16:58
To: Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


Sapan,

I recently installed Samba-3 on Solaris 9 and had no problem with PAM and
NSS functionality. Logons using domain users worked well. As I do not have a
Sun box it is a little difficult for me to help you directly.

What output do you get from:
	wbinfo -u
	wbinfo -g

Please send me your smb.conf file so I can see what may be going on.

- John T.

On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> Yep, I've done that, I basically followed the Solaris 9 HOWTO from the
> main HOWTO collection that comes with Samba 3.0, the only difference 
> is that I used an /etc/pam.conf for Solaris 9 posted on the list by 
> Patrik Gustavsson. I haven't managed to get hold of him, he says he 
> has made it work on Solaris 9. I also want to get pam_mkhomedir work 
> but I have to get past this bit first.
> >From his email signature it looks like he work for Sun in Sweden but
> >even
> the Sun helpdesk in the UK hasn't been able to get hold of him yet.
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: 08 January 2004 15:54
> To: Ganguly, Sapan
> Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > I'm doing the same thing but with NT4 so I'm not using active
> > directory. The only thing you haven't mentioned that I can think
of
> > is nsswitch.conf, you should have -
> >
> > Passwd: files winbind
> > Group: files winbind
> >
> > Getent works for me, I'm stuck with getting log ons to the Solaris
> > machine with NT usernames to work.
>
> If you want to log onto the Sun machine using Windows networking
> credentials you must configure PAM to support the use of 
> pam_winbind.so. Have you done that?
>
> - John T.
>
>
> > They seem to have changed something in Solaris 9, even Sun hasn't
> > been able to help me!
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > Sent: 08 January 2004 13:45
> > To: Ganguly, Sapan ; samba@lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi Sapan/All,
> >
> > 	ok this is all in my test/dev environment. I have a Sun Sparc
> > workstation running Solaris 9 and an Intel server running Windows 
> > 2000 server acting as a Native mode AD DC. My Sparc system has Samba 
> > 3.0.1 installed and is successfully joined to the AD domain, I can 
> > authenticate via kerberos and wbinfo -u lists domain users etc. All 
> > I need LDAP for is centralising the IDMAP mappings across our 
> > theoretical Samba server infrastructure.
> >
> >   On the same sparc system I also have SunONE DS 5.2 installed, this
> > has the schema for Samba 3.0.1 successfully loaded. I have created 
> > the idamap OU in the directory and I have configured my smb.conf to 
> > use LDAP for idmap data, file attached. And I have set the LDAP 
> > admin account password with "smbpasswd -w". I have also
disabled
> > nscd from starting up & installed patch 113476-05 which is
required
> > for Solaris 9. I can also see winbindd establishing a connection to 
> > Sun LDAP in its access log.
> >
> >   As I was writing this mail I have noticed that a getent for users
> > and groups is not displaying any AD users/groups but is exiting with 
> > a status 0, this is despite the fact that wbinfo is correctly 
> > displaying all my AD users/groups!? I can see from a snoop and truss 
> > run on the getent that it is making LDAP calls to the AD DC but
it's
> > not returning anything!?! I have had this running on a Solaris 8 
> > system in my test environment successfully and can't think of 
> > anything I've done differently.
> >
> > If anyone can help I'd greatly appreciate it,
> >
> > 	many thanks Andy.
> >
> > -----Original Message-----
> > From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
> > Posted At: 07 January 2004 16:44
> > Posted To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> >
> > Andy,
> >
> > Tell us a bit more, I'm doing a similar thing I think.  I'm
not
> > using Sun's LDAP service, I have OpenLDAP running on a Redhat 9.0 
> > box and I'm logging into my Solaris 9.0 machine running winbind, 
> > with my NT username and password which creates an idmap in the 
> > openldap database on the Redhat box....well, that's what it is 
> > supposed to do anyway...it works fine on Redhat, Solaris is proving 
> > to be a little more tricky.
> >
> > Is this what you are doing?
> >
> > -----Original Message-----
> > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > Sent: 07 January 2004 14:23
> > To: samba@lists.samba.org
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Hi John/List,
> >
> > 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun DS
5.2
> > but without any success. I've tried what John T has suggested
below
> > but my idmap OU is still empty (adapted LDAP commnads for Sun DS). I 
> > cannot see any errors in either Samba or Sun DS logs, does anyone 
> > have any troubleshooting tips to help work out why this isn't 
> > working?
> >
> > 		many thanks Andy.
> >
> > -----Original Message-----
> > From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
> > [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On
> > Behalf Of John H Terpstra Posted At: 03 January 2004 23:54 Posted 
> > To: Samba
> > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > Kent,
> >
> > Did you create the container for the ou=Idmap in your LDAP database?
> > The IDMAP entries are automatically added to LDAP - IF the container 
> > exists, and so long as Samba can access that database.
> >
> > Also, I suggest you store your machine accounts in the Users
> > container and not in the Computers container. Samba does not at this 
> > time search the Computers container correctly.
> >
> > Execute the following to find out if your LDAP database has an IDMAP
> > container:
> > 	slapcat | grep -i IDMAP
> >
> >
> > If nothing is returned, execute this:
> >
> > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password'
<< EOR
> > dn: ou=Idmap,dc=abmas,dc=biz
> > objectClass: organizationalunit
> > ou: idmap
> > structuralObjectClass: organizationalunit
> > EOR
> >
> > Now you must stop samba, delete the winbind*tdb files, restart
> > samba,
> > run:
> > 	wbinfo -u
> > And that should automatically populate your LDAP IDMAP database.
> >
> > Cheers,
> > John T.
> >
> >
> >
> > BBCi at http://www.bbc.co.uk/
> >
> > This e-mail (and any attachments) is confidential and may contain
> > personal views which are not the views of the BBC unless 
> > specifically stated. If you have received it in error, please delete 
> > it from your system. Do not use, copy or disclose the information in 
> > any way nor act in reliance on it and notify the sender immediately. 
> > Please note that the BBC monitors e-mails sent or received. Further 
> > communication will signify your consent to this.
> >
>
>
-- 
John H Terpstra
Email: jht@samba.org

John,

OK, I took out the "winbind uid" and "winbind gid" lines.

Here is what I have in /lib, how do I know which is the appropriate version
name?  I've tried these ones. 

-rwxr-xr-x   1 root     other     751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 libnss_winbind.so.1 ->
libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:19 libnss_winbind.so.2 ->
libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 nss_winbind.so.1 ->
libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:21 nss_winbind.so.2 ->
libnss_winbind.so

I've done everything else too but my login still hangs at the
"password:"
prompt after I have typed the password in.  Although when I did a 'getent
group' it did pause for a few seconds several times during the listing, that
may just be because we have a lot of NT groups.  'getent passwd' worked
fine
and listed all the unix users as well as all the NT users in a split second.
My /etc/nsswitch.conf is configured and I have done the 'smbpasswd -w'
command to put my LDAP password into secets.tdb.

Here is what I get in my pamlog, as you can see, it does say "access
granted" on the last line.  I think the first line is me killing the telnet
session of a previous attempt. 

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug]
libpam_winbind:pam_sm_close_sessio
n handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug]
pam_authtok_get:pam_sm_authenticate: flags = 0
Jan 14 13:30:05 sun001 login: [ID 378613 auth.debug] pam_dhkeys: user
ganguly not found
Jan 14 13:30:05 sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering
pam_sm_authenticate()
Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug] pam_unix_auth: user
ganguly not found
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 572310 auth.info] Verify user
`ganguly'
Jan 14 13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user
'ganguly' granted acces
Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug] roles
pam_sm_authenticate, service = tel
net user = ganguly ruser = not set rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be?  According to this
log access is granted right?  So why does it just sit there at
"password:"?

Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org] 
Sent: 13 January 2004 16:39
To: Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:
>
> John,
>
> Any ideas?  When I try to log in it seems to get past the PAM stuff 
> but then it just sits there, I don't get a prompt.  I've enabled
debug
> on all the modules in pam.conf, should I post the log files?
You should get rid of the "winbind uid" and "winbind gid"
parameters as they
have been superceded by "idmap uid" and "idmap gid".

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the
appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

	getent passwd

and

	getent group

You will need to install the LDAP admin password into your Samba secrets.tdb
file. The command that does that is:

	smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.
>
> Sapan
>
> -----Original Message-----
> From: Ganguly, Sapan
> Sent: 08 January 2004 17:39
> To: 'John H Terpstra'; Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
>
> John,
>
> Wbinfo -u lists all my NT user and wbinfo -g lists all my NT groups.
>
> Here is a copy of my smb.conf, I took it from a working Redhat 9.0 
> machine I built.
>
> [global]
>
> # LDAP stuff for the idmap backend
>
> ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
> ldap suffix = dc=uk,dc=trt,dc=thales
> ldap idmap suffix = ou=idmap
>
> # Winbind stuff
>
> winbind separator = -
> idmap uid = 10000-20000
> winbind uid = 10000-20000
> idmap gid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #template homedir = /home/%D/%U
> #template homedir = /home/%U
> template homedir = /mnt/spare/%U
> template shell = /bin/bash
> idmap backend = ldap:ldap://lnxs001
>
> # workgroup = NT-Domain-Name or Workgroup-Name
>    workgroup = DOMAIN
>
> # server string is the equivalent of the NT Description field
>    server string = SUN001
>
> # if you want to automatically load your printer list rather # than 
> setting them up individually then you'll need this
>    printcap name = /etc/printcap
>    load printers = yes
>
> # this tells Samba to use a separate log file for each machine # that 
> connects
>    log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
>    max log size = 50
>
> # Security mode. Most people will want user level security. See # 
> security_level.txt for details.
>    security = user
> # Use password server option only with security = server
> ;   password server = <NT-Server-Name>
>
> # Most people will find that this option gives better performance. # 
> See speed.txt and the manual pages for details
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Browser Control Options:
> # set local master to no if you don't want Samba to become a master # 
> browser on your network. Otherwise the normal election rules apply
>    local master = no
>
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> #	Note: Samba can be either a WINS Server, or a WINS Client, but NOT
> both
>    wins server = 192.168.224.25
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS 
> names # via DNS nslookups. The built-in default for versions 1.9.17 is 
> yes, # this has been changed in version 1.9.18 to no.
>    dns proxy = no
>
>
>
> Thanks,
> Sapan
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: 08 January 2004 16:58
> To: Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Sapan,
>
> I recently installed Samba-3 on Solaris 9 and had no problem with PAM 
> and NSS functionality. Logons using domain users worked well. As I do 
> not have a Sun box it is a little difficult for me to help you 
> directly.
>
> What output do you get from:
> 	wbinfo -u
> 	wbinfo -g
>
> Please send me your smb.conf file so I can see what may be going on.
>
> - John T.
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > Yep, I've done that, I basically followed the Solaris 9 HOWTO from
> > the main HOWTO collection that comes with Samba 3.0, the only 
> > difference is that I used an /etc/pam.conf for Solaris 9 posted on 
> > the list by Patrik Gustavsson. I haven't managed to get hold of
him,
> > he says he has made it work on Solaris 9. I also want to get 
> > pam_mkhomedir work but I have to get past this bit first.
> > >From his email signature it looks like he work for Sun in Sweden 
> > >but even
> > the Sun helpdesk in the UK hasn't been able to get hold of him
yet.
> >
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht@samba.org]
> > Sent: 08 January 2004 15:54
> > To: Ganguly, Sapan
> > Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
> >
> > >
> > > I'm doing the same thing but with NT4 so I'm not using
active
> > > directory. The only thing you haven't mentioned that I can
think
> > > of is nsswitch.conf, you should have -
> > >
> > > Passwd: files winbind
> > > Group: files winbind
> > >
> > > Getent works for me, I'm stuck with getting log ons to the
Solaris
> > > machine with NT usernames to work.
> >
> > If you want to log onto the Sun machine using Windows networking 
> > credentials you must configure PAM to support the use of 
> > pam_winbind.so. Have you done that?
> >
> > - John T.
> >
> >
> > > They seem to have changed something in Solaris 9, even Sun
hasn't
> > > been able to help me!
> > >
> > > -----Original Message-----
> > > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > > Sent: 08 January 2004 13:45
> > > To: Ganguly, Sapan ; samba@lists.samba.org
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Hi Sapan/All,
> > >
> > > 	ok this is all in my test/dev environment. I have a Sun Sparc 
> > > workstation running Solaris 9 and an Intel server running Windows
> > > 2000 server acting as a Native mode AD DC. My Sparc system has 
> > > Samba 3.0.1 installed and is successfully joined to the AD
domain,
> > > I can authenticate via kerberos and wbinfo -u lists domain users 
> > > etc. All I need LDAP for is centralising the IDMAP mappings
across
> > > our theoretical Samba server infrastructure.
> > >
> > >   On the same sparc system I also have SunONE DS 5.2 installed, 
> > > this has the schema for Samba 3.0.1 successfully loaded. I have 
> > > created the idamap OU in the directory and I have configured my 
> > > smb.conf to use LDAP for idmap data, file attached. And I have
set
> > > the LDAP admin account password with "smbpasswd -w". I
have also
> > > disabled nscd from starting up & installed patch 113476-05
which
> > > is required for Solaris 9. I can also see winbindd establishing a
> > > connection to Sun LDAP in its access log.
> > >
> > >   As I was writing this mail I have noticed that a getent for 
> > > users and groups is not displaying any AD users/groups but is 
> > > exiting with a status 0, this is despite the fact that wbinfo is 
> > > correctly displaying all my AD users/groups!? I can see from a 
> > > snoop and truss run on the getent that it is making LDAP calls to
> > > the AD DC but it's not returning anything!?! I have had this 
> > > running on a Solaris 8 system in my test environment successfully
> > > and can't think of anything I've done differently.
> > >
> > > If anyone can help I'd greatly appreciate it,
> > >
> > > 	many thanks Andy.
> > >
> > > -----Original Message-----
> > > From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
> > > Posted At: 07 January 2004 16:44
> > > Posted To: Samba
> > > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > >
> > > Andy,
> > >
> > > Tell us a bit more, I'm doing a similar thing I think. 
I'm not
> > > using Sun's LDAP service, I have OpenLDAP running on a Redhat
9.0
> > > box and I'm logging into my Solaris 9.0 machine running
winbind,
> > > with my NT username and password which creates an idmap in the 
> > > openldap database on the Redhat box....well, that's what it
is
> > > supposed to do anyway...it works fine on Redhat, Solaris is 
> > > proving to be a little more tricky.
> > >
> > > Is this what you are doing?
> > >
> > > -----Original Message-----
> > > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > > Sent: 07 January 2004 14:23
> > > To: samba@lists.samba.org
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Hi John/List,
> > >
> > > 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun
DS
> > > 5.2 but without any success. I've tried what John T has
suggested
> > > below but my idmap OU is still empty (adapted LDAP commnads for 
> > > Sun DS). I cannot see any errors in either Samba or Sun DS logs, 
> > > does anyone have any troubleshooting tips to help work out why 
> > > this isn't working?
> > >
> > > 		many thanks Andy.
> > >
> > > -----Original Message-----
> > > From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
> > > [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On
> > > Behalf Of John H Terpstra Posted At: 03 January 2004 23:54 Posted
> > > To: Samba
> > > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Kent,
> > >
> > > Did you create the container for the ou=Idmap in your LDAP 
> > > database? The IDMAP entries are automatically added to LDAP - IF 
> > > the container exists, and so long as Samba can access that 
> > > database.
> > >
> > > Also, I suggest you store your machine accounts in the Users 
> > > container and not in the Computers container. Samba does not at 
> > > this time search the Computers container correctly.
> > >
> > > Execute the following to find out if your LDAP database has an 
> > > IDMAP
> > > container:
> > > 	slapcat | grep -i IDMAP
> > >
> > >
> > > If nothing is returned, execute this:
> > >
> > > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w
'password' << EOR
> > > dn: ou=Idmap,dc=abmas,dc=biz
> > > objectClass: organizationalunit
> > > ou: idmap
> > > structuralObjectClass: organizationalunit
> > > EOR
> > >
> > > Now you must stop samba, delete the winbind*tdb files, restart 
> > > samba,
> > > run:
> > > 	wbinfo -u
> > > And that should automatically populate your LDAP IDMAP database.
> > >
> > > Cheers,
> > > John T.
> > >
> > >
> > >
> > > BBCi at http://www.bbc.co.uk/
> > >
> > > This e-mail (and any attachments) is confidential and may contain
> > > personal views which are not the views of the BBC unless 
> > > specifically stated. If you have received it in error, please 
> > > delete it from your system. Do not use, copy or disclose the 
> > > information in any way nor act in reliance on it and notify the 
> > > sender immediately. Please note that the BBC monitors e-mails
sent
> > > or received. Further communication will signify your consent to 
> > > this.
> > >
> >
> >
>
>
-- 
John H Terpstra
Email: jht@samba.org

If you're interested, Sun has told me that there is some kind of bug with
the way nsswitch.conf is dealt with in Solaris 9 but since nsswitch.conf is
not a pubic interface...blah blah blah they are still deciding whether they
should deal with it or not.  

In the mean time I'm still wondering how anyone else got this to work, this
bug can't only be affecting me?!

Does anyone have a working winbind pam.conf from Solaris 9 that I can look
at? 

Thanks,
Sap

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org] 
Sent: 13 January 2004 16:39
To: Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:
>
> John,
>
> Any ideas?  When I try to log in it seems to get past the PAM stuff 
> but then it just sits there, I don't get a prompt.  I've enabled
debug
> on all the modules in pam.conf, should I post the log files?
You should get rid of the "winbind uid" and "winbind gid"
parameters as they
have been superceded by "idmap uid" and "idmap gid".

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the
appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

	getent passwd

and

	getent group

You will need to install the LDAP admin password into your Samba secrets.tdb
file. The command that does that is:

	smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.
>
> Sapan
>
> -----Original Message-----
> From: Ganguly, Sapan
> Sent: 08 January 2004 17:39
> To: 'John H Terpstra'; Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
>
> John,
>
> Wbinfo -u lists all my NT user and wbinfo -g lists all my NT groups.
>
> Here is a copy of my smb.conf, I took it from a working Redhat 9.0 
> machine I built.
>
> [global]
>
> # LDAP stuff for the idmap backend
>
> ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
> ldap suffix = dc=uk,dc=trt,dc=thales
> ldap idmap suffix = ou=idmap
>
> # Winbind stuff
>
> winbind separator = -
> idmap uid = 10000-20000
> winbind uid = 10000-20000
> idmap gid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #template homedir = /home/%D/%U
> #template homedir = /home/%U
> template homedir = /mnt/spare/%U
> template shell = /bin/bash
> idmap backend = ldap:ldap://lnxs001
>
> # workgroup = NT-Domain-Name or Workgroup-Name
>    workgroup = DOMAIN
>
> # server string is the equivalent of the NT Description field
>    server string = SUN001
>
> # if you want to automatically load your printer list rather # than 
> setting them up individually then you'll need this
>    printcap name = /etc/printcap
>    load printers = yes
>
> # this tells Samba to use a separate log file for each machine # that 
> connects
>    log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
>    max log size = 50
>
> # Security mode. Most people will want user level security. See # 
> security_level.txt for details.
>    security = user
> # Use password server option only with security = server
> ;   password server = <NT-Server-Name>
>
> # Most people will find that this option gives better performance. # 
> See speed.txt and the manual pages for details
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Browser Control Options:
> # set local master to no if you don't want Samba to become a master # 
> browser on your network. Otherwise the normal election rules apply
>    local master = no
>
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> #	Note: Samba can be either a WINS Server, or a WINS Client, but NOT
> both
>    wins server = 192.168.224.25
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS 
> names # via DNS nslookups. The built-in default for versions 1.9.17 is 
> yes, # this has been changed in version 1.9.18 to no.
>    dns proxy = no
>
>
>
> Thanks,
> Sapan
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: 08 January 2004 16:58
> To: Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Sapan,
>
> I recently installed Samba-3 on Solaris 9 and had no problem with PAM 
> and NSS functionality. Logons using domain users worked well. As I do 
> not have a Sun box it is a little difficult for me to help you 
> directly.
>
> What output do you get from:
> 	wbinfo -u
> 	wbinfo -g
>
> Please send me your smb.conf file so I can see what may be going on.
>
> - John T.
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > Yep, I've done that, I basically followed the Solaris 9 HOWTO from
> > the main HOWTO collection that comes with Samba 3.0, the only 
> > difference is that I used an /etc/pam.conf for Solaris 9 posted on 
> > the list by Patrik Gustavsson. I haven't managed to get hold of
him,
> > he says he has made it work on Solaris 9. I also want to get 
> > pam_mkhomedir work but I have to get past this bit first.
> > >From his email signature it looks like he work for Sun in Sweden 
> > >but even
> > the Sun helpdesk in the UK hasn't been able to get hold of him
yet.
> >
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht@samba.org]
> > Sent: 08 January 2004 15:54
> > To: Ganguly, Sapan
> > Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
> >
> > >
> > > I'm doing the same thing but with NT4 so I'm not using
active
> > > directory. The only thing you haven't mentioned that I can
think
> > > of is nsswitch.conf, you should have -
> > >
> > > Passwd: files winbind
> > > Group: files winbind
> > >
> > > Getent works for me, I'm stuck with getting log ons to the
Solaris
> > > machine with NT usernames to work.
> >
> > If you want to log onto the Sun machine using Windows networking 
> > credentials you must configure PAM to support the use of 
> > pam_winbind.so. Have you done that?
> >
> > - John T.
> >
> >
> > > They seem to have changed something in Solaris 9, even Sun
hasn't
> > > been able to help me!
> > >
> > > -----Original Message-----
> > > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > > Sent: 08 January 2004 13:45
> > > To: Ganguly, Sapan ; samba@lists.samba.org
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Hi Sapan/All,
> > >
> > > 	ok this is all in my test/dev environment. I have a Sun Sparc 
> > > workstation running Solaris 9 and an Intel server running Windows
> > > 2000 server acting as a Native mode AD DC. My Sparc system has 
> > > Samba 3.0.1 installed and is successfully joined to the AD
domain,
> > > I can authenticate via kerberos and wbinfo -u lists domain users 
> > > etc. All I need LDAP for is centralising the IDMAP mappings
across
> > > our theoretical Samba server infrastructure.
> > >
> > >   On the same sparc system I also have SunONE DS 5.2 installed, 
> > > this has the schema for Samba 3.0.1 successfully loaded. I have 
> > > created the idamap OU in the directory and I have configured my 
> > > smb.conf to use LDAP for idmap data, file attached. And I have
set
> > > the LDAP admin account password with "smbpasswd -w". I
have also
> > > disabled nscd from starting up & installed patch 113476-05
which
> > > is required for Solaris 9. I can also see winbindd establishing a
> > > connection to Sun LDAP in its access log.
> > >
> > >   As I was writing this mail I have noticed that a getent for 
> > > users and groups is not displaying any AD users/groups but is 
> > > exiting with a status 0, this is despite the fact that wbinfo is 
> > > correctly displaying all my AD users/groups!? I can see from a 
> > > snoop and truss run on the getent that it is making LDAP calls to
> > > the AD DC but it's not returning anything!?! I have had this 
> > > running on a Solaris 8 system in my test environment successfully
> > > and can't think of anything I've done differently.
> > >
> > > If anyone can help I'd greatly appreciate it,
> > >
> > > 	many thanks Andy.
> > >
> > > -----Original Message-----
> > > From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
> > > Posted At: 07 January 2004 16:44
> > > Posted To: Samba
> > > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > >
> > > Andy,
> > >
> > > Tell us a bit more, I'm doing a similar thing I think. 
I'm not
> > > using Sun's LDAP service, I have OpenLDAP running on a Redhat
9.0
> > > box and I'm logging into my Solaris 9.0 machine running
winbind,
> > > with my NT username and password which creates an idmap in the 
> > > openldap database on the Redhat box....well, that's what it
is
> > > supposed to do anyway...it works fine on Redhat, Solaris is 
> > > proving to be a little more tricky.
> > >
> > > Is this what you are doing?
> > >
> > > -----Original Message-----
> > > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > > Sent: 07 January 2004 14:23
> > > To: samba@lists.samba.org
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Hi John/List,
> > >
> > > 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun
DS
> > > 5.2 but without any success. I've tried what John T has
suggested
> > > below but my idmap OU is still empty (adapted LDAP commnads for 
> > > Sun DS). I cannot see any errors in either Samba or Sun DS logs, 
> > > does anyone have any troubleshooting tips to help work out why 
> > > this isn't working?
> > >
> > > 		many thanks Andy.
> > >
> > > -----Original Message-----
> > > From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
> > > [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On
> > > Behalf Of John H Terpstra Posted At: 03 January 2004 23:54 Posted
> > > To: Samba
> > > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Kent,
> > >
> > > Did you create the container for the ou=Idmap in your LDAP 
> > > database? The IDMAP entries are automatically added to LDAP - IF 
> > > the container exists, and so long as Samba can access that 
> > > database.
> > >
> > > Also, I suggest you store your machine accounts in the Users 
> > > container and not in the Computers container. Samba does not at 
> > > this time search the Computers container correctly.
> > >
> > > Execute the following to find out if your LDAP database has an 
> > > IDMAP
> > > container:
> > > 	slapcat | grep -i IDMAP
> > >
> > >
> > > If nothing is returned, execute this:
> > >
> > > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w
'password' << EOR
> > > dn: ou=Idmap,dc=abmas,dc=biz
> > > objectClass: organizationalunit
> > > ou: idmap
> > > structuralObjectClass: organizationalunit
> > > EOR
> > >
> > > Now you must stop samba, delete the winbind*tdb files, restart 
> > > samba,
> > > run:
> > > 	wbinfo -u
> > > And that should automatically populate your LDAP IDMAP database.
> > >
> > > Cheers,
> > > John T.
> > >
> > >
> > >
> > > BBCi at http://www.bbc.co.uk/
> > >
> > > This e-mail (and any attachments) is confidential and may contain
> > > personal views which are not the views of the BBC unless 
> > > specifically stated. If you have received it in error, please 
> > > delete it from your system. Do not use, copy or disclose the 
> > > information in any way nor act in reliance on it and notify the 
> > > sender immediately. Please note that the BBC monitors e-mails
sent
> > > or received. Further communication will signify your consent to 
> > > this.
> > >
> >
> >
>
>
-- 
John H Terpstra
Email: jht@samba.org

John,

What options did you compile samba with on Solaris 9?  Maybe that's where I
went wrong?  I don't suppose you have copies of the pam.conf from when you
did it do you?

-----Original Message-----
From: Ganguly, Sapan 
Sent: 14 January 2004 13:40
To: 'John H Terpstra'; Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?



John,

OK, I took out the "winbind uid" and "winbind gid" lines.

Here is what I have in /lib, how do I know which is the appropriate version
name?  I've tried these ones. 

-rwxr-xr-x   1 root     other     751048 Dec 11 13:36 libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 libnss_winbind.so.1 ->
libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:19 libnss_winbind.so.2 ->
libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:20 nss_winbind.so.1 ->
libnss_winbind.so
lrwxrwxrwx   1 root     other         17 Dec  4 14:21 nss_winbind.so.2 ->
libnss_winbind.so

I've done everything else too but my login still hangs at the
"password:"
prompt after I have typed the password in.  Although when I did a 'getent
group' it did pause for a few seconds several times during the listing, that
may just be because we have a lot of NT groups.  'getent passwd' worked
fine
and listed all the unix users as well as all the NT users in a split second.
My /etc/nsswitch.conf is configured and I have done the 'smbpasswd -w'
command to put my LDAP password into secets.tdb.

Here is what I get in my pamlog, as you can see, it does say "access
granted" on the last line.  I think the first line is me killing the telnet
session of a previous attempt. 

Jan 14 13:29:55 sun001 pam_winbind[15352]: [ID 571141 auth.debug]
libpam_winbind:pam_sm_close_sessio
n handler
Jan 14 13:29:59 sun001 login: [ID 634615 auth.debug]
pam_authtok_get:pam_sm_authenticate: flags = 0 Jan 14 13:30:05 sun001 login:
[ID 378613 auth.debug] pam_dhkeys: user ganguly not found Jan 14 13:30:05
sun001 login: [ID 896952 auth.debug] pam_unix_auth: entering
pam_sm_authenticate() Jan 14 13:30:05 sun001 login: [ID 219349 auth.debug]
pam_unix_auth: user ganguly not found Jan 14 13:30:05 sun001
pam_winbind[15369]: [ID 572310 auth.info] Verify user `ganguly' Jan 14
13:30:05 sun001 pam_winbind[15369]: [ID 614614 auth.notice] user
'ganguly'
granted acces Jan 14 13:30:05 sun001 login[15369]: [ID 509786 auth.debug]
roles pam_sm_authenticate, service = tel net user = ganguly ruser = not set
rhost = 192.168.224.90

Does anyone have any ideas on what the problem could be?  According to this
log access is granted right?  So why does it just sit there at
"password:"?

Thanks,
Sapan

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org] 
Sent: 13 January 2004 16:39
To: Ganguly, Sapan 
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] How do I get Winbind accounts in LDAP?


On Tue, 13 Jan 2004, Ganguly, Sapan  wrote:
>
> John,
>
> Any ideas?  When I try to log in it seems to get past the PAM stuff
> but then it just sits there, I don't get a prompt.  I've enabled
debug
> on all the modules in pam.conf, should I post the log files?
You should get rid of the "winbind uid" and "winbind gid"
parameters as they
have been superceded by "idmap uid" and "idmap gid".

Did you install the libnss_winbind.so module you built (it's in the
~samba/sources/nsswitch directory) as /lib/nss_winbind.so and link it to the
appropriate version name?

Have you modified in /etc/nsswitch.conf the following:

passwd: files winbind
group: files winbind


Do you obtain correct domain account information from:

	getent passwd

and

	getent group

You will need to install the LDAP admin password into your Samba secrets.tdb
file. The command that does that is:

	smbpasswd -w 'secret_password'

PAM provides authentication, NSS (name service switch) does Identity
resolution. It is the instrument that will permit the LDAP database to be
populated via winbind.

I hope this helps.

Cheers,
John T.
>
> Sapan
>
> -----Original Message-----
> From: Ganguly, Sapan
> Sent: 08 January 2004 17:39
> To: 'John H Terpstra'; Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
>
> John,
>
> Wbinfo -u lists all my NT user and wbinfo -g lists all my NT groups.
>
> Here is a copy of my smb.conf, I took it from a working Redhat 9.0
> machine I built.
>
> [global]
>
> # LDAP stuff for the idmap backend
>
> ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
> ldap suffix = dc=uk,dc=trt,dc=thales
> ldap idmap suffix = ou=idmap
>
> # Winbind stuff
>
> winbind separator = -
> idmap uid = 10000-20000
> winbind uid = 10000-20000
> idmap gid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #template homedir = /home/%D/%U
> #template homedir = /home/%U
> template homedir = /mnt/spare/%U
> template shell = /bin/bash
> idmap backend = ldap:ldap://lnxs001
>
> # workgroup = NT-Domain-Name or Workgroup-Name
>    workgroup = DOMAIN
>
> # server string is the equivalent of the NT Description field
>    server string = SUN001
>
> # if you want to automatically load your printer list rather # than
> setting them up individually then you'll need this
>    printcap name = /etc/printcap
>    load printers = yes
>
> # this tells Samba to use a separate log file for each machine # that
> connects
>    log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
>    max log size = 50
>
> # Security mode. Most people will want user level security. See #
> security_level.txt for details.
>    security = user
> # Use password server option only with security = server
> ;   password server = <NT-Server-Name>
>
> # Most people will find that this option gives better performance. #
> See speed.txt and the manual pages for details
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Browser Control Options:
> # set local master to no if you don't want Samba to become a master #
> browser on your network. Otherwise the normal election rules apply
>    local master = no
>
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> #	Note: Samba can be either a WINS Server, or a WINS Client, but NOT
> both
>    wins server = 192.168.224.25
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS
> names # via DNS nslookups. The built-in default for versions 1.9.17 is 
> yes, # this has been changed in version 1.9.18 to no.
>    dns proxy = no
>
>
>
> Thanks,
> Sapan
>
> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: 08 January 2004 16:58
> To: Ganguly, Sapan
> Cc: 'samba@lists.samba.org'
> Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
>
>
> Sapan,
>
> I recently installed Samba-3 on Solaris 9 and had no problem with PAM
> and NSS functionality. Logons using domain users worked well. As I do 
> not have a Sun box it is a little difficult for me to help you 
> directly.
>
> What output do you get from:
> 	wbinfo -u
> 	wbinfo -g
>
> Please send me your smb.conf file so I can see what may be going on.
>
> - John T.
>
> On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
>
> >
> > Yep, I've done that, I basically followed the Solaris 9 HOWTO from
> > the main HOWTO collection that comes with Samba 3.0, the only 
> > difference is that I used an /etc/pam.conf for Solaris 9 posted on 
> > the list by Patrik Gustavsson. I haven't managed to get hold of
him,
> > he says he has made it work on Solaris 9. I also want to get 
> > pam_mkhomedir work but I have to get past this bit first.
> > >From his email signature it looks like he work for Sun in Sweden
> > >but even
> > the Sun helpdesk in the UK hasn't been able to get hold of him
yet.
> >
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht@samba.org]
> > Sent: 08 January 2004 15:54
> > To: Ganguly, Sapan
> > Cc: 'ww m-pubsyssamba'; 'samba@lists.samba.org'
> > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> >
> >
> > On Thu, 8 Jan 2004, Ganguly, Sapan  wrote:
> >
> > >
> > > I'm doing the same thing but with NT4 so I'm not using
active
> > > directory. The only thing you haven't mentioned that I can
think
> > > of is nsswitch.conf, you should have -
> > >
> > > Passwd: files winbind
> > > Group: files winbind
> > >
> > > Getent works for me, I'm stuck with getting log ons to the
Solaris
> > > machine with NT usernames to work.
> >
> > If you want to log onto the Sun machine using Windows networking
> > credentials you must configure PAM to support the use of 
> > pam_winbind.so. Have you done that?
> >
> > - John T.
> >
> >
> > > They seem to have changed something in Solaris 9, even Sun
hasn't
> > > been able to help me!
> > >
> > > -----Original Message-----
> > > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > > Sent: 08 January 2004 13:45
> > > To: Ganguly, Sapan ; samba@lists.samba.org
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Hi Sapan/All,
> > >
> > > 	ok this is all in my test/dev environment. I have a Sun Sparc
> > > workstation running Solaris 9 and an Intel server running Windows
> > > 2000 server acting as a Native mode AD DC. My Sparc system has 
> > > Samba 3.0.1 installed and is successfully joined to the AD
domain,
> > > I can authenticate via kerberos and wbinfo -u lists domain users 
> > > etc. All I need LDAP for is centralising the IDMAP mappings
across
> > > our theoretical Samba server infrastructure.
> > >
> > >   On the same sparc system I also have SunONE DS 5.2 installed,
> > > this has the schema for Samba 3.0.1 successfully loaded. I have 
> > > created the idamap OU in the directory and I have configured my 
> > > smb.conf to use LDAP for idmap data, file attached. And I have
set
> > > the LDAP admin account password with "smbpasswd -w". I
have also
> > > disabled nscd from starting up & installed patch 113476-05
which
> > > is required for Solaris 9. I can also see winbindd establishing a
> > > connection to Sun LDAP in its access log.
> > >
> > >   As I was writing this mail I have noticed that a getent for
> > > users and groups is not displaying any AD users/groups but is 
> > > exiting with a status 0, this is despite the fact that wbinfo is 
> > > correctly displaying all my AD users/groups!? I can see from a 
> > > snoop and truss run on the getent that it is making LDAP calls to
> > > the AD DC but it's not returning anything!?! I have had this 
> > > running on a Solaris 8 system in my test environment successfully
> > > and can't think of anything I've done differently.
> > >
> > > If anyone can help I'd greatly appreciate it,
> > >
> > > 	many thanks Andy.
> > >
> > > -----Original Message-----
> > > From: Ganguly, Sapan [mailto:Sapan.Ganguly@thalesgroup.com]
> > > Posted At: 07 January 2004 16:44
> > > Posted To: Samba
> > > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > >
> > > Andy,
> > >
> > > Tell us a bit more, I'm doing a similar thing I think. 
I'm not
> > > using Sun's LDAP service, I have OpenLDAP running on a Redhat
9.0
> > > box and I'm logging into my Solaris 9.0 machine running
winbind,
> > > with my NT username and password which creates an idmap in the 
> > > openldap database on the Redhat box....well, that's what it
is
> > > supposed to do anyway...it works fine on Redhat, Solaris is 
> > > proving to be a little more tricky.
> > >
> > > Is this what you are doing?
> > >
> > > -----Original Message-----
> > > From: ww m-pubsyssamba [mailto:pubsyssamba@bbc.co.uk]
> > > Sent: 07 January 2004 14:23
> > > To: samba@lists.samba.org
> > > Subject: RE: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Hi John/List,
> > >
> > > 	I'm attemtpting this (idmap in LDAP) with samba3.0.1 and Sun
DS
> > > 5.2 but without any success. I've tried what John T has
suggested
> > > below but my idmap OU is still empty (adapted LDAP commnads for 
> > > Sun DS). I cannot see any errors in either Samba or Sun DS logs, 
> > > does anyone have any troubleshooting tips to help work out why 
> > > this isn't working?
> > >
> > > 		many thanks Andy.
> > >
> > > -----Original Message-----
> > > From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org
> > > [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org]On
> > > Behalf Of John H Terpstra Posted At: 03 January 2004 23:54 Posted
> > > To: Samba
> > > Conversation: [Samba] How do I get Winbind accounts in LDAP?
> > > Subject: Re: [Samba] How do I get Winbind accounts in LDAP?
> > >
> > >
> > > Kent,
> > >
> > > Did you create the container for the ou=Idmap in your LDAP
> > > database? The IDMAP entries are automatically added to LDAP - IF 
> > > the container exists, and so long as Samba can access that 
> > > database.
> > >
> > > Also, I suggest you store your machine accounts in the Users
> > > container and not in the Computers container. Samba does not at 
> > > this time search the Computers container correctly.
> > >
> > > Execute the following to find out if your LDAP database has an
> > > IDMAP
> > > container:
> > > 	slapcat | grep -i IDMAP
> > >
> > >
> > > If nothing is returned, execute this:
> > >
> > > ldapadd -x -D "cn=admin,dc=tow,dc=net" -w
'password' << EOR
> > > dn: ou=Idmap,dc=abmas,dc=biz
> > > objectClass: organizationalunit
> > > ou: idmap
> > > structuralObjectClass: organizationalunit
> > > EOR
> > >
> > > Now you must stop samba, delete the winbind*tdb files, restart
> > > samba,
> > > run:
> > > 	wbinfo -u
> > > And that should automatically populate your LDAP IDMAP database.
> > >
> > > Cheers,
> > > John T.
> > >
> > >
> > >
> > > BBCi at http://www.bbc.co.uk/
> > >
> > > This e-mail (and any attachments) is confidential and may contain
> > > personal views which are not the views of the BBC unless 
> > > specifically stated. If you have received it in error, please 
> > > delete it from your system. Do not use, copy or disclose the 
> > > information in any way nor act in reliance on it and notify the 
> > > sender immediately. Please note that the BBC monitors e-mails
sent
> > > or received. Further communication will signify your consent to 
> > > this.
> > >
> >
> >
>
>
-- 
John H Terpstra
Email: jht@samba.org