Matteo Calcagnini
2006-Oct-06 12:22 UTC
[Fwd: [Samba] Interdomain Trust: winbind not working]
Anyone? Could you write me the exact steps to have a working configuration of Samba/winbind domain trusting Windows 2000 Dom? I've followed the one proposed in the samba howtos but it is not working. Thanks.

-------- Original Message --------
Subject: [Samba] Interdomain Trust: winbind not working
Date: Mon, 11 Sep 2006 16:09:49 +0200
From: Matteo Calcagnini <calcagnini@publinet.it>
To: samba@lists.samba.org

Hi there, I got a problem trying to configure an Interdomain trust. This is my scenario (a very simple one): domain domA (windows 2000 mixed mode) trusting domB (samba 3.0.23a-1) and vice-versa.

Some wbinfo:

ale:~# wbinfo -m
RGM5
ale:~# wbinfo --sequence
RGM5 : DISCONNECTED
BUILTIN : 1157982872
SYS2 : 1157982872
ale:~# wbinfo -t
checking the trust secret via RPC calls succeeded
ale:~# wbinfo -u
Error looking up domain users
ale:~# wbinfo -g
BUILTIN\administrators
BUILTIN\users
ale:~# wbinfo -a RGM5\\publinetrgm%*******
plaintext password authentication succeeded
challenge/response password authentication succeeded

(this seems to authorise a user of the trusted domain...)

I joined the samba pdc to his domain (SYS2) and made the trust with

net rpc trustdom establish SYS2

Everything seems to be working fine since I can smbclient with a user of the trusted domain; the only thing that's not working is winbind, I can't map the trusted dom users to the unix users. I noticed that samba creates a unix account every time I log into it with a user of the trusted dom, but how can I get winbind to work??
This is my smb.conf:

#======================= Global Settings ======================
[global]
netbios name = ALE
workgroup = SYS2
os level = 64
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
nt acl support = yes
logon path =
logon drive = H:
logon home = \\ale\%U
logon script = logon.bat

##### Add/Remove user scripts #####
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

#### WINBINDD configuration #####
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 30
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes

## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
# server string is the equivalent of the NT Description field
server string = PDC Sys2

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.92.205 192.168.92.206

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = yes

# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast

remote announce = 192.168.92.205
remote browse sync = 192.168.92.205
wins proxy = yes

#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
#log level = 3

# Put a capping on the size of the log files (in Kb).
max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
security = user

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam

; obey pam restrictions = yes
guest account = nobody
; invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton <aluton@hybrigenics.fr> for
# sending the correct chat script for the passwd program in Debian Potato).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no

#### *********** Unix/Windows Username Mapping file *********** ####
username map = /etc/samba/users.map

########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes

# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
printing = cups
printcap name = cups

############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#======================= Share Definitions ======================
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
path = /home/%U/

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
browsable = no

#[profiles]
# path = /var/lib/samba/profiles
# profile acls = yes
# read only = no
# create mask = 0600
# directory mask = 0700
# browsable = no
# force user = %U

[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
write list = root, @ntadmins

#### **************** Custom Shares for SYS2 ***************** ####
[z]
comment = risorsa condivisa z
path = /home/shares/z
admin users = @ntadmins, "@RGM5\Domain Admins"
public = yes
writable = yes
printable = no
create mask = 0110
directory mask = 0775
force create mode = 0664
force directory mode = 0775

Thank you all.

--
__________________________________
Matteo Calcagnini
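The diagnostic below is an added example for this thread, not code posted by either participant. It parses the text format of `wbinfo --sequence` exactly as shown in Matteo's post ("DOMAIN : <sequence-number|DISCONNECTED>") and reports which trusted domains winbindd cannot reach, which is the state behind the "Error looking up domain users" failure of `wbinfo -u`. The sample text in SAMPLE_SEQUENCE is constructed from the post, not captured live; the live check function only runs where a real `wbinfo` binary exists.

```shell
#!/bin/sh
# Added example, not from the original thread. Offline helpers parse
# `wbinfo --sequence` output; check_winbind_trusts runs the real tool if present.

# Constructed from the wbinfo output in the post (not a live capture).
SAMPLE_SEQUENCE='RGM5 : DISCONNECTED
BUILTIN : 1157982872
SYS2 : 1157982872'

# Read `wbinfo --sequence` text on stdin; print each DISCONNECTED domain name.
# The separator in that output is a literal " : ".
disconnected_domains() {
    awk -F' : ' '$2 == "DISCONNECTED" { print $1 }'
}

# Read the same text on stdin; print the number of DISCONNECTED domains.
# Prints 0 (instead of failing like grep -c would) when there are none.
count_disconnected() {
    awk -F' : ' '$2 == "DISCONNECTED" { n++ } END { print n + 0 }'
}

# Read the same text on stdin; print the domains winbindd can reach, i.e.
# the ones that report a numeric sequence number.
connected_domains() {
    awk -F' : ' '$2 ~ /^[0-9]+$/ { print $1 }'
}

# Live check. Returns 0 when every domain is reachable, 1 when at least one
# is DISCONNECTED, 2 when wbinfo is missing or fails. For an unreachable
# domain it also runs `wbinfo -t` and `wbinfo -m`, the same commands shown
# in the post, so the output can be compared side by side with it.
check_winbind_trusts() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed" >&2; return 2; }
    seq_out=$(wbinfo --sequence) || { echo "wbinfo --sequence failed" >&2; return 2; }
    bad=$(printf '%s\n' "$seq_out" | disconnected_domains)
    if [ -z "$bad" ]; then
        echo "all domains reachable:"
        printf '%s\n' "$seq_out" | connected_domains
        return 0
    fi
    for d in $bad; do
        echo "winbindd cannot reach domain $d; trust secret and trust list follow:"
        wbinfo -t || true
        wbinfo -m || true
    done
    return 1
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SEQUENCE" | disconnected_domains   # RGM5
printf '%s\n' "$SAMPLE_SEQUENCE" | count_disconnected     # 1
```

Usage on a winbind host: source the file and call `check_winbind_trusts`; a non-zero return means the DISCONNECTED state from the post is present and `wbinfo -u` / `-g` cannot be expected to enumerate that domain's accounts. Note that the post's `wbinfo -a RGM5\\user%password` form puts the password on the command line, where it is visible in the process list; `wbinfo -a` also accepts `DOMAIN\\user` alone and prompts for the password.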
Thorkil Olesen
2006-Oct-10 17:12 UTC
[Samba] Re: [Fwd: Interdomain Trust: winbind not working]
Matteo Calcagnini <calcagnini <at> publinet.it> writes:

> Anyone?
> Could you write me the exact steps to have a working
> configuration of Samba/winbind domain trusting Windows 2000 Dom?
> I've followed the one proposed in the samba howtos but is not
> working.

I cannot make it better than the how-to. I have an interdomain trust working to a W2K3-server, and I just followed the how-to. Though I got a problem like yours when I upgraded to the 3.0.23-series. I tried a lot of things, and eventually I made it work again, but I'm not quite sure how. One step was a restart of the Windows-server. (I know it sounds strange for a *NIX-admin, but this is Windows...)

> domain domA (windows 2000 mixed mode) trusting domB (samba 3.0.23a-1)
> and vice-versa.

I think you should upgrade to the latest version 3.0.23c. The first versions in the 3.0.23-series are buggy, and it might involve the interdomain trust.

> ale:~# wbinfo --sequence
> RGM5 : DISCONNECTED

It looks like the problem I had.

> ale:~# wbinfo -u
> Error looking up domain users

This one as well.

> this is my smb.conf
[...]
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> winbind nested groups = Yes

I don't use these. I think you should avoid "winbind trusted domains only" when you don't use LDAP.

Good luck!

--
Thorkil Olesen, Hanstholm, Denmark.