Hi guys,

First time poster, so I do apologize if this question has been asked before.

In a test setup we are trying to use samba4 to authenticate a small network with Linux, Win, and OSX clients. I have successfully deployed samba4 in domain controller mode, can attach Windows machines to it, and manage the DC via Windows tools.

We can also join Linux servers to the domain; however, my problem is as follows. When attempting to log into a Linux server, excluding local users, the only directory user that can log in is the Administrator. Any other directory user that attempts to log in gets a "No Logon Servers"; however, if I move that same user into the Domain Admins group they can log in with no issues (yes, as UID=0) as reported in /var/log/secure.

Can someone please explain why this happens, and what step I have missed that would allow regular users to log in?

That being said, my second question is: is it possible to have the samba4 server in domain controller mode, but have Linux clients authenticate via LDAP as opposed to winbind? For example, when configuring an authentication method, would it be possible to use LDAP instead of samba/winbind? I tried to configure LDAP (correct base, host, uri, etc.) but it doesn't seem to pull any info, e.g. id or getent doesn't work.

Any pointers are greatly appreciated. I am just testing out the capabilities of 4. I understand it's still in Alpha but hope you guys might have some experience with it.

Thanks

Aly

On 04/03/2011 07:24 PM, Aly Khimji wrote:
> Hi guys,
>
> First time poster, so I do apologize if this question has been asked before.
>
> In a test setup we are trying to use samba4 to authenticate a small network
> with Linux, Win, and OSX clients. I have successfully deployed samba4 in
> domain controller mode, can attach Windows machines to it, and manage the DC
> via Windows tools.
> We can also join Linux servers to the domain; however, my problem is as
> follows. When attempting to log into a Linux server, excluding local users,
> the only directory user that can log in is the Administrator. Any other
> directory user that attempts to log in gets a "No Logon Servers"; however, if
> I move that same user into the Domain Admins group they can log in with no
> issues (yes, as UID=0) as reported in /var/log/secure.
>
> Can someone please explain why this happens, and what step I have missed
> that would allow regular users to log in?
>

In smb.conf set

    template shell = /bin/bash

> That being said, my second question is: is it possible to have the samba4
> server in domain controller mode, but have Linux clients authenticate via
> LDAP as opposed to winbind?

You have to use winbind or you will not get the right id mapping.

    [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    password server = 192.168.173.10
    log file = /var/log/samba/samba3.log
    ldap ssl = no
    idmap backend = idmap_rid:EXAMPLE=500-4000000
    idmap uid = 500-4000000
    idmap gid = 500-4000000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind offline logon = Yes

> For example, when configuring an authentication method, would it be possible
> to use LDAP instead of samba/winbind? I tried to configure LDAP (correct
> base, host, uri, etc.) but it doesn't seem to pull any info, e.g. id or
> getent doesn't work.

In /etc/nsswitch.conf

    passwd: files winbind
    shadow: files winbind
    group: files winbind

and link 2 modules. These are for a 64 bit system; if yours is not, just remove 64 from the links.

    ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
    ln -s /usr/local/samba/lib/pam_winbind.so /lib64/security/pam_winbind.so

> Any pointers are greatly appreciated. I am just testing out
> the capabilities of 4. I understand it's still in Alpha but hope you guys
> might have some experience with it.
>
> Thanks
>
> Aly
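
Added example (not part of the original messages): a small shell check for the nsswitch.conf entries and module links described in the reply above, useful before testing logins with id or getent. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the nsswitch.conf entries and module links
# described in the reply above. Function names are this example's own.

# missing_winbind FILE: print the databases among passwd, shadow and group
# whose line in FILE is absent or does not list "winbind" as a source.
missing_winbind() {
    missing=""
    for db in passwd shadow group; do
        # Strip comments, pick the line for this database (the last one if
        # it is repeated) and normalise its source list to single spaces.
        sources=$(sed 's/#.*//' "$1" | awk -F: -v db="$db" '
            $1 ~ ("^[ \t]*" db "[ \t]*$") { s = " " $2 " "; gsub(/[ \t]+/, " ", s) }
            END { print s }')
        case "$sources" in
            *" winbind "*) ;;
            *) missing="$missing $db" ;;
        esac
    done
    echo "${missing# }"
}

# dangling_links LINK...: print every path that is not a symlink resolving
# to an existing file ([ -e ] follows the link to its target).
dangling_links() {
    bad=""
    for link in "$@"; do
        if [ ! -L "$link" ] || [ ! -e "$link" ]; then bad="$bad $link"; fi
    done
    echo "${bad# }"
}

# Constructed sample: group has no winbind source, shadow is commented out.
demo=$(mktemp -d)
printf '%s\n' 'passwd: files winbind' '#shadow: files winbind' \
    'group:  files' > "$demo/nsswitch.conf"
ln -s "$demo/nsswitch.conf" "$demo/good.so"
ln -s "$demo/no-such-module.so" "$demo/broken.so"

echo "databases without winbind: $(missing_winbind "$demo/nsswitch.conf")"
echo "dangling links: $(dangling_links "$demo/good.so" "$demo/broken.so")"
```

On a real client the functions would be pointed at /etc/nsswitch.conf and at the two link paths created with ln -s; empty output from both means the entries and links are in place.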

Hi,

as far as I know samba4 does not support local users yet. So your linux boxes must use samba winbind in some kind. I don't think that a samba ads to ldap sync is working by now. However on some linux boxes esp. suse I think has the support to manage ads auth by yast. This should be working against samba 4 ads or windows ads.

Good Luck
Daniel

-----------------------------------------------
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Aly Khimji
Sent: Monday, 4 April 2011 02:24
To: samba at lists.samba.org
Subject: [Samba] Samba4 AD/LDAP question