Hello All,
I want to thank everyone who reads and responds to this group. You have all
been an invaluable help to me.
I now have a working Samba 3.0.1 LDAP PDC and domain member server using
winbind (both servers are running Slackware 9.1).
I also have virtual users and groups using nss_ldap from www.padl.com,
without pam or users/groups in /etc/passwd or /etc/group only in the LDAP
backend....
Everything works great
getent passwd lists the ldap users, getent group lists the groups, wbinfo -u
works, wbinfo -g works...
My only questions are
1. On my domain member server, I have to set the passdb backend = smbpasswd
otherwise if passdb backend = ldapsam:ldap://frodo, then winbindd won't
start...
FYI on the domain member server running winbindd, the smbpasswd file is 0kb
so nothing is being stored there...???
2. Also I have read about a parameter idmap backend, which works to
ensure the correct user/group id mappings across different servers
running winbind....(please correct me if I am wrong about this)
but if I add this parameter in my smb.conf file like
idmap backend = ldap:ldap://frodo/ the log seems to complain about not
finding a file called ldap.so
and winbindd will again fail to start...
Am I supposed to be running winbindd on the PDC also or just on domain
member server....??
Do I need all the LDAP entries on the domain member server....like on the
PDC??
the results for me anyway are the same in either case ...just curious...
If anyone has any clues into where I am going wrong, please let me know
Below are my two smb.conf files for the PDC and the domain member server....
Once again..thanks for all the help and great work Samba team
Clay
Below is the smb file from the PDC.....
#======================= Global Settings ====================================
[global]
workgroup = HELMSDEEP
netbios name = FRODO
server string = Samba LDAP Server
log file = /usr/local/samba3/var/%m.log
max log size = 50
log level = 2
; username map =/etc/samba/usermap
; hosts allow = 10.1.41.0/255.255.255.0
######Printer Stuff
load printers = yes
printing = cups
printcap name = cups
######LDAP Stuff
ldap suffix = dc=hharchitects,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=People
; ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = off
ldap admin dn = cn=Manager,dc=hharchitects,dc=com
ldap delete dn = no
ldap filter = (uid=%u)
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://localhost
idmap uid = 20000-30000
idmap gid = 20000-30000
winbind separator = +
######Domain Stuff
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon path =
logon drive = H:
logon home = \\%L\%U
local master = yes
domain master = yes
domain logons = yes
dns proxy = no
logon script = \\%L\netlogon\logon.bat
os level = 33
security = user
preferred master = yes
#######Password stuff
passdb backend = ldapsam:ldap://localhost
; unix password sync = yes
passwd chat debug = Yes
; passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u
; passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
encrypt passwords = yes
######################################################################
######################User Add Scripts################################
; add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u
add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"
delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"
add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g"
delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"
add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u "%u" -gid "%g"
#####################################################################
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
share modes = no
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes
printer admin = @admins
[public]
comment = Public Stuff
path = /mnt/data
public = yes
writable = yes
inherit permissions = yes
printable = no
write list = @everyone
This is the smb file from the winbind domain member server
# 11.22.03 cbk - remarked winbind templates
# Global parameters
[global]
workgroup = HELMSDEEP
netbios name = WINBINDTEST
passwd program = /usr/bin/passwd %u
; unix password sync = Yes
;trying 01.09.03
passdb backend = smbpasswd
; passdb backend = ldapsam:ldap://frodo;smbpasswd
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
update encrypted = Yes
; name resolve order = wins bcast hosts lmhosts
encrypt passwords = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; wins server = 10.1.41.2
max log size = 50
passwd chat debug = Yes
server string = Samba Server %v
log level = 10
log file = /usr/local/samba/var/log.%m
security = domain
password server = *
nt acl support = yes
winbind use default domain = Yes
dos filetimes = yes
######LDAP Stuff
ldap suffix = dc=hharchitects,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=People
; ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = off
ldap admin dn = cn=Manager,dc=hharchitects,dc=com
ldap delete dn = no
ldap filter = (uid=%u)
ldap idmap suffix = ou=Idmap
##Winbind Information
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
; idmap backend = ldap:ldap://10.1.41.102/
idmap uid = 20000-30000
idmap gid = 20000-30000
# use uids from 10000 to 20000 for domain users
;winbind uid = 20000-30000
# use gids from 10000 to 20000 for domain groups
;winbind gid = 20000-30000
# allow enumeration of winbind users and groups
# might need to disable these next two for performance
# reasons on the winbindd host
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
template homedir = /home/%D/%U
template shell = /bin/bash
[jobs]
comment = Project Directory
path = /mnt/test
read only = no
nt acl support = yes
inherit permissions = yes
; veto oplock files = /*.mdb/*.MDB/
; oplocks = No
; level2 oplocks = No
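The second question above is about keeping SID-to-uid/gid mappings identical on every server that runs winbind. The following is an added example, not code from the thread or from Samba: it parses the [global] section of two constructed smb.conf fragments (modelled on the PDC and member configs above, with a deliberately mismatched gid range and the member's idmap backend still commented out) and reports the settings that would make each host allocate its own ids. The names PDC_CONF, MEMBER_CONF, parse_global and check_idmap are chosen here.

```python
import configparser
import re

# Constructed sample configs, modelled on the two smb.conf files in the thread
# (not the poster's exact files). The member config has no active
# "idmap backend" line and a gid range that does not match the PDC.
PDC_CONF = """
[global]
workgroup = HELMSDEEP
passdb backend = ldapsam:ldap://localhost
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://localhost
idmap uid = 20000-30000
idmap gid = 20000-30000
"""

MEMBER_CONF = """
[global]
workgroup = HELMSDEEP
security = domain
passdb backend = smbpasswd
ldap idmap suffix = ou=Idmap
; idmap backend = ldap:ldap://10.1.41.102/
idmap uid = 20000-30000
idmap gid = 25000-30000
"""

def parse_global(text):
    """Return the [global] section of an smb.conf as {parameter: value}.
    smb.conf ignores case and internal whitespace in parameter names, so both
    are normalised; '=' is the only delimiter because values contain ':'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {re.sub(r"\s+", " ", k.strip().lower()): v.strip() for k, v in cp["global"].items()}

def check_idmap(pdc_text, member_text):
    """Compare the idmap settings of two hosts that must agree on SID->id mapping.
    Returns a list of findings; an empty list means the two configs are consistent."""
    findings = []
    pdc, member = parse_global(pdc_text), parse_global(member_text)
    for key in ("idmap uid", "idmap gid"):
        if pdc.get(key) != member.get(key):
            findings.append(f"{key} differs: PDC={pdc.get(key)!r} member={member.get(key)!r}")
    if "idmap backend" not in member:
        findings.append("member has no idmap backend: winbind will allocate ids in a local tdb, "
                        "so uids/gids will not match the PDC or other members")
    elif not member["idmap backend"].startswith("ldap:"):
        findings.append(f"member idmap backend is {member['idmap backend']!r}, not LDAP")
    if pdc.get("ldap idmap suffix") != member.get("ldap idmap suffix"):
        findings.append("ldap idmap suffix differs between PDC and member")
    return findings
```

Running check_idmap(PDC_CONF, MEMBER_CONF) reports the gid range mismatch and the missing idmap backend; the same function returns an empty list for two consistent configs.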
Andrew Bartlett
2004-Jan-28 09:58 UTC
[Samba] Samba PDC+LDAP+Winbind+Virtual Users/Groups Success
On Wed, 2004-01-28 at 14:14, Clay wrote:
> Hello All,
>
> I want to thank everyone who reads and responds to this group. You have all
> been an invaluable help to me.
>
> I now have a working Samba 3.0.1 LDAP PDC and domain member server using
> winbind (both servers are running Slackware 9.1).
> I also have virtual users and groups using nss_ldap from www.padl.com,
> without pam or users/groups in /etc/passwd or /etc/group only in the LDAP
> backend....
>
> Everything works great
>
> getent passwd lists the ldap users, getent group lists the groups, wbinfo -u
> works, wbinfo -g works...
>
> My only questions are
> 1. On my domain member server, I have to set the passdb backend = smbpasswd
> otherwise if passdb backend = ldapsam:ldap://frodo, then winbindd won't
> start...
> FYI on the domain member server running winbindd, the smbpasswd file is 0kb
> so nothing is being stored there...???

This is correct. The domain member server often has no local accounts.

> 2. Also I have also read about a parameter idmap backend, which works to
> ensure the correct user/group id mappings across different servers
> running winbind....(please correct me if I am wrong about this)
>
> but if i add this parameter in the my smb.conf file like
>
> idmap backend = ldap:ldap://frodo/ the log seems to complain about not
> finding a file called ldap.so
> and winbindd will again fail to start...

Is your Samba on the member server compiled with ldap?

> Am I supposed to be running winbindd on the PDC also or just on domain
> member server....??

Normally on the member servers only, unless you have domain trusts or some
other particular requirements.

> Do I need all the LDAP entries on the domain member server....like on the
> PDC??
> the results for me anyway are the same in either case ...just curious...

If you do, you can avoid running winbind for nsswitch. This may be
advantageous for your local environment.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net