Hi,

I'm running 3.0.28a on Ubuntu 8.04 (their package). I've got security = ads and idmap backend = ad (smb.conf is posted below). I'm using libnss-ldap and have ldap in nsswitch.conf (also posted below), with ldap connected to the AD server. I have the drive mounted using the acl and xattr_user options in fstab (acl is installed). I can connect to the share, and I see in the logs that it's picking up the uid and gid from SFU in AD; however, when I go into the Explorer security tab (on the client) and try to add a user, it fails. I don't get an error message within Windows (the user adding another user is the owner of the file/folder); the user just disappears from the list as it refreshes! On the server I'm seeing a lot of this in log.winbindd-idmap:

[2008/07/18 09:32:59, 1] nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
  ADS uninitialized

Now I don't know if this is related, but if I do wbinfo -n wsd\\rippls I get a long SID, and if I do wbinfo -s [same SID] I get wsd\rippls. However, if I do wbinfo -U [uid for same user] I get a different SID from before!

I'm trying very hard this summer to make this work so I can retire our MS file server, so any help would be appreciated. I tried this initially in Etch, but that version wasn't handling the connection to AD for nss and winbind very well at all, hence I'm trying in Ubuntu.

Thanks!

====smb.conf====

[global]
workgroup = WSD
realm = woodland.wednet.edu
server string = %h server

log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

panic action = /usr/share/samba/panic-action %d

security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root

socket options = TCP_NODELAY

idmap backend = ad
winbind nss info = sfu
winbind nested groups = yes
winbind use default domain = yes

[Student]
path = /srv/Student
read only = no
store dos attributes = yes
nt acl support = yes
map acl inherit = yes
inherit acls = yes
acl map full control = yes
dos filemode = yes

=====nsswitch.conf====

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
Have you tried adding "winbind" in nsswitch.conf for the passwd, group and shadow fields?

So, if you have SFU on your DC, you don't need winbind to authenticate users; you can configure the system for an LDAP binding. Read the PDFs on this site, the last 2 are very interesting for your problem: http://www.interopsystems.com/learning.htm

They work with 2003 R2 and Fedora, but it's the same, because the R2 version has SFU integrated.

And by the way, a while ago I tried to make an LDAP binding with Ubuntu 7.10, but it didn't work. Maybe with Hardy it's different.

Luck!
David Molina

On Fri, Jul 18, 2008 at 8:11 PM, Steve Rippl <rippls@woodlandschools.org> wrote:
> Hi,
>
> I'm running 3.0.28a on Ubuntu 8.04 (their package). I've got security
> ads and idmap backend = ad (smb.conf is posted below). I'm using
> libnss-ldap and have ldap in nsswitch.conf (also posted below) and ldap
> connected to the AD server. I have the drive mounted using acl and
> xattr_user options in fstab (acl is installed). I can connect to the
> share, I see in the logs that it's picking up the uid and gid from SFU
> in AD, however, when I go into the explorer security tab (on the client)
> and try to add a user it fails. I don't get an error message within
> windows (the user adding another user is the owner of the file/folder),
> the user just disappears from the list as it refreshes! On the server
> I'm seeing a lot of this in log.winbindd-idmap
>
> [2008/07/18 09:32:59, 1] nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>   ADS uninitialized
>
> Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
> get a long SID number, if I do wbinfo -s [same SID number] I get
> wsd\rippls. However, if I do wbinfo -U [uid for same user] I get a
> different SID from before!
>
> I'm trying very hard this summer to make this work so I can retire our
> MS file server, so any help would be appreciated. I tried this
> initially in Etch, but that version wasn't handling the connection to
> AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
>
> Thanks!
>
> ====smb.conf====
>
> [global]
>
> workgroup = WSD
> realm = woodland.wednet.edu
> server string = %h server
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
>
> panic action = /usr/share/samba/panic-action %d
>
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> invalid users = root
>
> socket options = TCP_NODELAY
>
> idmap backend = ad
> winbind nss info = sfu
> winbind nested groups = yes
> winbind use default domain = yes
>
> [Student]
> path = /srv/Student
> read only = no
> store dos attributes = yes
> nt acl support = yes
> map acl inherit = yes
> inherit acls = yes
> acl map full control = yes
> dos filemode = yes
>
> =====nsswitch.conf====
>
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
Thanks David, yes I have tried all these and nothing seems to be working! Here's where I'm at...

libnss-ldap is working with my AD server: with just 'files ldap' in nsswitch.conf, a getent passwd returns local users and users from AD, but they seem to be treated as local, i.e. they are 'admin' rather than 'wsd\admin'. So, on a Windows client I go to my test share as a domain user; in the log I see that it picks up the uid/gid from AD, but in the security tab the user is 'Unix User\2009test', NOT 'wsd\2009test'. If I try to add a user through this tab they are wsd\username, and then I get

[2008/07/23 09:30:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-3668144929-636610183-3299198910-1120 to uid or gid.

in the log file when I hit apply. I'm also still getting

[2008/07/23 09:30:45, 1] nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
  ADS uninitialized

in log.winbindd-idmap. If I add winbind to the list in nsswitch it makes no difference; if I have just 'files winbind', nothing works! This is all with idmap backend = ad; if I set it to tdb, winbind does work correctly. What do I have to do to configure idmap backend = ad correctly????

I've now compiled 3.0.31 with --with-shared-modules=idmap_ad, and I've tried winbind nss info = sfu and leaving it out. Some people said to use rfc2307 even though they claimed to be using SFU, not R2; I tried that and it didn't make any difference (I'm using SFU 3.5). David's references seem to be using ldap to store idmap info rather than getting uid/gid info from AD. Has someone out there got this working? The Samba-3 Howto for this says to just use 'files ldap' in nsswitch, but to reiterate, if I do that I'm not getting connected users recognised as domain users?!!

> Have you tried to add "winbind" at the file nsswitch.conf for the fields
> passwd, group and shadow?
>
> So, if you have SFU at your DC, you don't need winbind to authenticate
> users, you can configure the system for a LDAP binding.
> Read the PDFs of this web, the last 2 are very interesting for your
> problem:
> http://www.interopsystems.com/learning.htm
>
> They work with 2003 R2 and Fedora, but it's the same, because R2
> version has the SFU integrated.
>
> And by the way, a time ago I tried to make a LDAP binding with an Ubuntu
> 7.10, but it didn't work. May be with Hardy it's different.
>
> Luck!
> David Molina
>
>
> On Fri, 2008-07-18 at 11:11 -0700, Steve Rippl wrote:
> > Hi,
> >
> > I'm running 3.0.28a on Ubuntu 8.04 (their package). I've got security
> > ads and idmap backend = ad (smb.conf is posted below). I'm using
> > libnss-ldap and have ldap in nsswitch.conf (also posted below) and ldap
> > connected to the AD server. I have the drive mounted using acl and
> > xattr_user options in fstab (acl is installed). I can connect to the
> > share, I see in the logs that it's picking up the uid and gid from SFU
> > in AD, however, when I go into the explorer security tab (on the client)
> > and try to add a user it fails. I don't get an error message within
> > windows (the user adding another user is the owner of the file/folder),
> > the user just disappears from the list as it refreshes! On the server
> > I'm seeing a lot of this in log.winbindd-idmap
> >
> > [2008/07/18 09:32:59, 1] nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
> >   ADS uninitialized
> >
> > Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
> > get a long SID number, if I do wbinfo -s [same SID number] I get
> > wsd\rippls. However, if I do wbinfo -U [uid for same user] I get a
> > different SID from before!
> >
> > I'm trying very hard this summer to make this work so I can retire our
> > MS file server, so any help would be appreciated. I tried this
> > initially in Etch, but that version wasn't handling the connection to
> > AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
> >
> > Thanks!
> >
> > ====smb.conf====
> >
> > [global]
> >
> > workgroup = WSD
> > realm = woodland.wednet.edu
> > server string = %h server
> >
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > syslog = 0
> >
> > panic action = /usr/share/samba/panic-action %d
> >
> > security = ads
> > encrypt passwords = true
> > passdb backend = tdbsam
> > obey pam restrictions = yes
> > invalid users = root
> >
> > socket options = TCP_NODELAY
> >
> > idmap backend = ad
> > winbind nss info = sfu
> > winbind nested groups = yes
> > winbind use default domain = yes
> >
> > [Student]
> > path = /srv/Student
> > read only = no
> > store dos attributes = yes
> > nt acl support = yes
> > map acl inherit = yes
> > inherit acls = yes
> > acl map full control = yes
> > dos filemode = yes
> >
> > =====nsswitch.conf====
> >
> > passwd: files ldap
> > group: files ldap
> > shadow: files ldap
> >
> > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
Steve Rippl wrote:
> On Wed, 2008-07-23 at 10:22 -0700, Howard Wilkinson wrote:
> [snip]
> > Have you put POSIX attributes onto the users in the active directory?
> >
> > idmap backend = ad:ldap://domain.fqdn
> > winbind nss info = rfc2307
> >
> > Should work. You also need
> > use kerberos keytab = yes
> >
> > Howard.
> >
> Yep, I've got posix attributes for users in AD. I added the keytab (net
> ads keytab create -P) and changed smb.conf to reflect the lines you have
> above (with my actual fqdn for the AD server), and now I get this in
> log.winbindd-idmap
>
> [2008/07/23 15:33:25, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_init(779)
>   idmap_init: Unable to get methods for alloc backend ad

The line above looks suspicious! It looks as though your build does not do the dynamic linking properly! I would need to get this release and build it locally to find out what is going wrong. Perhaps somebody else could tell us what is going on here.

> [2008/07/23 15:33:25, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
>   ad_idmap_cached_connection: Failed to obtain schema details!
> [2008/07/23 15:33:25, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
>   ADS uninitialized
> [2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1233)
>   ERROR: NTSTATUS = 0xc0000001
>
> I can wbinfo -a|n|s, that works, but getent is still not returning the
> user. I copied libnss_winbind into /lib and ran ldconfig, but it seems
> as though getent isn't using it?!
>
> Also, maybe I'm wrong, but I thought that to query ldap attributes in AD
> you had to bind with a valid user; how is the idmap backend doing that?

The way I do this is to use Kerberos keytabs in my nss_ldap lookups. I take the machine keytab (or specially created ones) and add them to the nss_ldap setup. This needs at least nss_ldap 259 and my latest patches, which I published about 2 weeks ago. I have not yet tried the libnss-ldapd software, as I need to write patches for that as well. My systems are all Fedora Linux (7, 8, 9 with some bleeding-edge backports), so similar but not the same as yours. However, I can confirm the pam_krb5, nss_ldap, samba combination can be made to work with an AD backend just about seamlessly. So keep plugging away and you will get it to work.

Howard.
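An added check, written for this page and not part of the thread or of Samba: a small Python linter that parses the smb.conf and nsswitch.conf fragments posted above (copied here as constructed strings) and flags the settings the replies questioned, namely the bare "idmap backend = ad" with no LDAP URL, "winbind nss info = sfu" rather than rfc2307, the absent "use kerberos keytab = yes", and nsswitch databases that do not list winbind. The findings only encode the suggestions made in this thread, not authoritative Samba guidance.

```python
# Constructed copies of the smb.conf and nsswitch.conf fragments posted in this thread.
SMB_CONF = """[global]
security = ads
idmap backend = ad
winbind nss info = sfu
winbind nested groups = yes
[Student]
path = /srv/Student
"""
NSSWITCH = """passwd: files ldap
group: files ldap
shadow: files ldap
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def parse_nsswitch(text):
    """Return {database: [sources, ...]} for each 'db: src src' line."""
    out = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            db, sources = line.split(":", 1)
            out[db.strip()] = sources.split()
    return out

def check_idmap_ad(smb_conf_text, nsswitch_text):
    """Flag the settings questioned in the thread; returns a list of finding strings."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    nss = parse_nsswitch(nsswitch_text)
    findings = []
    if g.get("idmap backend", "") == "ad":  # bare 'ad', no ldap://<dc fqdn> as Howard suggested
        findings.append("idmap backend = ad has no LDAP URL; suggestion was ad:ldap://<dc fqdn>")
    if g.get("winbind nss info", "") == "sfu":
        findings.append("winbind nss info = sfu; suggestion was rfc2307")
    if g.get("use kerberos keytab", "no").lower() != "yes":
        findings.append("use kerberos keytab = yes is missing")
    for db in ("passwd", "group", "shadow"):  # David's suggestion: winbind on all three
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf {db} line does not list winbind")
    return findings
```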