Hello All:

I have a Samba server (running 3.0.11) that uses an LDAP SAM for
authentication. We now have AD (native mode) running in house.
Since everyone has a login there, I would like to use the AD
credentials for authentication. However, I would like to continue
to use the Unix user ids and group ids, etc.

All the documentation for AD authentication talks about ID mapping, etc.
I don't think I need this. I already have ids. I don't need to map them.

Is there an easy way to do what I want?

I have tried to make it work by picking up the latest Blastwave distribution
and I installed it with configurations like:

--------------------------------------------------------------------------
[global]
        unix charset = LOCALE
        workgroup = ULTICOM
        realm = ULTICOM.COM
        netbios name = CARP
        server string = Carp -- a test instance of Corp
        interfaces = 172.25.0.9
        bind interfaces only = Yes
        security = ADS
        smb passwd file = /etc/csw/samba/carp/private/smbpasswd
        private dir = /etc/csw/samba/carp/private
        log level = 1
        syslog = 0
        log file = /var/csw/samba/log/carp.smbd.log
        max log size = 50
        printcap name = CUPS
        ldap ssl = no
        lock directory = /etc/csw/samba/carp/locks
        pid directory = /etc/csw/samba/carp/locks
        include = /etc/csw/samba/carp/smb.conf.shares

[homes]
        ...
--------------------------------------------------------------------------
With this configuration, I can do an "smbclient -L carp" just fine,
but I can't do "smbclient //carp/gaa". I get:
--------------------------------------------------------------------------
Domain=[ULTICOM] OS=[Unix] Server=[Samba 3.0.23b]
tree connect failed: NT_STATUS_ACCESS_DENIED
--------------------------------------------------------------------------
This sure sounds like the login works but the user ids don't allow access.
(If I type my password wrong, I get a NT_STATUS_LOGON_FAILURE).

Any other ideas?

--
Gary Algier, WB2FWZ                   gaa at ulticom.com    +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054     Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
    People don't read documentation voluntarily.
On Saturday 20 October 2007 02:21:53 Gary Algier wrote:
> Hello All:
>
> I have a Samba server (running 3.0.11) that uses an LDAP SAM for
> authentication. We now have AD (native mode) running in house.
> Since everyone has a login there, I would like to use the AD
> credentials for authentication. However, I would like to continue
> to use the Unix user ids and group ids, etc.
>
> All the documentation for AD authentication talks about ID mapping, etc.
> I don't think I need this. I already have ids. I don't need to map
> them.
>
> Is there an easy way to do what I want?
>
> I have tried to make it work by picking up the latest Blastwave
> distribution and I installed it with configurations like:
>
> --------------------------------------------------------------------------
> [global]
>         unix charset = LOCALE
>         workgroup = ULTICOM
>         realm = ULTICOM.COM
>         netbios name = CARP
>         server string = Carp -- a test instance of Corp
>         interfaces = 172.25.0.9
>         bind interfaces only = Yes
>         security = ADS
>         smb passwd file = /etc/csw/samba/carp/private/smbpasswd
>         private dir = /etc/csw/samba/carp/private
>         log level = 1
>         syslog = 0
>         log file = /var/csw/samba/log/carp.smbd.log
>         max log size = 50
>         printcap name = CUPS
>         ldap ssl = no
>         lock directory = /etc/csw/samba/carp/locks
>         pid directory = /etc/csw/samba/carp/locks
>         include = /etc/csw/samba/carp/smb.conf.shares
>
> [homes]
>         ...
> --------------------------------------------------------------------------
> With this configuration, I can do an "smbclient -L carp" just fine,
> but I can't do "smbclient //carp/gaa". I get:
> --------------------------------------------------------------------------
> Domain=[ULTICOM] OS=[Unix] Server=[Samba 3.0.23b]
> tree connect failed: NT_STATUS_ACCESS_DENIED
> --------------------------------------------------------------------------
> This sure sounds like the login works but the user ids don't allow
> access.
> (If I type my password wrong, I get a NT_STATUS_LOGON_FAILURE).
> Any other ideas?

Hello Gary,

I'm a newbie, so please pardon me if I'm saying something here.
AFAIK, security = ADS is used when we want our samba to act as
"middle-man" only, that is, it forwards the authentication request to
the AD. So, it itself doesn't do the authentication.
You might want to set it up as a Samba PDC instead and then do an
interdomain trust from there to the AD.

CMIIW,

--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
20:43:14 up 30 min, 2.6.20-16-generic GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
Gary Algier wrote:
> Hello All:
>
> I have a Samba server (running 3.0.11) that uses an LDAP SAM for
> authentication. We now have AD (native mode) running in house.
> Since everyone has a login there, I would like to use the AD
> credentials for authentication. However, I would like to continue
> to use the Unix user ids and group ids, etc.
>
> All the documentation for AD authentication talks about ID mapping, etc.
> I don't think I need this. I already have ids. I don't need to map
> them.
>
> Is there an easy way to do what I want?

Yes. There are several ways. In Samba 3.0.25 and later there is the
idmap_nss plugin for winbind. Prior to that there is the "winbind trusted
domains only" setting, but that has some drawbacks. Or you can possibly
forgo Winbind and use something like nss_ldap. But you need to make sure
that the user and group names in your directory match the AD environment.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
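Jerry's last point, that the names in the existing Unix directory must match the AD names before idmap_nss or nss_ldap can hand out the existing uids and gids, can be checked before switching. The script below is an added example, not from the thread or the Samba project; it runs against constructed sample output of `wbinfo -u`/`wbinfo -g` and `getent passwd`/`getent group` embedded inline, so it works offline, and the same function serves users and groups.

```shell
#!/bin/sh
# Added example (not from the thread): list AD accounts that have no
# same-named Unix account. Any name printed here would get no uid/gid from
# an NSS-based idmap and would fail a tree connect just as in Gary's report.
# All inputs are constructed sample data, not taken from a live system.

# Constructed sample of `wbinfo -u` output (AD users, "DOMAIN\name" form)
AD_USERS='ULTICOM\gaa
ULTICOM\jsmith
ULTICOM\svc-backup'

# Constructed sample of `wbinfo -g` output (AD groups)
AD_GROUPS='ULTICOM\Domain Users
ULTICOM\engineering'

# Constructed sample of `getent passwd` from the existing LDAP directory
UNIX_PASSWD='gaa:x:1001:100:Gary Algier:/home/gaa:/bin/sh
jsmith:x:1002:100:J Smith:/home/jsmith:/bin/sh
nobody:x:60001:60001:Nobody:/:/bin/false'

# Constructed sample of `getent group`
UNIX_GROUP='engineering:x:200:gaa,jsmith
staff:x:100:'

# Drop the "DOMAIN\" prefix winbind prints and lower-case the name:
# AD names are case-insensitive, Unix account names are not.
short_names() {
    printf '%s\n' "$1" | sed 's/^[^\\]*\\//' | tr '[:upper:]' '[:lower:]'
}

# Print each AD name (from $1) that has no entry in the NSS lines ($2).
# Works for passwd and group alike: the name is the first ':' field.
unmatched_names() {
    short_names "$1" | while IFS= read -r name; do
        if ! printf '%s\n' "$2" | cut -d: -f1 | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

echo "AD users without a Unix account:"
unmatched_names "$AD_USERS" "$UNIX_PASSWD"
echo "AD groups without a Unix group:"
unmatched_names "$AD_GROUPS" "$UNIX_GROUP"
```

On a real server replace the constructed variables with `wbinfo -u`, `wbinfo -g`, `getent passwd` and `getent group` output; a non-empty result means those accounts need a directory entry (or a rename) before the cut-over.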