marius klausen
2011-Jan-20 08:59 UTC
[Samba] fetch passwords from AD and group membership from /etc/group
Hi List,

I want to use Active Directory for my Samba users' passwords and /etc/group for storing group membership.

/etc/nsswitch.conf looks like:

group: file

Problem: the tests I ran show that the Samba server does not know about group membership (deleting a file from another user belonging to the same group fails). The same test works as expected when winbindd is switched off. What do I have to do to fix this while having winbindd running?

Regards,
Marius
TAKAHASHI Motonobu
2011-Jan-20 14:06 UTC
[Samba] fetch passwords from AD and group membership from /etc/group
2011/1/20 marius klausen <mariusklausen at gmx.net>:
> Hi List,
>
> I want to use Active Directory for my Samba users' passwords and /etc/group for storing group membership.
>
> /etc/nsswitch.conf looks like:
>
> group: file
>
> Problem: the tests I ran show that the Samba server does not know about group membership (deleting a file from another user belonging to the same group fails). The same test works as expected when winbindd is switched off. What do I have to do to fix this while having winbindd running?

While you need not run winbindd if you want to use Active Directory for authentication, if you do need to run it, idmap_nss may help you?

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
marius klausen
2011-Jan-21 10:54 UTC
[Samba] fetch passwords from AD and group membership from /etc/group
Hi Takahashi,

> While you need not run winbindd if you want to use Active Directory
> for authentication, if you do need to run it, idmap_nss may help you?

I want to use winbind to be able to log in just by providing the account name, not domainname\accountname.

I now added the following to my smb.conf:

idmap domains = MYDOMAIN
idmap uid = 6000-61000
idmap gid = 100-3000
idmap config MYDOMAIN: backend = nss

which does not change anything so far (smb + winbind restarted). The uid/gid ranges cover the values which are given to the accounts in /etc/passwd and /etc/group - maybe that is wrong?

Best regards,
Marius
TAKAHASHI Motonobu
2011-Jan-21 14:28 UTC
[Samba] fetch passwords from AD and group membership from /etc/group
2011/1/21 marius klausen <mariusklausen at gmx.net>:
> Hi Takahashi,
>
>> While you need not run winbindd if you want to use Active Directory
>> for authentication, if you do need to run it, idmap_nss may help you?
>
> I want to use winbind to be able to log in just by providing the account name, not domainname\accountname.

"winbind use default domain = yes" is what you want?

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
William Brown
2011-Jan-21 14:47 UTC
[Samba] fetch passwords from AD and group membership from /etc/group
On 20/01/2011, at 19:29, marius klausen wrote:
> Hi List,
>
> I want to use Active Directory for my Samba users' passwords and /etc/group for storing group membership.
>
> /etc/nsswitch.conf looks like:
>
> group: file
>
> Problem: the tests I ran show that the Samba server does not know about group membership (deleting a file from another user belonging to the same group fails). The same test works as expected when winbindd is switched off. What do I have to do to fix this while having winbindd running?
>

It won't know anything about your groups at all with nsswitch like this. You need to make it

group: files winbind

OR configure NSS_LDAP and make it

group: files ldap

Samba4 (and Active Directory on Windows also) supports POSIX schemas in its LDAP objects by default, so using samba-tool group add <name>, then doing an object modification on that in LDAP to add your needed POSIX data, is the most robust way (since GIDs will be consistent and controllable on all workstations).

Just be aware that AD does not allow anonymous reads, so your NSS_LDAP will need to be set up with a user account (preferably unprivileged) to read the LDAP tree. You will need a Domain Admin account to actually do the modify operation also.

> Regards, Marius

William Brown
Research & Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005
marius klausen
2011-Jan-21 14:47 UTC
[Samba] fetch passwords from AD and group membership from /etc/group
Hi,

>>> While you need not run winbindd if you want to use Active Directory
>>> for authentication, if you do need to run it, idmap_nss may help you?
>>
>> I want to use winbind to be able to log in just by providing the
>> account name, not domainname\accountname.
>
> "winbind use default domain = yes" is what you want?

Logging in with only the username, not domainname\username, already works fine. The missing part is that users cannot delete files in shares which were created by other users from the same Unix group although the group has write permissions. This starts working as soon as I switch winbind off, but then the domain name needs to be given during login, therefore I need to change winbind's behavior.

What I do not understand is that the logs show "connected to service xy ... as user abc (uid=n gid=m)" but the user still has problems deleting files although its gid seems right according to the logfile.

Any more hints?

Marius
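As an added example (not part of the thread and not Samba's own tooling), here are the two offline checks a reader of this thread would want before touching the server. William Brown's reply says the group: line must read "files winbind" (or "files ldap"), and glibc skips a source name it cannot load (it looks for libnss_<name>.so.2) without reporting any error, so a misspelt source name behaves like a silent no-op. The smbd log line Marius quotes reports only the uid and the primary gid, not the supplementary groups /etc/group grants, so the second check lists those. The script parses constructed copies of /etc/nsswitch.conf, /etc/passwd and /etc/group; the file names, the function names (nss_sources, nss_check_group, group_members, primary_gid, user_has_gid) and the sample users abc/xyz are this example's own. The "file" spelling in the bad sample is copied from the line as it appears in the original post.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for (1) the sources on
# the "group:" line of /etc/nsswitch.conf and (2) which gids a user actually
# gets from /etc/passwd and /etc/group. All inputs below are constructed.

NSS_KNOWN="files winbind ldap compat nis nisplus db sss"

# nss_sources NSSWITCH DB: print the lookup sources for DB (e.g. group),
# comments stripped and action specifiers such as [NOTFOUND=return] dropped.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$1"
}

# nss_check_group NSSWITCH: return 0 when the group line is usable for a
# winbind member server, otherwise print one message per problem and
# return 1. glibc loads libnss_<name>.so.2 per source and skips a name it
# cannot load without any diagnostic, so typos here are silent.
nss_check_group() {
    srcs=$(nss_sources "$1" group)
    rc=0
    for s in $srcs; do
        case " $NSS_KNOWN " in
            *" $s "*) ;;
            *) echo "group: unknown source '$s' (no libnss_$s.so.2; silently skipped)"; rc=1 ;;
        esac
    done
    case " $srcs " in
        *" winbind "*|*" ldap "*|*" sss "*) ;;
        *) echo "group: only '$srcs'; neither winbind nor ldap is consulted"; rc=1 ;;
    esac
    return $rc
}

# group_members GROUPFILE USER: groups listing USER in the member field
# (4th field of /etc/group), printed as "name:gid", one per line.
group_members() {
    awk -F: -v u="$2" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1 ":" $3; break }
        }' "$1"
}

# primary_gid PASSWDFILE USER: the gid field (4th) of USER's passwd entry.
primary_gid() {
    awk -F: -v u="$2" '$1 == u { print $4; exit }' "$1"
}

# user_has_gid GROUPFILE PASSWDFILE USER GID: 0 if USER gets GID as primary
# group or through a /etc/group member line, 1 otherwise. This is the
# question the "uid=n gid=m" log line alone cannot answer.
user_has_gid() {
    [ "$(primary_gid "$2" "$3")" = "$4" ] && return 0
    group_members "$1" "$3" | awk -F: -v g="$4" '$2 == g { found = 1 } END { exit !found }'
}

# write_samples DIR: constructed inputs. nsswitch.bad copies the group line
# from the original post; nsswitch.good is the form recommended in the thread.
write_samples() {
    cat > "$1/nsswitch.bad" <<'EOF'
passwd:         files winbind
group:          file        # as posted; glibc finds no libnss_file.so.2
EOF
    cat > "$1/nsswitch.good" <<'EOF'
passwd:         files winbind
group:          files [NOTFOUND=continue] winbind
EOF
    cat > "$1/passwd" <<'EOF'
abc:x:6001:6001::/home/abc:/bin/sh
xyz:x:6002:6002::/home/xyz:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
abc:x:6001:
xyz:x:6002:
project:x:200:abc,xyz
wheel:x:10:xyz
EOF
}

# Stand-alone demonstration on the constructed files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in nsswitch.bad nsswitch.good; do
    printf '%s: group -> "%s"\n' "$f" "$(nss_sources "$demo_dir/$f" group)"
    nss_check_group "$demo_dir/$f" && echo "$f: group line OK"
done
printf 'abc supplementary groups: %s\n' "$(group_members "$demo_dir/group" abc | tr '\n' ' ')"
user_has_gid "$demo_dir/group" "$demo_dir/passwd" abc 200 && echo "abc gets gid 200 via /etc/group"
user_has_gid "$demo_dir/group" "$demo_dir/passwd" abc 10 || echo "abc does not get gid 10"
rm -rf "$demo_dir"
```

On a live member server the same questions are answered with getent group <name>, id <user> and wbinfo -i <user> once the nsswitch line is right; the awk here deliberately reads files instead of going through NSS so it can be run on a copy of the configuration first.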