Dirk Broer
2004-Jan-28 22:27 UTC
[Samba] Problems mapping winbind/kerberos usernames and groups to Linux user and groups.
Samba 3.0.1 on Mandrake 9.1ish. Kerberos version seems to match latest
stable MIT build.
I can log in via Kerberos authentication and/or winbind. A couple of
problems though.
1) telnet with the domain username and password and the telnet session
doesn't read /etc/bashrc. Telnet with local username and it does. bash
is the shell for both accounts.
2) The group account is "Domain User" - with a guid of 10000. That
matches the winbind settings but I would like to have a group that both
local and domain users can belong to. So I don't have to open all shared
directories with chmod 777.
I have tried setting up a username map, but the moment I either map a domain
name to a unix name _or_ have a unix username that is the same as a domain
name, that user can no longer access the server.
template primary group = users. This seems to have no effect.
I have a CVS directory for an internal project that I want to protect
and I don't want to set permissions to 777. I would also have to set the
default directory permissions for all the CVS users to 777 as well - or they
will add directories that only same group members can access.
Should I just change the guid map to point everyone to 100? (guid users=100)
Samba was configured with the following options:
--with-acl-support
--with-automount
--with-smbmount
--with-libsmbclient
--with-sendfile-support
--with-smbwrapper
--with-winbind
PAM wasn't compiled in.
# Samba config file created using SWAT
# from 192.168.0.85 (192.168.0.85)
# Date: 2004/01/28 17:07:49
# Global parameters
[global]
workgroup = MYWORKGROUP
realm = MYWORKGROUP.COM
security = DOMAIN
obey pam restrictions = Yes
log level = 2
add user script = /usr/sbin/useradd -s /bin/bash -g 100 %u
delete user script = /usr/sbin/userdel %u
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = users
template shell = /bin/bash
use sendfile = Yes
case sensitive = Yes
hide dot files = No
[homes]
comment = Home directory
read only = No
browseable = No
[dirk]
path = /home/dirk
valid users = dirk
read only = No
guest ok = Yes
Thank you,
Dirk
#include <standard_disclaimer>
#include <funny_quote>
Buchan Milne
2004-Feb-03 10:23 UTC
[Samba] Problems mapping winbind/kerberos usernames and groups to Linux user and groups.
On Wed, 28 Jan 2004, Dirk Broer wrote:

> Samba 3.0.1 on Mandrake 9.1ish. Kerberos version seems to match latest
> stable MIT build.
>
> I can log in via Kerberos authentication and/or winbind. A couple of
> problems though.
>
> 1) telnet with the domain username and password and the telnet session
> doesn't read /etc/bashrc. Telnet with local username and it does. bash
> is the shell for both accounts.

How are you creating home directories? If you use pam_mkhomedir, it should work; if not, you might not be copying a correct ~/.bashrc from /etc/skel.

> 2) The group account is "Domain User" - with a guid of 10000. That
> matches the winbind settings but I would like to have a group that both
> local and domain users can belong to. So I don't have to open all shared
> directories with chmod 777.

You should be able to create a local group entry (you don't say where Linux users exist ...), or if you are using XFS you can use ACLs instead. But, it may not be the best idea to have local and winbind accounts that must have overlapping group memberships ...

> I have tried setting up a username map, but the moment I either map a domain
> name to a unix name _or_ have a unix username that is the same as a domain
> name, that user can no longer access the server.
>
> template primary group = users. This seems to have no effect.
>
> I have a CVS directory for an internal project that I want to protect
> and I don't want to set permissions to 777. I would also have to set the
> default directory permissions for all the CVS users to 777 as well - or they
> will add directories that only same group members can access.
>
> Should I just change the guid map to point everyone to 100?
> (guid users=100)

Yes, if you can't use ACLs (i.e. on XFS), that may work.

> Samba was configured with the following options:
> --with-acl-support
> --with-automount
> --with-smbmount
> --with-libsmbclient
> --with-sendfile-support
> --with-smbwrapper
> --with-winbind

Hmm, you may rather want to try rebuilding the source release against your Kerberos install with the rpm tools, just:

$ cd packaging/Mandrake
$ sh makerpms.sh

> PAM wasn't compiled in.
>
> # Samba config file created using SWAT
> # from 192.168.0.85 (192.168.0.85)
> # Date: 2004/01/28 17:07:49
>
> # Global parameters
> [global]
> workgroup = MYWORKGROUP
> realm = MYWORKGROUP.COM
> security = DOMAIN
> obey pam restrictions = Yes
> log level = 2
> add user script = /usr/sbin/useradd -s /bin/bash -g 100 %u
> delete user script = /usr/sbin/userdel %u
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template primary group = users
> template shell = /bin/bash
> use sendfile = Yes
> case sensitive = Yes
> hide dot files = No
>
> [homes]
> comment = Home directory
> read only = No
> browseable = No
>
> [dirk]
> path = /home/dirk
> valid users = dirk
> read only = No
> guest ok = Yes

Regards,
Buchan
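
Added example, not part of either message: one way to apply the shared-group approach discussed in this thread instead of chmod 777, using setgid directories together with a umask of 007. The function names and the group passed as the second argument are assumptions; the group must already exist and contain both the local and the winbind users.

```shell
#!/bin/sh
# Added example (not from the thread). Any group name passed in is an
# assumption; create it and add the local and winbind users beforehand.

# Count world-writable entries under a tree (what chmod 777 leaves behind).
count_world_writable() {
    find "$1" ! -type l -perm -0002 -print | wc -l | tr -d ' '
}

# Harden a shared tree:
#   directories -> 2770: rwx for owner and group, nothing for others, and
#                  setgid so new entries inherit the directory's group
#   files       -> group read/write added, every "other" bit removed
# $1 = directory, $2 = optional group to hand the tree to.
harden_shared_dir() {
    dir=$1
    group=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod g+rw,o-rwx {} + || return 1
}

# Succeeds when a directory is setgid and grants nothing to "other".
is_group_only() {
    [ -n "$(find "$1" -prune -perm -2000 \
        ! -perm -0001 ! -perm -0002 ! -perm -0004 -print)" ]
}

# Stand-alone use: sh script.sh /path/to/tree [group]
if [ $# -ge 1 ]; then
    harden_shared_dir "$@"
fi
```

Users who create directories in the tree need umask 007 (or 002) so that new subdirectories stay group-accessible; on Linux the setgid bit itself is inherited by new subdirectories.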