Hello,

Please forgive me if this has been discussed, I did not find any
references when I searched.

I'm trying to replace a W2K server with a samba member server in a
single ADS domain.

It seems that the Fedora rpms do not support idmap_rid so I am trying to
compile from the Fedora SRPM. After following the docs for building and
configuring idmap_rid I get no ADS users from `getent passwd`. wbinfo -u
returns the user list without the DOMAIN\ prefix.

When I try to connect to the samba share I am confronted with an auth
box that I have not been able to satisfy.

/var/log/samba/winbindd includes:
idmap_init: using 'idmap_rid' as remote backend

Can anyone help?

Thanks,
Brian Hoover

/*/*/*/*/* smb.conf /*/*/*/*/*/*
[global]
unix charset = LOCALE
workgroup = VIDAR
realm = VIDAR.CORP
server string = BIS05
security = ADS
allow trusted domains = No
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
ldap ssl = no
idmap backend = idmap_rid:VIDAR=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind nested groups = Yes

[users]
comment = User Folders
path = /smb/users
admin users = root, 'Domain Admins'
read only = No
guest ok = Yes

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*

/*/*/*/*/* config.log SNIPPED /*/*/*/*/*/*

$ ./configure --with-shared-modules=idmap_rid --with-ads --with-pam --with_pamsmbpass

#define HAVE_LDAP 1
#define HAVE_KRB5 1

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*

/*/*/*/*/* nsswitch.conf /*/*/*/*/*/*

passwd: files winbind
shadow: files winbind
group: files winbind

hosts: files dns wins

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*

/*/*/*/*/* nsswitch.conf /*/*/*/*/*/*

#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
# Note: The above line is complete. There is nothing following the '='
password sufficient /lib/security/$ISA/pam_unix.so \
nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session sufficient /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*

On Sunday 30 January 2005 09:17, MailLists wrote:
> Hello,
>
> Please forgive me if this has been discussed, I did not find any
> references when I searched.
>
> I'm trying to replace a W2K server with a samba member server in a
> single ADS domain.
>
> It seems that the Fedora rpms do not support idmap_rid so I am trying to
> compile from the Fedora SRPM. After following the docs for building and
> configuring idmap_rid I get no ADS users from `getent passwd`. wbinfo -u
> returns the user list without the DOMAIN\ prefix.
>
> When I try to connect to the samba share I am confronted with an auth
> box that I have not been able to satisfy.
>
> /var/log/samba/winbindd includes:
> idmap_init: using 'idmap_rid' as remote backend
>
> Can anyone help?

As one of the arguments to the 'configure' command add:

--with-shared-modules=idmap_rid \

Then rebuild. Make sure you add the idmap_rid module to the
/usr/lib/samba/idmap directory.

- John T.

>
> Thanks,
> Brian Hoover
>
> /*/*/*/*/* smb.conf /*/*/*/*/*/*
> [global]
> unix charset = LOCALE
> workgroup = VIDAR
> realm = VIDAR.CORP
> server string = BIS05
> security = ADS
> allow trusted domains = No
> log level = 10
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 50
> ldap ssl = no
> idmap backend = idmap_rid:VIDAR=10000-20000
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> winbind nested groups = Yes
>
> [users]
> comment = User Folders
> path = /smb/users
> admin users = root, 'Domain Admins'
> read only = No
> guest ok = Yes
>
> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>
> /*/*/*/*/* config.log SNIPPED /*/*/*/*/*/*
>
> $ ./configure --with-shared-modules=idmap_rid --with-ads --with-pam --with_pamsmbpass
>
> #define HAVE_LDAP 1
> #define HAVE_KRB5 1
>
> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>
> /*/*/*/*/* nsswitch.conf /*/*/*/*/*/*
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> hosts: files dns wins
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
>
> publickey: nisplus
>
> automount: files
> aliases: files nisplus
>
> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>
> /*/*/*/*/* nsswitch.conf /*/*/*/*/*/*
>
> #%PAM-1.0
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
>
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> # Note: The above line is complete. There is nothing following the '='
> password sufficient /lib/security/$ISA/pam_unix.so \
> nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session sufficient /lib/security/$ISA/pam_unix.so
> session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
>
> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

John, sorry I did not mean to reply directly, I hate MS-Outlook!

John H Terpstra wrote:
> On Sunday 30 January 2005 09:17, MailLists wrote:
>> Hello,
>>
>> Please forgive me if this has been discussed, I did not find any
>> references when I searched.
>>
>> I'm trying to replace a W2K server with a samba member server in a
>> single ADS domain.
>>
>> It seems that the Fedora rpms do not support idmap_rid so I am trying
>> to compile from the Fedora SRPM. After following the docs for
>> building and configuring idmap_rid I get no ADS users from `getent
>> passwd`. wbinfo -u returns the user list without the DOMAIN\ prefix.
>>
>> When I try to connect to the samba share I am confronted with an auth
>> box that I have not been able to satisfy.
>>
>> /var/log/samba/winbindd includes:
>> idmap_init: using 'idmap_rid' as remote backend
>>
>> Can anyone help?
>
> As one of the arguments to the 'configure' command add:
>
> --with-shared-modules=idmap_rid \
>
> Then rebuild. Make sure you add the idmap_rid module to the
> /usr/lib/samba/idmap directory.
>
> - John T.
>

I compiled with:
./configure --with-shared-modules=idmap_rid --with-ads --with-pam --with-pam_smbpass --with-logbasedir=/var/log/samba

Then created the dir:
/usr/lib/samba/idmap

then added the symlink:
/usr/lib/samba/idmap/idmap_rid.so -> /usr/local/samba/lib/idmap/idmap_rid.so

Restarted the daemons - nmbd then winbindd then smbd

But getent passwd still gives no ADS users.

Brian

>>
>> Thanks,
>> Brian Hoover
>>
>> /*/*/*/*/* smb.conf /*/*/*/*/*/*
>> [global]
>> unix charset = LOCALE
>> workgroup = VIDAR
>> realm = VIDAR.CORP
>> server string = BIS05
>> security = ADS
>> allow trusted domains = No
>> log level = 10
>> syslog = 0
>> log file = /var/log/samba/%m
>> max log size = 50
>> ldap ssl = no
>> idmap backend = idmap_rid:VIDAR=10000-20000
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> template shell = /bin/bash
>> winbind enum users = No
>> winbind enum groups = No
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>>
>> [users]
>> comment = User Folders
>> path = /smb/users
>> admin users = root, 'Domain Admins'
>> read only = No
>> guest ok = Yes
>>
>> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>>
>> /*/*/*/*/* config.log SNIPPED /*/*/*/*/*/*
>>
>> $ ./configure --with-shared-modules=idmap_rid --with-ads --with-pam --with_pamsmbpass
>>
>> #define HAVE_LDAP 1
>> #define HAVE_KRB5 1
>>
>> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>>
>> /*/*/*/*/* nsswitch.conf /*/*/*/*/*/*
>>
>> passwd: files winbind
>> shadow: files winbind
>> group: files winbind
>>
>> hosts: files dns wins
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files
>> rpc: files
>> services: files
>>
>> netgroup: files
>>
>> publickey: nisplus
>>
>> automount: files
>> aliases: files nisplus
>>
>> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>>
>> /*/*/*/*/* nsswitch.conf /*/*/*/*/*/*
>>
>> #%PAM-1.0
>> auth required /lib/security/$ISA/pam_env.so
>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
>> auth required /lib/security/$ISA/pam_deny.so
>>
>> account required /lib/security/$ISA/pam_unix.so
>> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
>>
>> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>> # Note: The above line is complete. There is nothing following the '='
>> password sufficient /lib/security/$ISA/pam_unix.so \
>> nullok use_authtok md5 shadow
>> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
>> password required /lib/security/$ISA/pam_deny.so
>>
>> session required /lib/security/$ISA/pam_limits.so
>> session sufficient /lib/security/$ISA/pam_unix.so
>> session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
>>
>> /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
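
An added example, not part of any message in this thread and not Samba code: a check over the smb.conf and nsswitch.conf settings posted above that bear on domain users missing from `getent passwd`. The function names are hypothetical, the embedded samples are constructed from the posted files, and the mapping id = low + RID for idmap_rid is an assumption (base RID 0).

```python
import re

# Constructed sample: the relevant lines of the smb.conf and nsswitch.conf posted in this thread.
SMB_CONF = """\
[global]
security = ADS
idmap backend = idmap_rid:VIDAR=10000-20000
idmap uid = 10000-20000
winbind enum users = No
"""
NSSWITCH = "passwd: files winbind\ngroup: files winbind\n"
FALSE_WORDS = {"no", "false", "0", "off"}

def parse_global(text):
    """Return [global] parameters as a dict keyed by lower-cased, space-normalised name."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def nss_sources(text, database):
    """Return the source list for one nsswitch.conf database, e.g. ['files', 'winbind']."""
    for line in text.splitlines():
        name, _, rest = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return rest.split()
    return []

def check(smb_conf, nsswitch):
    """Return findings that bear on domain users missing from NSS output."""
    params, findings = parse_global(smb_conf), []
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch: '{db}' does not list winbind")
    if params.get("winbind enum users", "").lower() in FALSE_WORDS:
        findings.append("enum users off: 'getent passwd' enumerates no domain users; "
                        "look up one name with 'getent passwd <user>'")
    m = re.fullmatch(r"idmap_rid:([^=]+)=(\d+)-(\d+)", params.get("idmap backend", ""))
    if m:
        low, high = int(m.group(2)), int(m.group(3))
        # Assumption: id = low + RID (base RID 0), so larger RIDs fall outside the range.
        findings.append(f"idmap_rid {m.group(1)}: RIDs above {high - low} do not map into {low}-{high}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, NSSWITCH)))
```

With `winbind enum users = No`, an empty enumeration from `getent passwd` does not by itself show that ID mapping failed; a single-name lookup separates the two cases.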