Kreitz, Christopher
2008-Apr-15 17:08 UTC
[Samba] Samba in Active Directory environments with centralized SID to UID mapping
Hello list!

We have some problems while trying to integrate a group of Linux servers into our Active Directory. Our plan is to connect these machines via winbind to the AD. Our users should be able to log in on these machines with their Windows credentials. We want the AD to do the mapping between Windows SID and Linux UID/GID. For this purpose, we installed SFU 3.5 at our AD and activated the UIDs for all allowed users.

We successfully connected these machines (client0 up to client9) to the AD; wbinfo -u and wbinfo -g list all domain members and all domain groups.

We edited /etc/nsswitch.conf and enabled winbind:

    passwd: files winbind ldap
    group:  files winbind ldap
    shadow: files winbind ldap

Note: The ldap entries were made previously, to enable an LDAP logon, but we want to replace the LDAP logon with winbind/AD logon, to centralize the user management.

Now the troubles began. Our problems are:

1) If I want to check the uid of a user, not all servers act identically, e.g. "id kreitz":

    server0: uid=32821(kreitz) gid=32002 groups=32001,32005,32003,32002
    server1: uid=32821(kreitz) gid=32002 groups=32001,32002
    server2: uid=32821(kreitz) gid=32002 groups=32000,32001,32002
    ...

2) We tried to stop winbind, clear the winbind cache /var/cache/idmap_cache.tdb and restart winbind:

    id: kreitz: No such user

I did not know how to debug winbind to find the problems in my configuration.
Here is some information about my systems:

    Linux:   RHEL4
    Samba:   3.0.25b-1.el4_6.4
    Winbind: 3.0.25b-1.el4_6.4

My configs (some):

/etc/samba/smb.conf

    [global]
    workgroup = <SHORT-DOMAIN>        # anonymized
    netbios name = client0
    realm = <DOMAIN>                  # anonymized
    idmap uid = 10000-640000
    idmap gid = 10000-640000
    idmap backend = ad
    winbind separator = +
    winbind use default domain = Yes
    security = ADS
    encrypt passwords = yes
    password server = <AD-Server>     # anonymized
    client use spnego = yes
    winbind enum users = yes
    winbind enum groups = yes
    unix password sync = yes
    template shell = /bin/bash
    winbind nss info = sfu

/etc/nsswitch.conf

    passwd:     files winbind ldap
    group:      files winbind ldap
    shadow:     files winbind ldap
    hosts:      files dns
    networks:   files dns
    services:   files db
    protocols:  files db
    rpc:        files db
    ethers:     files db
    netmasks:   files
    netgroup:   files
    publickey:  files
    bootparams: files
    automount:  ldap
    aliases:    files

/etc/krb5.conf

    [libdefaults]
    default_realm = <domain>
    clockskew = 300

    [realms]
    <domain> = {
        kdc = <AD-Server>
    }

    [domain_realm]
    .<domain> = <DOMAIN>
    <domain> = <DOMAIN>

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

    [appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }

Greetings
Christopher Kreitz
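The inconsistent `id` output across hosts in the post is exactly the kind of thing worth checking mechanically before touching winbind settings: an identity mapping that differs per machine means file ownership and group-based access control also differ per machine. The script below is an added example and not part of the original post or of Samba; it parses the `id` output quoted above (embedded here as constructed sample data, keyed by the post's host names) plus one constructed host showing the "No such user" failure, and reports which hosts agree on uid/gid, which groups are missing where, and which hosts could not resolve the user at all. Collecting the real lines from each server (for example with `ssh host id user`) is left to the reader.

```python
import re

# Constructed sample: the three `id kreitz` lines quoted in the post, plus a
# fourth hypothetical host reproducing the post's "No such user" failure.
SAMPLE_ID_OUTPUT = {
    "server0": "uid=32821(kreitz) gid=32002 groups=32001,32005,32003,32002",
    "server1": "uid=32821(kreitz) gid=32002 groups=32001,32002",
    "server2": "uid=32821(kreitz) gid=32002 groups=32000,32001,32002",
    "server3": "id: kreitz: No such user",
}

# Matches the standard `id` layout; the "(name)" parts are optional because
# winbind may return numeric ids it cannot name when lookups partially fail.
ID_RE = re.compile(r"uid=(\d+)(?:\([^)]*\))?\s+gid=(\d+)(?:\([^)]*\))?\s+groups=(\S+)")


def parse_id_line(line):
    """Return (uid, gid, set_of_gids) for one `id` output line, or None if the
    line is not a successful `id` result (e.g. 'No such user')."""
    m = ID_RE.search(line)
    if not m:
        return None
    uid, gid = int(m.group(1)), int(m.group(2))
    groups = set()
    for token in m.group(3).split(","):
        # Each token is either "32001" or "32001(name)"; keep the number only.
        groups.add(int(token.split("(", 1)[0]))
    return uid, gid, groups


def compare_hosts(outputs):
    """Compare `id` results from several hosts and describe any disagreement."""
    parsed = {host: parse_id_line(line) for host, line in outputs.items()}
    unresolved = sorted(h for h, p in parsed.items() if p is None)
    resolved = {h: p for h, p in parsed.items() if p is not None}

    if not resolved:
        return {"unresolved": unresolved, "uid_consistent": False,
                "gid_consistent": False, "groups_consistent": False,
                "common_groups": set(), "missing_by_host": {}}

    uids = {p[0] for p in resolved.values()}
    gids = {p[1] for p in resolved.values()}
    all_group_sets = [p[2] for p in resolved.values()]
    union = set().union(*all_group_sets)          # every gid seen anywhere
    common = set.intersection(*all_group_sets)    # gids every host agrees on

    return {
        "unresolved": unresolved,
        "uid_consistent": len(uids) == 1,
        "gid_consistent": len(gids) == 1,
        # Consistent only if every host reports the full union of groups.
        "groups_consistent": all(g == union for g in all_group_sets),
        "common_groups": common,
        # Per host: groups some other host reports but this one does not.
        "missing_by_host": {h: union - p[2] for h, p in resolved.items()},
    }


def format_report(report):
    """Render the comparison as plain text, one finding per line."""
    lines = []
    for key in ("uid_consistent", "gid_consistent", "groups_consistent"):
        lines.append(f"{key}: {'yes' if report[key] else 'NO'}")
    lines.append("common groups: " + ",".join(map(str, sorted(report["common_groups"]))))
    for host, missing in sorted(report["missing_by_host"].items()):
        if missing:
            lines.append(f"{host} missing groups: " + ",".join(map(str, sorted(missing))))
    for host in report["unresolved"]:
        lines.append(f"{host}: user not resolvable (check winbind/nsswitch on this host)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_hosts(SAMPLE_ID_OUTPUT)))
```

With the sample data the report shows uid and gid agreeing everywhere, only groups 32001 and 32002 common to all resolving hosts, each host missing a different subset of the others' groups, and server3 flagged as unable to resolve the user; that pattern (same uid, divergent group sets) points at group lookups rather than the uid mapping itself as the first thing to examine.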