samba - Jan 2010 - Samba as domain member to another samba PDC

Hello,

we have a somewhat unusual setup:
- currently, Windows 2000 workstations in a NT4-Style domain with a
samba 3 server as PDC. User account data for both UNIX and Samba is kept
in LDAP.
- now, several workstations should be migrated to Ubuntu, using the same
LDAP directory (and NFS homes) for User account data. Users need to be
able to share files with windows workstations, using samba.

I have managed to join samba on the Ubuntu test machines to the domain,
and any manually created shares in smb.conf can be accessed by windows
users as well as other users on other Ubuntu clients.
I have set in smb.conf on the client:
security = domain
password server = *
domain = MYDOM
(passdb backend is not set)

But I'd like to use system-config-samba from Ubuntu as a GUI to let the
users create their own shares (somewhat risky, I know, but currently the
best solution). system-config-samba relies on the output of "pdbedit
-L"
to let the user choose which users can access which share. In the above
setup, the output of "pdbedit -L" is empty.

I tried adding
passdb backend = ldapsam:ldap://1.2.3.4
and the neccessary ldap options to smb.conf on the client and have set
the LDAP admin password using "smbpasswd -W". Now, "pdbedit
-L"
complains "SID 1-2-3-4-5 does not belong to our domain", and
system-config-samba shows the same line instead of the users name for
every user in the database.

So, essentially, the question is: how can a samba domain member get a
list of users using "pdbedit -L"?
As I understand it, the whole winbind/idmap stuff is neccessary only for
mapping users on a windows PDC to (temporary) UNIX users, but we already
have real permanent UNIX users, so I do not need winbind/idmap, right?

Thanks,
Andreas

Daniel M?ller schrieb:
> Hello,
> when i have read wright. You joined an ubuntu samba pc to your samba
> domain!
> testparm gives you: ROLE_DOMAIN_MEMBER?
Correct.
> First of all your domain member must have exactly the same users and
> passwords as your pdc/ldap.
> You can do that with installing ldapclient. Configure it with
> ldapserver: your pdc/ldap.
> Now getent passwd and getend group should show you all your
> users/groups kept on you pdc/ldap.
I did that using libpam-ldap/libnsswitch-ldap. getent group/passwd
returns what you say, and user authentication on the UNIX side works
well.
> If you succed with this. You need in your smb.conf:
> security=DOMAIN
> password server=YOUR-PDC-LDAP
I have password server = *, but explicitly setting the PDC changes
nothing.
> For me I had to copy my ladp config section from my smb.conf on my PDC
> here:
> ldap....
> idmap backend=ldap:ldap://YOUR-PDC-LDAP
> idmap uid...
> idmap gid....
>
I do not currently have the idmap... things, since I thought I do not
need them. I tried, and it changed nothing. "pdbedit -L" still returns
"SID ... does not belong to our domain". What does it return on your
machine?

Bye,
Andreas

Daniel M?ller schrieb:
> Hello,
> with pdbedit -L on my MemberServer (Samba) I could not list the domain
> users and groups!
> With pdbedit -L it is only working on my PDC(Samba)
I assume then this is - at least at the moment - "normal" behaviour of
pdbedit. Perhaps someone else on this list can tell me if this is going
to change or has already changed e.g. with Samba 4.
> Try getent passwd and getent group instead. If there show up your
> users and groups.
> try example:  touch test.txt and then  chown
> yourdomainuser:thisuserdomaingroup.
> If this function you can test next: Make a share on your
> SambaMemberServer. Give the rights to a user
> only known in your SambaDomain (no local user!!!!) . Try to connect
> the share as this user.
> If this is working you got it.
I already did that, and it works. That's not the point I'm asking for.
As I wrote in my first post, I want to use a GUI for creating samba
shares that relies on the output of pdbedit -L for listing users which
are allowed/denied access. If pdbedit -L does not work, I will either
have to write my own "pdbedit" which wil mimic the expected output by
calling ldapsearch and formatting the output like pdbedit does. Or I
will have to find another suitable GUI.

Thank you for your help,
Andreas