On Mon, 17 Apr 2017 14:28:12 -0300
Luiz Guilherme Nunes Fernandes <narutospinal at gmail.com> wrote:

> This problem, in the computer park there is a domain controller
> microsoft without shared printers, I need to use another server with
> samba shares + cups, but with authentication in the microsoft active
> directory. I try parameters security = ads (join machine in domain)
> and user ( can't read users with nslcd and nsswitch , but only work
> with ssh and apache.
>
> Topology
>
> 1 server microsoft windows ( Have user and groups tree and shared
> paste) ( This server ok, work with pdc, and shared paste )
> 1 Linux with samba and need only shared printers with authentication
> in previous server . ( No work )
>
>
> Rowland Penny
> What I basically want to do is use the users and groups from the
> active directory in my new samba with shared printers. What I can not
> do this authentication.
>
> This question is, I can use winbind for new shared printers? I join
> the machine in domain, and cups work with anonymous. But any idea?
>
>
> # My mini tutorial
>
> #########################
> (First test)
> #########################
>
> realm join --client-software=winbind -U login NONAME.COM.BR
> realm list
> authconfig --enablewinbindusedefaultdomain --update
>
> wbinfo -t
> wbinfo -g
> wbinfo -u
>
> Work (join in domain, and list groups and users)
>
> I can use for authentication ssh and apache (work)
>
> ### My problem
> Actually File with winbind
>
> workgroup = NONAME
> realm = NONAME.COM.BR
> security = ads
> idmap config * : range = 16777216-33554431
> template homedir = /home/%U@%D
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = true
> log file = /var/log/samba/log.%m
> log level = 3
>
>
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> winbind refresh tickets = yes
> winbind enum groups = no
> winbind enum users = no
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> valid users = abc, bcd, dce, @grups_printers
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = root
> create mask = 0664
> directory mask = 0775
>
> #########################
> (Second test)
>
> ### My problem
> #########################
>
> yum install -y nss-pam-ldapd nscd
>
> ldapsearch ( work, I can search and groups and users too)
>
> nslcd.conf work too
>
> I can use for authentication ssh and apache (work)
>
> ### My problem
> Actually File with samba
> [global]
>
> workgroup = NOMEDOMINIO
> netbios name = MADAGASCAR
> server string = Servidor de Arquivos
>
> security = user
> encrypt passwords = true
> enable privileges = yes
> passdb backend = tdbsam
>
> printing = cups
> load printers = yes
>
> enable privileges = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> [print$]
>
> path = /var/samba/printers
> read only = yes
> write list = printer
> inherit permissions = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = yes
> guest ok = yes
> writable = no
> printable = yes
> valid users = abc, bcd, dce, @grups_printers
>
>

Are you using sssd as well?
If so, you should decide which to use, sssd or winbind, you cannot use
both.

If you are not using sssd, you haven't set up the smb.conf correctly,
see the pages I pointed you to.

If you are using sssd and want to continue using it, you should remove
winbind and then contact the sssd-users mailing list, this is not a
Samba problem.

Rowland

Well, I don't have sssd installed.

With winbind I install these packages:
yum install realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python samba-winbind-clients

My nsswitch.conf

passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind

2017-04-17 14:35 GMT-03:00 Rowland Penny <rpenny at samba.org>:

> On Mon, 17 Apr 2017 14:28:12 -0300
> Luiz Guilherme Nunes Fernandes <narutospinal at gmail.com> wrote:
>
> > This problem, in the computer park there is a domain controller
> > microsoft without shared printers, I need to use another server with
> > samba shares + cups, but with authentication in the microsoft active
> > directory. I try parameters security = ads (join machine in domain)
> > and user ( can't read users with nslcd and nsswitch , but only work
> > with ssh and apache.
> >
> > Topology
> >
> > 1 server microsoft windows ( Have user and groups tree and shared
> > paste) ( This server ok, work with pdc, and shared paste )
> > 1 Linux with samba and need only shared printers with authentication
> > in previous server . ( No work )
> >
> >
> > Rowland Penny
> > What I basically want to do is use the users and groups from the
> > active directory in my new samba with shared printers. What I can not
> > do this authentication.
> >
> > This question is, I can use winbind for new shared printers? I join
> > the machine in domain, and cups work with anonymous. But any idea?
> >
> >
> > # My mini tutorial
> >
> > #########################
> > (First test)
> > #########################
> >
> > realm join --client-software=winbind -U login NONAME.COM.BR
> > realm list
> > authconfig --enablewinbindusedefaultdomain --update
> >
> > wbinfo -t
> > wbinfo -g
> > wbinfo -u
> >
> > Work (join in domain, and list groups and users)
> >
> > I can use for authentication ssh and apache (work)
> >
> > ### My problem
> > Actually File with winbind
> >
> > workgroup = NONAME
> > realm = NONAME.COM.BR
> > security = ads
> > idmap config * : range = 16777216-33554431
> > template homedir = /home/%U@%D
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = true
> > winbind offline logon = true
> > log file = /var/log/samba/log.%m
> > log level = 3
> >
> >
> > passdb backend = tdbsam
> > printing = cups
> > printcap name = cups
> > load printers = yes
> > cups options = raw
> > winbind refresh tickets = yes
> > winbind enum groups = no
> > winbind enum users = no
> >
> > [homes]
> > comment = Home Directories
> > valid users = %S, %D%w%S
> > browseable = No
> > read only = No
> > inherit acls = Yes
> >
> > [printers]
> > comment = All Printers
> > path = /var/tmp
> > printable = Yes
> > create mask = 0600
> > browseable = No
> > valid users = abc, bcd, dce, @grups_printers
> >
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/drivers
> > write list = root
> > create mask = 0664
> > directory mask = 0775
> >
> > #########################
> > (Second test)
> >
> > ### My problem
> > #########################
> >
> > yum install -y nss-pam-ldapd nscd
> >
> > ldapsearch ( work, I can search and groups and users too)
> >
> > nslcd.conf work too
> >
> > I can use for authentication ssh and apache (work)
> >
> > ### My problem
> > Actually File with samba
> > [global]
> >
> > workgroup = NOMEDOMINIO
> > netbios name = MADAGASCAR
> > server string = Servidor de Arquivos
> >
> > security = user
> > encrypt passwords = true
> > enable privileges = yes
> > passdb backend = tdbsam
> >
> > printing = cups
> > load printers = yes
> >
> > enable privileges = yes
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> >
> > [print$]
> >
> > path = /var/samba/printers
> > read only = yes
> > write list = printer
> > inherit permissions = yes
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = yes
> > guest ok = yes
> > writable = no
> > printable = yes
> > valid users = abc, bcd, dce, @grups_printers
> >
> >
> >
>
> Are you using sssd as well?
> If so, you should decide which to use, sssd or winbind, you cannot use
> both.
>
> If you are not using sssd, you haven't set up the smb.conf correctly,
> see the pages I pointed you to.
>
> If you are using sssd and want to continue using it, you should remove
> winbind and then contact the sssd-users mailing list, this is not a
> Samba problem.
>
> Rowland
>

--
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>
< Jesus said to him: I am the way, and the truth, and the life; no one comes to the Father except through me > (John 14:6)
Regards,
♪ ♫ Luiz Guilherme Nunes Fernandes ♫ ♪
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>

On Mon, 17 Apr 2017 14:57:45 -0300
Luiz Guilherme Nunes Fernandes <narutospinal at gmail.com> wrote:

> Well, I don't have sssd installed.

OK, now we know that ;-)

>
> With winbind I install these packages:
> yum install realmd oddjob oddjob-mkhomedir adcli samba-common
> samba-common-tools krb5-workstation openldap-clients
> policycoreutils-python samba-winbind-clients

I use Devuan and install these:

samba acl attr quota fam winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

You probably have the red-hat versions of these packages installed, but
it might be worth checking.

>
> My nsswitch.conf
>
> passwd: files ldap winbind
> shadow: files ldap winbind
> group: files ldap winbind

Remove 'ldap' you do not need it and it will use 'ldap' before 'winbind'

> > > # My mini tutorial
> > >
> > > #########################
> > > (First test)
> > > #########################
> > >
> > > realm join --client-software=winbind -U login NONAME.COM.BR
> > > realm list
> > > authconfig --enablewinbindusedefaultdomain --update
> > >
> > > wbinfo -t
> > > wbinfo -g
> > > wbinfo -u
> > >
> > > Work (join in domain, and list groups and users)

You need to get 'getent' to show your users & groups, until they are
shown, your OS doesn't know them.

> > >
> > > I can use for authentication ssh and apache (work)

Use the info on the wiki page I posted for apache.

> > >
> > > ### My problem
> > > Actually File with winbind
> > >
> > > workgroup = NONAME
> > > realm = NONAME.COM.BR
> > > security = ads
> > > idmap config * : range = 16777216-33554431
> > > template homedir = /home/%U@%D
> > > template shell = /bin/bash
> > > kerberos method = secrets only
> > > winbind use default domain = true
> > > winbind offline logon = true

Use 'security = ads' and add something like

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NONAME : backend = rid
idmap config NONAME : range = 10000-999999

You can change the ranges if you like, but there is no real point.

Incidentally, the range you used '167777216-33554431' looks like the
numbers sssd uses.

Please read the wiki pages I pointed you to, if you follow them, you
should end up with a working system that does what you require.

Rowland
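
Added example, not part of the thread: a small Python check for the two points raised in the last reply, 'ldap' listed ahead of 'winbind' in nsswitch.conf and the idmap layout in smb.conf (security = ads, plus a backend and a non-overlapping range for '*' and for the workgroup domain). The inputs are constructed from the files quoted above, and the function names are made up for this example.

```python
import re

# Constructed inputs modelled on the files quoted in the thread.
NSSWITCH = "passwd: files ldap winbind\nshadow: files ldap winbind\ngroup: files ldap winbind\n"
SMB_CONF = """[global]
workgroup = NONAME
realm = NONAME.COM.BR
security = ads
idmap config * : range = 16777216-33554431
"""

def check_nsswitch(text):
    """Flag passwd/group lines that lack winbind or consult ldap before it."""
    findings = []
    for line in text.splitlines():
        db, _, rest = line.partition(":")
        db, sources = db.strip(), rest.split()
        if db not in ("passwd", "group"):
            continue
        if "winbind" not in sources:
            findings.append(f"{db}: winbind missing")
        elif "ldap" in sources and sources.index("ldap") < sources.index("winbind"):
            findings.append(f"{db}: ldap is consulted before winbind")
    return findings

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)",
                      re.M | re.I)

def check_idmap(text):
    """Check security = ads and a backend plus non-overlapping range per idmap domain."""
    findings, domains = [], {}
    if not re.search(r"^\s*security\s*=\s*ads\s*$", text, re.M | re.I):
        findings.append("security is not ads")
    for dom, opt, val in IDMAP_RE.findall(text):
        domains.setdefault(dom.upper(), {})[opt.lower()] = val
    wg = re.search(r"^\s*workgroup\s*=\s*(\S+)", text, re.M | re.I)
    for dom in ["*"] + ([wg.group(1).upper()] if wg else []):
        for opt in ("backend", "range"):
            if opt not in domains.get(dom, {}):
                findings.append(f"idmap config {dom} : {opt} not set")
    spans = sorted((*map(int, d["range"].split("-")), dom)
                   for dom, d in domains.items() if "range" in d)
    for (_, hi, a), (lo, _, b) in zip(spans, spans[1:]):
        if lo <= hi:  # the next range starts inside the previous one
            findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings

if __name__ == "__main__":
    print(check_nsswitch(NSSWITCH), check_idmap(SMB_CONF), sep="\n")
```

An empty list from both functions only says the files match the suggested layout; 'getent passwd' and 'getent group' showing the domain accounts is still the test that the OS knows them.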