Andreas Heinlein
2010-Jan-04 12:40 UTC
[Samba] Samba as domain member to another samba PDC
Hello,

we have a somewhat unusual setup:

- currently, Windows 2000 workstations in a NT4-style domain with a samba 3 server as PDC. User account data for both UNIX and Samba is kept in LDAP.
- now, several workstations should be migrated to Ubuntu, using the same LDAP directory (and NFS homes) for user account data. Users need to be able to share files with Windows workstations, using samba.

I have managed to join samba on the Ubuntu test machines to the domain, and any manually created shares in smb.conf can be accessed by Windows users as well as other users on other Ubuntu clients.

I have set in smb.conf on the client:

security = domain
password server = *
domain = MYDOM

(passdb backend is not set)

But I'd like to use system-config-samba from Ubuntu as a GUI to let the users create their own shares (somewhat risky, I know, but currently the best solution). system-config-samba relies on the output of "pdbedit -L" to let the user choose which users can access which share. In the above setup, the output of "pdbedit -L" is empty.

I tried adding

passdb backend = ldapsam:ldap://1.2.3.4

and the necessary ldap options to smb.conf on the client and have set the LDAP admin password using "smbpasswd -W". Now, "pdbedit -L" complains "SID 1-2-3-4-5 does not belong to our domain", and system-config-samba shows the same line instead of the user's name for every user in the database.

So, essentially, the question is: how can a samba domain member get a list of users using "pdbedit -L"? As I understand it, the whole winbind/idmap stuff is necessary only for mapping users on a Windows PDC to (temporary) UNIX users, but we already have real permanent UNIX users, so I do not need winbind/idmap, right?

Thanks,
Andreas
Andreas Heinlein
2010-Jan-04 13:56 UTC
[Samba] Samba as domain member to another samba PDC
Daniel Müller wrote:
> Hello,
> if I have read right, you joined an Ubuntu samba PC to your samba
> domain!
> testparm gives you: ROLE_DOMAIN_MEMBER?

Correct.

> First of all your domain member must have exactly the same users and
> passwords as your pdc/ldap.
> You can do that with installing ldapclient. Configure it with
> ldapserver: your pdc/ldap.
> Now getent passwd and getent group should show you all your
> users/groups kept on your pdc/ldap.

I did that using libpam-ldap/libnsswitch-ldap. getent group/passwd returns what you say, and user authentication on the UNIX side works well.

> If you succeed with this, you need in your smb.conf:
> security=DOMAIN
> password server=YOUR-PDC-LDAP

I have password server = *, but explicitly setting the PDC changes nothing.

> For me I had to copy my ldap config section from my smb.conf on my PDC
> here:
> ldap....
> idmap backend=ldap:ldap://YOUR-PDC-LDAP
> idmap uid...
> idmap gid....
>

I do not currently have the idmap... things, since I thought I do not need them. I tried, and it changed nothing. "pdbedit -L" still returns "SID ... does not belong to our domain". What does it return on your machine?

Bye,
Andreas
Andreas Heinlein
2010-Jan-05 12:19 UTC
[Samba] Samba as domain member to another samba PDC
Daniel Müller wrote:
> Hello,
> with pdbedit -L on my MemberServer (Samba) I could not list the domain
> users and groups!
> With pdbedit -L it is only working on my PDC (Samba)

I assume then this is - at least at the moment - "normal" behaviour of pdbedit. Perhaps someone else on this list can tell me if this is going to change or has already changed e.g. with Samba 4.

> Try getent passwd and getent group instead. If there show up your
> users and groups,
> try example: touch test.txt and then chown
> yourdomainuser:thisuserdomaingroup.
> If this functions you can test next: Make a share on your
> SambaMemberServer. Give the rights to a user
> only known in your SambaDomain (no local user!!!!). Try to connect
> the share as this user.
> If this is working you got it.

I already did that, and it works. That's not the point I'm asking for. As I wrote in my first post, I want to use a GUI for creating samba shares that relies on the output of pdbedit -L for listing users which are allowed/denied access. If pdbedit -L does not work, I will either have to write my own "pdbedit" which will mimic the expected output by calling ldapsearch and formatting the output like pdbedit does. Or I will have to find another suitable GUI.

Thank you for your help,
Andreas
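As an added illustration of the "own pdbedit" idea from the last message (example code, not from the thread or from Samba): it turns `ldapsearch -LLL` output for sambaSamAccount entries into the `username:uid:fullname` lines that `pdbedit -L` prints (that line format is assumed from Samba 3's pdbedit.c), and it applies the same check pdbedit trips over, listing only accounts whose sambaSID sits under the member's local domain SID. The LDIF sample, names and SIDs are constructed; on a real system the domain SID would come from the PDC (`net getlocalsid`).

```python
# Emulate the user list of `pdbedit -L` from `ldapsearch -LLL` output (LDIF).
# Assumed line format (from Samba's pdbedit.c): username:uid:fullname. Accounts
# whose sambaSID is not under the local domain SID are reported, not listed.
import base64
# Constructed sample shaped like sambaSamAccount entries; names and SIDs are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 1001
displayName: Alice Example
sambaSID: S-1-5-21-111-222-333-3002

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
uidNumber: 1002
cn:: Qm9iIEV4YW1wbGU=
sambaSID: S-1-5-21-999-888-777-3004
"""
DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed; on a real PDC see `net getlocalsid`

def parse_ldif(text):
    """Split LDIF into one {attr: value} dict per entry (single-valued attrs only)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # "attr:: <base64>" form used for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode()
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries

def pdbedit_lines(ldif_text, domain_sid):
    """Return (listed_lines, foreign), foreign holding (uid, sid) of skipped accounts."""
    listed, foreign = [], []
    for e in parse_ldif(ldif_text):
        if "sambaSID" not in e:       # plain POSIX account, not a Samba account
            continue
        sid = e["sambaSID"]
        if not sid.startswith(domain_sid + "-"):
            foreign.append((e.get("uid", "?"), sid))
            continue
        fullname = e.get("displayName") or e.get("cn", "")
        listed.append(f"{e['uid']}:{e['uidNumber']}:{fullname}")
    return listed, foreign
```

Running `pdbedit_lines(SAMPLE_LDIF, DOMAIN_SID)` lists alice and reports bob's SID as belonging to another domain, which is exactly the condition behind the "does not belong to our domain" message.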