Hello,

I have some trouble with winbind and the idmap_rid feature in an ADS environment. (Opteron with Debian 3.1pure64, official Samba/Winbind package 3.0.14a)

Without "idmap backend = idmap_rid:...." in the smb.conf a "getent passwd" works fine.
Then I delete the /var/lib/samba/*.tdb files, activate idmap_rid in smb.conf (see below) and join the ADS domain once more - but now "getent passwd" brings only the local Linux users.

I need the local ID mapping from "idmap_rid" for the same IDs on all Linux machines without the overhead of a schema extension on ADS. In my mind "idmap_rid" should also work offline (for notebooks)?

Can anybody tell me the right syntax for winbind authentication in /etc/pam.d/common-account, -auth, -password?

Thanks for help and best regards

here are the files:
##########################################
/etc/samba/smb.conf
[global]
unix charset = ISO8859-15
display charset = ISO8859-15
workgroup = XX
realm = XX.YY.TU-DRESDEN.DE
server string = %h server (Samba %v)
security = ADS
allow trusted domains = No
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
!---> idmap backend = idmap_rid:XX=1000-60000
idmap uid = 1000-60000
idmap gid = 1000-60000
template shell = /bin/bash
winbind cache time = 5
winbind use default domain = Yes
invalid users = root
printer admin = 'Domain, Admins'

[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

##############################################
/etc/nswitch.conf

passwd: files winbind
group: files winbind
shadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-- 
Kind regards
Steffen Kolbe
Andreas-Schubert-Str. 23
D-01062 Dresden
------------------------------------------------------
Phone: +49/0 351 463-36750
Fax: +49/0 351 463-36809
e-mail: kolbe1@vwi.tu-dresden.de
------------------------------------------------------
Institut fuer Wirtschaft und Verkehr
Fakultaet Verkehrswissenschaften "Friedrich List"
Technische Universitaet Dresden
------------------------------------------------------
hi

idmap_rid never shows users when invoked by "getent passwd"
did you try "getent passwd someuser" ?
that should work
same with groups

greez

Steffen Kolbe wrote:
> Hello,
>
> I have some trouble with winbind and the idmap_rid feature in an ADS
> environment. (Opteron with Debian 3.1pure64, official Samba/Winbind
> package 3.0.14a)
>
> Without "idmap backend = idmap_rid:...." in the smb.conf a "getent
> passwd" works fine.
> Then I delete the /var/lib/samba/*.tdb files, activate idmap_rid in
> smb.conf (see below) and join the ADS domain once more - but now "getent
> passwd" brings only the local Linux users.
>
> I need the local ID mapping from "idmap_rid" for the same IDs on all Linux
> machines without the overhead of a schema extension on ADS. In my mind
> "idmap_rid" should also work offline (for notebooks)?
>
>
> Can anybody tell me the right syntax for winbind authentication in
> /etc/pam.d/common-account, -auth, -password?
>
>
> Thanks for help and best regards
>
> here are the files:
> ##########################################
> /etc/samba/smb.conf
> [global]
> unix charset = ISO8859-15
> display charset = ISO8859-15
> workgroup = XX
> realm = XX.YY.TU-DRESDEN.DE
> server string = %h server (Samba %v)
> security = ADS
> allow trusted domains = No
> passdb backend = tdbsam, guest
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n .
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> ldap ssl = no
> panic action = /usr/share/samba/panic-action %d
> !---> idmap backend = idmap_rid:XX=1000-60000
> idmap uid = 1000-60000
> idmap gid = 1000-60000
> template shell = /bin/bash
> winbind cache time = 5
> winbind use default domain = Yes
> invalid users = root
> printer admin = 'Domain, Admins'
>
> [homes]
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> browseable = No
>
> [printers]
> comment = All Printers
> path = /tmp
> create mask = 0700
> printable = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> ##############################################
> /etc/nswitch.conf
>
> passwd: files winbind
> group: files winbind
> shadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
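Why a per-user "getent passwd someuser" can succeed while enumeration shows nothing, and what the "idmap_rid:XX=1000-60000" line in the smb.conf above actually commits to, both follow from the fact that idmap_rid is pure arithmetic rather than a stored table. The script below is an added illustration, not code from either poster or from Samba: it applies the formula documented in idmap_rid(8) for later releases (ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID defaulting to 0; assumed to hold for the 3.0.14a module as well), flags SIDs that cannot be mapped (foreign domain, RID beyond the range), and checks the computed UIDs against a constructed stand-in for /etc/passwd. The domain SID and the passwd entries are made up. The collision check matters with the range shown: it starts at 1000, which is also where Debian starts local user accounts, and because nsswitch lists "files" before "winbind", a domain user whose computed UID equals a local UID is reported under the local account's name.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Reproduces the
# idmap_rid arithmetic (idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID) for
# the range configured above, idmap_rid:XX=1000-60000, and checks each
# computed UID against a constructed /etc/passwd sample for collisions.
# Assumptions: BASE_RID is 0 (the default); DOMAIN_SID and PASSWD_SAMPLE
# are constructed values, nothing here talks to winbind or a DC.

LOW=1000
HIGH=60000
BASE_RID=0
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed stand-in for /etc/passwd. Debian hands the first local user
# UID 1000, i.e. the very bottom of the idmap range in the smb.conf above.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
kolbe:x:1000:1000:Local Steffen:/home/kolbe:/bin/bash
backup:x:1500:1500:Local backup job:/var/backups:/bin/sh'

# rid_to_uid SID -> prints the UID idmap_rid would hand out, or UNMAPPED
# (exit 1) when the SID belongs to another domain or the result falls
# outside LOW..HIGH. Because this is arithmetic only, every host with the
# same range computes the same UID, which is the property the thread wants.
rid_to_uid() {
    sid=$1
    case $sid in
        "$DOMAIN_SID"-*) ;;                 # must belong to our own domain
        *) echo UNMAPPED; return 1 ;;
    esac
    rid=${sid##*-}                          # last SID component is the RID
    uid=$((rid - BASE_RID + LOW))
    if [ "$uid" -lt "$LOW" ] || [ "$uid" -gt "$HIGH" ]; then
        echo UNMAPPED; return 1
    fi
    echo "$uid"
}

# local_owner UID -> prints the local account in PASSWD_SAMPLE that already
# owns UID (exit 1 if none). With "passwd: files winbind" NSS answers a UID
# lookup from files first, so such a domain user shows up under that name.
local_owner() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v u="$1" '$3 == u { print $1; hit = 1 } END { exit (hit ? 0 : 1) }'
}

# check_sid SID -> one verdict line: "<uid> ok", "<uid> clash:<local>" or UNMAPPED
check_sid() {
    uid=$(rid_to_uid "$1") || { echo UNMAPPED; return 0; }
    owner=$(local_owner "$uid") && { echo "$uid clash:$owner"; return 0; }
    echo "$uid ok"
}

# Walk a few constructed SIDs: an ordinary domain user, the built-in
# Administrator (RID 500), a RID past the top of the range, and a SID
# from a foreign domain (which "allow trusted domains = No" also rejects).
for s in "$DOMAIN_SID-1104" "$DOMAIN_SID-500" "$DOMAIN_SID-59500" \
         "S-1-5-21-9-9-9-1104"; do
    printf '%-50s %s\n' "$s" "$(check_sid "$s")"
done
```

Run it as-is to see the four verdicts; to check a real deployment, replace PASSWD_SAMPLE with `getent passwd` output taken before winbind is enabled and DOMAIN_SID with the value from `net getlocalsid` or `wbinfo --domain-info`. The practical takeaways are the two failure modes the script makes visible: RIDs above HIGH - LOW simply never map, and a range that overlaps local UIDs lets a domain account and a local account share a UID, which is an ownership and access-control mistake, not just a display oddity.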