Hi,
We are having some issues with LDAP authentication. Here is our setup:
PDC and LDAP (Samba classic) = dc01
Samba classic domain = stdom
Member server = fs01
We migrated from TDB to LDAP. The old TDB users are able to login to the domain
and access file shares without issues. Any new user created in LDAP is not able
to access the shares. When trying to create shared drives for the new users on
fs01 we get
chown: invalid user: `stdom\\ldaptest01:stdom\\domain users'
The smb.conf for fs01 is:
Global parameters
[global]
        workgroup = stdom
        netbios name = fs01
        security = domain
        wins server = 192.168.1.18
#       password server = 192.168.1.18
        local master = no
        domain master = no
        preferred master = no
        domain logons = no
        passdb backend = ldapsam:ldap://192.168.1.18
        ldap admin dn = cn=admin,dc=stdom
        ldap suffix = dc=stdom
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap user suffix = ou=users
        idmap backend = ldap
        ldap idmap suffix = ou=idmap
        idmap config * : backend = ldap
        idmap config * : range = 20000-29999
        idmap config * : ldap_url = ldap://192.168.1.18
        idmap config * : ldap_base_dn = ou=idmap,dc=stdom
        idmap config * : ldap_user_dn = cn=admin,dc=stdom
        ldap delete dn = no
#       ldap password sync = yes
        ldap ssl = off
#       winbind expand groups = 1
#       winbind trusted domains only = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
The /etc/nsswitch.conf is:
#passwd:         compat
#group:          compat
shadow:         compat
passwd:         winbind files
group:          winbind files
We have tried 'files winbind' too.
Other info:
- fs01 is joined to the PDC using net rpc join.
- getent passwd doesn't list the new users.
- wbinfo -u lists all the users in LDAP.
- we are using lib-nss on the PDC to authenticate the users.
- ufw is disabled on both.
Any suggestions?
Regards,
Praveen Ghimire
On Fri, 6 Apr 2018 07:07:24 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> Hi,
>
> We are having some issues with LDAP authentication. Here is our setup
>
> PDC and LDAP(samba classic) = dc01
> SambaClassic domain = stdom
> Member server = fs01
>
> - fs01 is joined to the pdc using net rpc join.
> - getent passwd doesn't list the new users.
> - wbinfo -u lists all the users in LDAP
> - we are using lib-nss in PDC to authenticate the users
> - ufw is disabled in both
>
I can confirm that a Unix domain member of an NT4-style domain doesn't work for users: groups yes, users no. I have tried every permutation of 'idmap config' lines I can think of, including the deprecated 'idmap uid' and 'idmap gid'. Most of the time 'winbind' crashed, but this is probably down to the settings in smb.conf, even though 'testparm' showed no errors. One very strange thing I had to do (and I have never had to do before): I had to set the 'netbios name' to the same value as the 'workgroup' parameter. Without this, neither 'wbinfo -u' nor 'wbinfo -g' worked. The reason seems to be that 'winbind' cannot find a Unix account for the users. Adding a Unix user doesn't help either.

Rowland
Hi,
I've gone through the following link about member servers and also Samba 3
by Example, and can confirm that nscd is not enabled.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
We are having some issues with LDAP authentication. Here is our setup:
PDC and LDAP (Samba classic) = dc01
Samba classic domain = stdom
Member server = fs01
We migrated from TDB to LDAP. The old TDB users are able to login to the domain
and access file shares without issues. Any new user created in LDAP is not able
to access the shares. When trying to create shared drives for the new users on
fs01 we get
chown: invalid user: `stdom\\ldaptest01:stdom\\domain users'
The smb.conf for fs01 is:
Global parameters
[global]
        workgroup = stdom
        netbios name = fs01
        security = domain
        wins server = 192.168.1.18
#       password server = 192.168.1.18
        local master = no
        domain master = no
        preferred master = no
        domain logons = no
        passdb backend = ldapsam:ldap://192.168.1.18
        ldap admin dn = cn=admin,dc=stdom
        ldap suffix = dc=stdom
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap user suffix = ou=users
        idmap backend = ldap
        ldap idmap suffix = ou=idmap
        idmap config * : backend = ldap
        idmap config * : range = 20000-29999
        idmap config * : ldap_url = ldap://192.168.1.18
        idmap config * : ldap_base_dn = ou=idmap,dc=stdom
        idmap config * : ldap_user_dn = cn=admin,dc=stdom
        ldap delete dn = no
#       ldap password sync = yes
        ldap ssl = off
#       winbind expand groups = 1
#       winbind trusted domains only = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
The /etc/nsswitch.conf is:
#passwd:         compat
#group:          compat
shadow:         compat
passwd:         winbind files
group:          winbind files
We have tried 'files winbind' too.
Other info:
- getent passwd and getent group seem to list entries from the local
  passwd and group files.
- fs01 is joined to the PDC using net rpc join.
- getent passwd doesn't list the new users.
- wbinfo -u lists all the users in LDAP.
- we are using lib-nss on the PDC to authenticate the users.
- ufw is disabled on both.
Any suggestions?
Regards,
Praveen Ghimire
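A static check of the fs01 [global] settings (the same smb.conf appears in both of Praveen's posts above), as an added example that is not part of this thread and not Samba project code. It only reads smb.conf text; it does not talk to winbind or LDAP. The sample configuration is reconstructed from the posted one with comments removed, and the finding codes are the example's own names. It flags the legacy idmap parameters ('idmap backend', 'ldap idmap suffix') mixed in with 'idmap config' lines, overlapping or missing idmap ranges, 'ldap ssl = off' (which sends the cn=admin bind and the sambaNTPassword hashes that ldapsam reads across the network in clear), the idmap bind account whose password has to be stored in secrets.tdb with 'net idmap set secret' ('net idmap secret' on older releases; the 'ldap admin dn' password goes in with 'smbpasswd -w'), and 'winbind use default domain = yes', which makes winbind hand users to NSS without the 'stdom\' prefix, so resolution is worth testing with the bare name as well as the qualified one used in the chown above.

```python
"""Static checks for the winbind/idmap settings of an NT4-style Samba
domain member.  Added example, not Samba project code; it inspects only
the smb.conf text and talks to neither winbind nor LDAP."""
import re

# Constructed from the fs01 smb.conf posted in the thread (comments dropped).
FS01_SMB_CONF = """
[global]
    workgroup = stdom
    netbios name = fs01
    security = domain
    wins server = 192.168.1.18
    passdb backend = ldapsam:ldap://192.168.1.18
    ldap admin dn = cn=admin,dc=stdom
    ldap suffix = dc=stdom
    idmap backend = ldap
    ldap idmap suffix = ou=idmap
    idmap config * : backend = ldap
    idmap config * : range = 20000-29999
    idmap config * : ldap_url = ldap://192.168.1.18
    idmap config * : ldap_base_dn = ou=idmap,dc=stdom
    idmap config * : ldap_user_dn = cn=admin,dc=stdom
    ldap ssl = off
    winbind use default domain = yes
"""

# Pre-'idmap config' parameters; mixing them with 'idmap config DOM : ...'
# lines leaves it unclear which mapping winbind actually uses.
LEGACY_IDMAP = ("idmap backend", "idmap uid", "idmap gid", "ldap idmap suffix")
IDMAP_KEY = re.compile(r"idmap config (\S+) : (\S+)")


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}.  Keys are lower-cased
    with whitespace runs collapsed, so 'idmap config *  :  range' and
    'idmap config * : range' are the same key.  '#'/';' comment lines are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def idmap_domains(glob):
    """{domain: {param: value}} for every 'idmap config DOMAIN : param' key."""
    doms = {}
    for key, value in glob.items():
        m = IDMAP_KEY.fullmatch(key)
        if m:
            doms.setdefault(m.group(1), {})[m.group(2)] = value
    return doms


def check_member_idmap(conf):
    """Return a list of (code, message) findings for the [global] section.
    The codes are this example's own names, not Samba or testparm output."""
    g = conf.get("global", {})
    out = []
    legacy = [k for k in LEGACY_IDMAP if k in g]
    doms = idmap_domains(g)
    if legacy and doms:
        out.append(("LEGACY_IDMAP_MIX",
                    "legacy %s set alongside 'idmap config' lines" % ", ".join(legacy)))
    if "*" not in doms:
        out.append(("NO_DEFAULT_IDMAP", "no 'idmap config * : ...' block for the default domain"))
    ranges = {}
    for dom, params in doms.items():
        if "range" not in params:
            out.append(("MISSING_RANGE", "idmap config %s has no range" % dom))
            continue
        lo, hi = (int(x) for x in re.split(r"\s*-\s*", params["range"]))
        for other, (olo, ohi) in ranges.items():
            if lo <= ohi and olo <= hi:   # closed intervals intersect
                out.append(("RANGE_OVERLAP", "idmap ranges for %s and %s overlap" % (dom, other)))
        ranges[dom] = (lo, hi)
        if params.get("backend") == "ldap" and "ldap_user_dn" in params:
            out.append(("IDMAP_LDAP_SECRET",
                        "idmap config %s binds as %s; its password lives in secrets.tdb "
                        "(net idmap set secret), not in smb.conf" % (dom, params["ldap_user_dn"])))
    if g.get("ldap ssl", "").lower() == "off":
        out.append(("PLAINTEXT_LDAP",
                    "ldap ssl = off: the %s bind and the password hashes ldapsam reads "
                    "cross the network unencrypted" % g.get("ldap admin dn", "ldap admin dn")))
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        wg = g.get("workgroup", "DOMAIN")
        out.append(("UNQUALIFIED_NAMES",
                    "winbind use default domain = yes: NSS sees users without the '%s\\' "
                    "prefix, so test 'getent passwd <user>' as well as '%s\\<user>'" % (wg, wg)))
    return out


if __name__ == "__main__":
    for code, msg in check_member_idmap(parse_smb_conf(FS01_SMB_CONF)):
        print("%-18s %s" % (code, msg))
```

Run it against the real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); a clean 'idmap config' layout with per-domain, non-overlapping ranges and TLS on the LDAP connection produces no findings.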
On Sun, 8 Apr 2018 05:55:18 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I've gone through the following link about member server and also the
> samba 3 by example and can confirm that nscd is not enabled.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
>
> We are having some issues with LDAP authentication. Here is our setup
>
>
> Any suggestions?
>
Hi, I take it you missed my post yesterday, where I agreed with you that using winbind on a Unix domain member doesn't work for users. You seem to have two options here: file a bug report about the problem and then wait to see if it gets fixed, or do the sensible thing and upgrade to an AD domain.

Rowland
On Mon, 9 Apr 2018 11:17:25 +0000 Praveen Ghimire <PGhimire at sundata.com.au> wrote:
> Hi Rowland,
>
> Will file a bug report even though we are upgrading to AD. Might help
> others. Can you please confirm that it affects any Unix domain member
> server using winbind regardless of tdb/ldap?
>
Never tried it against tdbsam, just ldapsam.

Rowland