The nss_ldap has some performance problems and doesn't have any caching
features that windbind does. What I was aways wondering is does IDMAP
write UID/GID derived from SID to the extended schema in AD? Can
winbindd use this extended schema, instead of using nss_ldap?
-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com@lists.samba.org
[mailto:samba-bounces+letz_samba=realmspace.com@lists.samba.org] On
Behalf Of markus
Sent: Tuesday, November 29, 2005 11:56 PM
To: Jason Gerfen
Cc: samba@lists.samba.org
Subject: Re: [Samba] AD4Unix & Samba-3.0.20b+winbind (UPDATE)
Hi Jason,
I don't really understand, why you are extending your schema with
AD4Unix whilst using winbind. You don't need to. If your are using
nss_ldap your schema needs some more entries to fetch unix related data
like gid, uid and so on. Winbind is based on SID's and stores mappings
in so called idmaps.
Markus
Jason Gerfen wrote:> Ok in my test environment I just got done updating the schema on the
> Win2K domain to include the AD4Unix package and I am still able to
> authentication and view all users from any container including the
> CN=Users (default) and a new OU=authenticated. Can someone please
help > me out on this? The only major difference between the test domain and
> the live domain is the number of users at this point and the container
> setup in AD.
>
> Jason Gerfen wrote:
>
>> Scenario: Samba-3.0.20b domain member server on SuSE 9.3 (w/ all
>> available patches applied) providing kerberos authentication through
a >> Windows 2000 domain with AD4Unix services installed.
>>
>> Problem(s):
>> 1. Can only view users from one OU in Active Directory (default is:
>> CN=Users, problem container is: OU=authenticated)
>> 2. According to log.winbind and log.smbd authentication fails with
>> error: check_ntlm_password: Authentication for user [testj] ->
>> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD. Is this error
due >> to falling back to NTLM authentication vs. Kerberos TGT systems?
>>
>> Troubleshooting performed:
>> 1. Used 'net ads leave' to remove from domain, updated
Samba+Winbind
>> from 3.0.13 to 3.0.20b
>> 2. Manually removed machine trust account from active directory
>> 3. Manually removed cache files for Samba prior to upgrade
>> 4. Attempted using 3.0.21rc1 release with same results
>> 5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS
>> member server which would authenticate via Kerberos without problems.
>> 6. Upgraded Samba to 3.0.20b and still worked fine on test domain w/o
>> AD4Unix setup
>> 7. Am in the process of upgrading Win2K domain server (in test env.)
>> to provide AD4Unix services to see if it breaks.
>>
>> Any help, insight into this is definately appreciated
>>
>> Here is the pertinent configuration files:
>>
>> [smb.conf]
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> server string = new-odin.domain.com
>> security = ADS
>> update encrypted = Yes
>> encrypt passwords = yes
>> password server = *
>> preferred master = No
>> domain master = No
>> idmap uid = 500-500000
>> idmap gid = 500-500000
>> winbind trusted domains only = yes
>> winbind separator = /
>> winbind cache time = 5
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> log level = 2
>> interfaces = eth*
>> bind interfaces only = yes
>> socket options = IPTOS_LOWDELAY TCP_NODELAY
>>
>> [images]
>> comment = ODIN
>> user = %S
>> path = /odin/images
>> inherit acls = Yes
>> browseable = yes
>> writeable = yes
>> read only = no
>> public = yes
>>
>>
>> [home]
>> comment = User Home Directories
>> user = %S
>> path = /odin/home/%S
>> inherit acls = Yes
>> writeable = yes
>> read only = no
>> public = no
>> browseable = yes
>>
>> [krb5.conf]
>> [libdefaults]
>> default_realm = DOMAIN.COM
>> clockskew = 300
>>
>> [realms]
>> UTAH.EDU = {
>> kdc = 192.168.0.10
>> default_domain = domain.com
>> admin_server = 192.168.0.10
>> }
>>
>>
>> [logging]
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>> default = FILE:/var/log/krb5lib.log
>>
>> [domain_realm]
>> .domain.com = DOMAIN.COM
>> domain.com = DOMAIN.COM
>>
>> [appdefaults]
>> pam = {
>> ticket_lifetime = 1d
>> renew_lifetime = 1d
>> forwardable = true
>> proxiable = false
>> retain_after_close = false
>> minimum_uid = 0
>> }
>>
>> [nsswitch.conf]
>> passwd: files winbind
>> shadow: files winbind
>> group: files winbind
>>
>> hosts: files dns winbind
>> networks: files dns
>>
>> services: files
>> protocols: files
>> rpc: files
>> ethers: files
>> netmasks: files
>> netgroup: files
>> publickey: files
>>
>> bootparams: files
>> automount: files nis
>> aliases: files
>>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
