Petteri Heinonen
2009-Mar-21 21:20 UTC
[Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28
Hello list users,

I have been struggling with the combination in the subject field for a couple of days now, so I decided to ask for some advice here. Hopefully someone can point me in the right direction.

The ultimate goal for me is to authenticate users using AD, so that the UID/GID values configured for users with SFU would also be in use in all our Linux machines. My understanding is that correctly configured winbind + pam + nsswitch should produce the desired result. I have been able to join a Linux box to our Windows Server 2003 hosted domain, but getting user/group info out of AD seems to cause some trouble. I have been mostly experimenting with the wbinfo tool. Running "wbinfo -i someuser" results in "Could not get info for user someuser", with logs as below.

One specific question which has been troubling me is what the value for winbind nss info should be. Googling has revealed that the two possibilities are "sfu" and "rfc2307", but I haven't been able to find any decent documentation about when sfu should be used and when rfc2307. Are these somehow related to what SFU version is in use on the AD side?
- Regards,
Petteri Heinonen

log.winbindd:
[2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628) accepted socket 18
[2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491) [ 1876]: request interface version
[2009/03/21 22:59:04, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) [ 1876]: request location of privileged pipe
[2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628) accepted socket 19
[2009/03/21 22:59:04, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346) [ 1876]: getpwnam someuser
[2009/03/21 22:59:05, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347) sid2uid returned an error
[2009/03/21 22:59:05, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266) Could not query uid for user DOMAIN\someuser

log.winbindd-idmap:
[2009/03/21 22:59:04, 4] nsswitch/winbindd_dual.c:fork_domain_child(1065) child daemon request 48
[2009/03/21 22:59:04, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374) [ 1862]: sid to uid S-1-5-21-2285760618-1546780000-830142390-7708
[2009/03/21 22:59:04, 7] nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77) Current tickets expire in 35425 seconds (at 1237704569, time is now 1237669144)
[2009/03/21 22:59:05, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64) Search for (|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1.2)) in <CN=Schema,CN=Configuration,DC=bothi,DC=fi> gave 0 replies
[2009/03/21 22:59:05, 3] libads/ldap_schema.c:ads_check_posix_schema_mapping(243) ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
[2009/03/21 22:59:05, 2] nsswitch/idmap_ad.c:ad_idmap_cached_connection(152) ad_idmap_cached_connection: Failed to obtain schema details!
[2009/03/21 22:59:05, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514) ADS uninitialized
[2009/03/21 22:59:05, 2] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1163) ERROR: NTSTATUS = 0xc0000001

smb.conf:
[global]
# general part
security = ADS
interfaces = eth0
realm = DOMAIN.FI
workgroup = DOMAIN
netbios name = LUPUS
domain master = no
local master = no
preferred master = no
server string = %h
encrypt passwords = yes
wins support = no
wins server = ad1.domain.fi
use kerberos keytab = yes
password server = ad1.domain.fi

# logging
log level = 8
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

#winbind
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
winbind separator = +
winbind nss info = rfc2307
winbind cache time = 120
idmap backend = ad
idmap uid = 2000-20000
idmap gid = 2000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
client use spnego = yes
Petteri Heinonen
2009-Mar-22 20:46 UTC
[Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28
Ok, after examining the source code for a couple of hours, I found a solution. Added this in smb.conf:

idmap config HOMELINUX:schema_mode = sfu

and now wbinfo -i <username> works as expected. It seems that merely having

winbind nss info = sfu

in the config was not enough for idmap to start using the SFU schema.

-Petteri Heinonen

-----Original Message-----
From: samba-bounces+petteri.heinonen=sasken.com@lists.samba.org [mailto:samba-bounces+petteri.heinonen=sasken.com@lists.samba.org] On Behalf Of Petteri Heinonen
Sent: 21 March 2009 23:09
To: samba@lists.samba.org
Subject: [Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28
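The log in the first message shows why rfc2307 mode failed: idmap_ad searched the schema partition for the five RFC 2307 attribute OIDs and got 0 replies, which is exactly the forest state in which the SFU schema mode is the right choice. The script below is an added example, not code from the thread or from the Samba project: it runs the same kind of schema query with ldapsearch, decides the mode from what the forest actually carries, and emits the two smb.conf settings the reply found necessary. The SFU attribute names, the sample LDIF and its attributeID values, and the server and DN arguments are assumptions.

```python
# RFC 2307 attribute OIDs (uidNumber, gidNumber, gecos, homeDirectory,
# loginShell): the attributeId values the winbindd-idmap log above shows
# idmap_ad searching for under CN=Schema, where it got 0 replies.
RFC2307_OIDS = {"1.3.6.1.1.1.1.0", "1.3.6.1.1.1.1.1", "1.3.6.1.1.1.1.2",
                "1.3.6.1.1.1.1.3", "1.3.6.1.1.1.1.4"}
# Attribute names the SFU 3.x schema extension adds instead (assumed here).
SFU_NAMES = {"msSFU30UidNumber", "msSFU30GidNumber", "msSFU30Gecos",
             "msSFU30HomeDirectory", "msSFU30LoginShell"}

def ldapsearch_command(server, schema_dn):
    """ldapsearch invocation (GSSAPI, so the joined host's keytab suffices)
    that returns only the POSIX attributes present in the schema partition."""
    terms = [f"(attributeID={o})" for o in sorted(RFC2307_OIDS)]
    terms += [f"(lDAPDisplayName={n})" for n in sorted(SFU_NAMES)]
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{server}",
            "-b", schema_dn, "(|" + "".join(terms) + ")",
            "attributeID", "lDAPDisplayName"]

def parse_schema_ldif(ldif):
    """Collect attributeID OIDs and lDAPDisplayNames from the LDIF output."""
    oids, names = set(), set()
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "attributeid":
            oids.add(value.strip())
        elif sep and key.strip().lower() == "ldapdisplayname":
            names.add(value.strip())
    return oids, names

def choose_schema_mode(oids, names):
    """rfc2307 only if all five RFC 2307 attributes exist, else sfu, else None
    (neither extension installed, so idmap_ad cannot map any user)."""
    if RFC2307_OIDS <= oids:
        return "rfc2307"
    if SFU_NAMES <= names:
        return "sfu"
    return None

def winbind_settings(workgroup, mode):
    """Both smb.conf [global] lines the fix in the thread needed."""
    return [f"winbind nss info = {mode}", "idmap backend = ad",
            f"idmap config {workgroup}:schema_mode = {mode}"]

# Constructed sample (placeholder OIDs): an SFU-3.5-only schema, which is
# what the poster's forest looked like to idmap_ad.
SAMPLE_LDIF = "\n".join(
    f"dn: CN={n},CN=Schema,CN=Configuration,DC=example,DC=fi\n"
    f"lDAPDisplayName: {n}\nattributeID: 1.2.840.113556.1.6.18.1.{i}\n"
    for i, n in enumerate(sorted(SFU_NAMES), start=300))
```

Feed real output of ldapsearch_command(...) to parse_schema_ldif and pass the result to choose_schema_mode; a None result means the forest has no POSIX schema extension at all and no winbind setting will make idmap_ad work.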