Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

Hi,

I read at least 100 different documentations during the last week and didn't get it. So I decided to ask the list for help :)

Unfortunately we have to move to a Windows 2008 Server ADS in our company as this is required for some other projects. But we want to keep our nice 5+ samba-server providing fast 50TB+ of storage.

So we have to find a way to nicely integrate the storage with the new ADS installed. Therefore I installed a Testlab consisting of 2 debian etch storage-servers with each 12TB lvm-based storage attached. Also we have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some Windows XP 32 and 64 Bit clients as workstations for testing.

Now we set up everything and decided to use samba 3.2.0 as some bugs related to W2k8 server are solved. So I built debian packages from experimental for etch and installed them. Then I set up kerberos and samba using "security = ads". Everything works great. I can get a kerberos ticket with kinit, also I can join the ADS with "net ads join -Uadministrator". I set up /etc/nssswitch to use winbind and I can request user information successfully.

But now I have to set up shared IDMAP for my samba servers to have the same UIDs and GIDs on all machines. As it would be nice to have all that on the ADS server I tried the following for days without success and that is where I need help:

- I installed the "MS Identity Management for Unix"
- I added UID, Homedir, Shell and "Default Group" to the AD User
- I set "Unix Attr" for my groups
- I configured samba as follows:

----- snip -----

[global]
workgroup = TESTLAB
realm = TESTLAB.COMPANY.COM
netbios name = filesrv001
server string = Samba Storage Fileserver 001 (%v)
security = ADS
idmap domains = BUILTIN, TESTLAB
idmap config TESTLAB:backend = ad
idmap config TESTLAB:default = yes
idmap config TESTLAB:schema_mode = rfc2307
idmap config BUILTIN:backend = tdb
idmap config BUILTIN:base_rid = 800
idmap config BUILTIN:range = 800-999
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups = Yes
password server = WIN-RXYDW1KO5DH.testlab.company.com
wins server = WIN-RXYDW1KO5DH.testlab.company.com
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hide unreadable = yes
hide dot files = yes
unix charset = LOCALE
log level = 5

[big_data]
comment = Very Big Share
path = /SERV
browseable = yes
guest ok = no
valid users = "@STGT\entenhausen"
create mask = 660
directory mode = 770
writeable = yes
readonly = no
force group = "STGT\entenhausen"

----- snip -----

- I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
- I deleted the Join on the ADS
- Then I rebooted the Linux-Server, re-joined the ADS
- And I can retrieve the user with getent and it has IT UID

filesrv001:/var/log/samba# getent passwd tic.tic
tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false

- But the default group, the home-dir and the shell are not right
- seems like the values are not retrieved correctly from ADS
- also strange: I set up the second storage with the same configs
- only changed names
- if I retrieve the user-information there
- it looks like this

getent passwd tic.tic
tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false

- so the default-group is changing
- but it's still not the value listed in the ADS

Any ideas on that? Did I get something completely wrong? I'll now take a closer look at the Win 2008 logfiles and I'll check the communication with tcpdump. But I'm mostly stuck and really could need some hints. Or should I try another solution? IDMAP-RID cannot be used as we are planning a "trust domain" setup.

Thank you and best regards

Daniel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
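The symptom in this message (same UID but a different primary GID for tic.tic on the two file servers) can be checked mechanically. The script below is an added example, not part of the original post: it compares saved "getent passwd" output from several hosts against a reference and reports differing uid, gid, home and shell values. The file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Compares saved `getent passwd` output
# from several hosts; file names in the usage line are placeholders.

# passwd_drift REF OTHER...
#   REF   : getent passwd output taken as the reference (one host, or the
#           values entered in AD written out in passwd format)
#   OTHER : getent passwd output saved on the other hosts
# Prints one line per uid/gid/home/shell value that differs from REF, and one
# line per account that a host returns but REF does not contain.
passwd_drift() {
    awk -F: '
        BEGIN {
            n = split("3 4 6 7", col, " ")            # passwd(5) field numbers
            split("uid gid home shell", label, " ")
        }
        FNR == 1  { host++ }                          # a new input file starts
        NF < 7    { next }                            # not a passwd record
        host == 1 {
            for (i = 1; i <= n; i++) ref[$1, i] = $(col[i])
            known[$1] = 1
            next
        }
        !($1 in known) {
            printf "%s: in %s but not in reference\n", $1, FILENAME
            next
        }
        {
            for (i = 1; i <= n; i++)
                if ((ref[$1, i] "") != ($(col[i]) ""))    # compare as strings
                    printf "%s: %s is %s in %s but %s in reference\n", $1, label[i], $(col[i]), FILENAME, ref[$1, i]
        }
    ' "$@"
}

# Usage on real data: sh passwd_drift.sh host1.passwd host2.passwd
if [ "$#" -ge 2 ]; then
    passwd_drift "$@"
fi
```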
|
|
Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

Hi again,

On Fri, 2008-06-27 at 13:31 +0200, Samba-Liste wrote:
> Hi,
>
> I read at least 100 different documentations during the last week and
> didn't get it. So I decided to ask the list for help :)
>

- the problem is solved now. I found this in the logs on linux-side:

log.winbindd: Error loading module '/usr/lib/samba/nss_info/rfc2307.so': /usr/lib/samba/nss_info/rfc2307.so: cannot open shared object file: No such file or directory

- which took me to this message of Jerry Carter:

http://lists.samba.org/archive/samba/2008-April/140030.html

- So I went to /usr/lib/samba
- created the nss_info directory
- in there I made a symbolic link rfc2307.so to ../idmap/ad.so
- restarted samba and winbind and all is fine

I'll contact the maintainer of the debian experimental samba 3.2.0 packages. Maybe he can fix this in the build description.

Jerry, thanks for all your magic posts :)

best regards

Daniel
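The packaging fault found in this message can be detected before winbindd is started. The script below is an added example, not part of the original post and not Samba code: it reads "winbind nss info" from the [global] section of an smb.conf, checks that a matching file exists under the nss_info module directory, and extracts "Error loading module" paths from a winbindd log. The handling of a ":DOMAIN" suffix and the treatment of "template" as built in are assumptions, as is the smb.conf path in the usage comment.

```shell
#!/bin/sh
# Added example, not from the thread: checks that every backend named by
# "winbind nss info" has a loadable module file, and lists module load
# failures recorded in a winbindd log.

# nss_info_backends CONF
#   Print the backends listed for "winbind nss info" in [global], one per line.
nss_info_backends() {
    awk '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[/   {                                # section header
            sec = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)                     # Samba ignores blanks and case in names
            if (key != "winbindnssinfo") next
            n = split(substr($0, index($0, "=") + 1), item, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                sub(/:.*$/, "", item[i])               # assumed optional ":DOMAIN" suffix
                if (item[i] != "") print tolower(item[i])
            }
        }
    ' "$1"
}

# missing_nss_modules CONF MODDIR
#   Print each configured backend with no usable MODDIR/nss_info/<name>.so.
#   [ -e ] follows symlinks, so a dangling link counts as missing.
#   "template" is skipped on the assumption that it is built into winbindd.
missing_nss_modules() {
    nss_info_backends "$1" | while read -r backend; do
        if [ "$backend" != "template" ] && [ ! -e "$2/nss_info/$backend.so" ]; then
            echo "$backend"
        fi
    done
}

# module_load_errors LOG
#   Print the distinct paths from "Error loading module '<path>'" lines.
module_load_errors() {
    sed -n "s/.*Error loading module '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Usage on a real host (module and log paths as in the thread, conf path assumed):
#   sh check_nss_info.sh /etc/samba/smb.conf /usr/lib/samba /var/log/samba/log.winbindd
if [ "$#" -eq 3 ]; then
    missing_nss_modules "$1" "$2" | sed 's/^/missing nss_info module: /'
    module_load_errors "$3" | sed 's/^/winbindd could not load: /'
fi
```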
|
|
Solaris blastwave.org Version 3.0.23b doesn't read new information from /etc/passwd and /etc/group

Hi,

How would I make samba re-read group and user information? Is there a .tdb file that needs to be deleted?

I have recently added more supplementary groups for a user in /etc/group, but the information isn't coming through in the logs, all I get is this:

[2008/06/27 07:51:24, 5] auth/auth_util.c:(474)
  UNIX token of user 11001
  Primary group is 11000 and contains 0 supplementary groups

There should definitely be more than 0 supplementary groups. e.g.

# grep 11001 /etc/passwd
bob:x:11001:11000::/home/bob:/bin/bash
# grep bob /etc/group
everyone_otl::11000:bob
operators_otl::11002:bob
svneditors_otl::11003:bob

Cheers
|
|
Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Hi,

sorry, it's me again:

On Fri, 2008-06-27 at 17:35 +0200, Samba-Liste wrote:
> Hi again,
>
> On Fri, 2008-06-27 at 13:31 +0200, Samba-Liste wrote:
> > Hi,
> >
> > I read at least 100 different documentations during the last week and
> > didn't get it. So I decided to ask the list for help :)
> >
>
> - the problem is solved now. I found this in the logs on linux-side:

- but another problem occurred now
- the setup worked nice yesterday evening until it stopped working
- as I tried a login this morning it didn't work anymore
- if I try a "getent passwd <user>" I get nothing back
- no login via pam_winbind is possible
- But I see a winbind core-dump in the logs:

----- snip -----

[2008/06/28 09:51:02, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2008/06/28 09:51:02, 0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 4897 (3.2.0rc2)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/06/28 09:51:02, 0] lib/fault.c:fault_report(43)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/06/28 09:51:02, 0] lib/fault.c:fault_report(44)
  ===============================================================
[2008/06/28 09:51:02, 0] lib/util.c:smb_panic(1666)
  PANIC (pid 4897): internal error
[2008/06/28 09:51:02, 0] lib/util.c:log_stack_trace(1770)
  BACKTRACE: 19 stack frames:
   #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x815b36c]
   #1 /usr/sbin/winbindd(smb_panic+0x80) [0x815b4a8]
   #2 /usr/sbin/winbindd [0x8145fea]
   #3 [0xb7f13420]
   #4 /usr/lib/samba/nss_info/rfc2307.so [0xb787f8e9]
   #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x83d30e0]
   #6 /usr/sbin/winbindd(nss_get_info_cached+0x180) [0x80a67a5]
   #7 /usr/sbin/winbindd [0x80c40d4]
   #8 /usr/sbin/winbindd [0x80a820e]
   #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x8098372]
   #10 /usr/sbin/winbindd [0x80c89c5]
   #11 /usr/sbin/winbindd(async_request+0x1b2) [0x80c9fb3]
   #12 /usr/sbin/winbindd(init_child_connection+0x2bd) [0x809fa85]
   #13 /usr/sbin/winbindd(async_domain_request+0x139) [0x80ca23c]
   #14 /usr/sbin/winbindd [0x809fcfb]
   #15 /usr/sbin/winbindd(rescan_trusted_domains+0x49) [0x80a00f9]
   #16 /usr/sbin/winbindd(main+0xe00) [0x8095464]
   #17 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c72ea8]
   #18 /usr/sbin/winbindd [0x8092e11]
[2008/06/28 09:51:02, 0] lib/fault.c:dump_core(201)
  dumping core in /var/log/samba/cores/winbindd

----- snip -----

- I then did a "wbinfo -u" and "wbinfo -g"
- both worked normally
- afterwards "getent passwd <user>" and pam-login worked again
- but only for a few minutes then the same happened again

----- snip -----

[2008/06/28 09:59:35, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2008/06/28 09:59:35, 0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 5265 (3.2.0rc2)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/06/28 09:59:35, 0] lib/fault.c:fault_report(43)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/06/28 09:59:35, 0] lib/fault.c:fault_report(44)
  ===============================================================
[2008/06/28 09:59:35, 0] lib/util.c:smb_panic(1666)
  PANIC (pid 5265): internal error
[2008/06/28 09:59:35, 0] lib/util.c:log_stack_trace(1770)
  BACKTRACE: 22 stack frames:
   #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x815b36c]
   #1 /usr/sbin/winbindd(smb_panic+0x80) [0x815b4a8]
   #2 /usr/sbin/winbindd [0x8145fea]
   #3 [0xb7f13420]
   #4 /usr/lib/samba/nss_info/rfc2307.so [0xb785e8e9]
   #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x83d30e0]
   #6 /usr/sbin/winbindd(nss_get_info_cached+0x180) [0x80a67a5]
   #7 /usr/sbin/winbindd [0x80c40d4]
   #8 /usr/sbin/winbindd [0x80a820e]
   #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x8098372]
   #10 /usr/sbin/winbindd [0x80c89c5]
   #11 /usr/sbin/winbindd(async_request+0x1b2) [0x80c9fb3]
   #12 /usr/sbin/winbindd(async_domain_request+0x57) [0x80ca15a]
   #13 /usr/sbin/winbindd(do_async_domain+0x14e) [0x80cbfb6]
   #14 /usr/sbin/winbindd(winbindd_lookupname_async+0x29d) [0x80ccdf7]
   #15 /usr/sbin/winbindd(winbindd_getpwnam+0x37f) [0x8098044]
   #16 /usr/sbin/winbindd [0x8093b22]
   #17 /usr/sbin/winbindd [0x8093c39]
   #18 /usr/sbin/winbindd [0x8094598]
   #19 /usr/sbin/winbindd(main+0x1035) [0x8095699]
   #20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c72ea8]
   #21 /usr/sbin/winbindd [0x8092e11]
[2008/06/28 09:59:35, 0] lib/fault.c:dump_core(201)

----- snip -----

- there's also this error in the logs I don't understand
- but it seems not to be directly related to the core dump

----- snip -----

[2008/06/28 09:56:11, 1] libsmb/clientgen.c:cli_rpc_pipe_close(554)
  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x400d to machine WIN-6P6G74VAOZ7.testlab.company.com. Error was SUCCESS - 0
[2008/06/28 09:56:11, 1] libsmb/clientgen.c:cli_rpc_pipe_close(554)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x400b to machine WIN-6P6G74VAOZ7.testlab.company.com. Error was SUCCESS - 0
[2008/06/28 09:56:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(666)
  ads_krb5_mk_req: krb5_get_credentials failed for WIN-6P6G74VAOZ7 $@TESTLAB (Cannot resolve network address for KDC in requested realm)
[2008/06/28 09:56:11, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm

----- snip -----

- Here comes my final smb.conf

----- snip -----

[global]
workgroup = TESTLAB
realm = TESTLAB.COMPANY.COM
netbios name = filesrv001
server string = Samba Storage Fileserver 001 (%v)
security = ADS
idmap domains = BUILTIN, TESTLAB
idmap config TESTLAB:backend = ad
idmap config TESTLAB:default = yes
idmap config TESTLAB:schema_mode = rfc2307
idmap config TESTLAB:base_rid = 10000
idmap config TESTLAB:range = 10000-100000
idmap config BUILTIN:backend = tdb
idmap config BUILTIN:base_rid = 800
idmap config BUILTIN:range = 800-999
idmap uid = 800-100000
idmap gid = 800-100000
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups = Yes
winbind offline logon = yes
password server = WIN-6P6G74VAOZ7.TESTLAB.COMPANY.COM
wins server = WIN-6P6G74VAOZ7.TESTLAB.COMPANY.COM
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hide unreadable = yes
hide dot files = yes
unix charset = LOCALE
log level = 1
log file = /var/log/samba/log.%m

[big_data]
comment = Very Big Share
path = /SERV
browseable = yes
guest ok = no
valid users = "@TESTLAB\entenhausen"
create mask = 660
directory mode = 770
writeable = yes
readonly = no
force group = "TESTLAB\entenhausen"

----- snip -----

- Any ideas what I can do now?
- should I post more information as my pam.d files?
- Is this a config issue or should I open a bug report?

best regards

Daniel
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Samba-Liste wrote:
> Hi,
>
> sorry, it's me again:
>
> On Fri, 2008-06-27 at 17:35 +0200, Samba-Liste wrote:
>> Hi again,
>>
>> On Fri, 2008-06-27 at 13:31 +0200, Samba-Liste wrote:
>>> Hi,
>>>
>>> I read at least 100 different documentations during the last week and
>>> didn't get it. So I decided to ask the list for help :)
>>
>> - the problem is solved now. I found this in the logs on linux-side:
>
> - but another problem occurred now
> - the setup worked nice yesterday evening until it stopped working
> - as I tried a login this morning it didn't work anymore
> - if I try a "getent passwd <user>" I get nothing back
> - no login via pam_winbind is possible
> - But I see a winbind core-dump in the logs:
>
> ----- snip -----
>
> [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(40)
>   ===============================================================
> [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(41)
>   INTERNAL ERROR: Signal 11 in pid 4897 (3.2.0rc2)
>   Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(43)
>   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(44)
>   ===============================================================
> [2008/06/28 09:51:02, 0] lib/util.c:smb_panic(1666)
>   PANIC (pid 4897): internal error
> [2008/06/28 09:51:02, 0] lib/util.c:log_stack_trace(1770)
>   BACKTRACE: 19 stack frames:
>    #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x815b36c]
>    #1 /usr/sbin/winbindd(smb_panic+0x80) [0x815b4a8]
>    #2 /usr/sbin/winbindd [0x8145fea]
>    #3 [0xb7f13420]
>    #4 /usr/lib/samba/nss_info/rfc2307.so [0xb787f8e9]
>    #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x83d30e0]
>    #6 /usr/sbin/winbindd(nss_get_info_cached+0x180) [0x80a67a5]
>    #7 /usr/sbin/winbindd [0x80c40d4]
>    #8 /usr/sbin/winbindd [0x80a820e]
>    #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x8098372]
>    #10 /usr/sbin/winbindd [0x80c89c5]
>    #11 /usr/sbin/winbindd(async_request+0x1b2) [0x80c9fb3]
>    #12 /usr/sbin/winbindd(init_child_connection+0x2bd) [0x809fa85]
>    #13 /usr/sbin/winbindd(async_domain_request+0x139) [0x80ca23c]
>    #14 /usr/sbin/winbindd [0x809fcfb]
>    #15 /usr/sbin/winbindd(rescan_trusted_domains+0x49) [0x80a00f9]
>    #16 /usr/sbin/winbindd(main+0xe00) [0x8095464]
>    #17 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c72ea8]
>    #18 /usr/sbin/winbindd [0x8092e11]
> [2008/06/28 09:51:02, 0] lib/fault.c:dump_core(201)
>   dumping core in /var/log/samba/cores/winbindd
>
> ----- snip -----
>
> - I then did a "wbinfo -u" and "wbinfo -g"
> - both worked normally
> - afterwards "getent passwd <user>" and pam-login worked again
> - but only for a few minutes then the same happened again
>
> ----- snip -----
>
> [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(40)
>   ===============================================================
> [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(41)
>   INTERNAL ERROR: Signal 11 in pid 5265 (3.2.0rc2)
>   Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(43)
>   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(44)
>   ===============================================================
> [2008/06/28 09:59:35, 0] lib/util.c:smb_panic(1666)
>   PANIC (pid 5265): internal error
> [2008/06/28 09:59:35, 0] lib/util.c:log_stack_trace(1770)
>   BACKTRACE: 22 stack frames:
>    #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x815b36c]
>    #1 /usr/sbin/winbindd(smb_panic+0x80) [0x815b4a8]
>    #2 /usr/sbin/winbindd [0x8145fea]
>    #3 [0xb7f13420]
>    #4 /usr/lib/samba/nss_info/rfc2307.so [0xb785e8e9]
>    #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x83d30e0]
>    #6 /usr/sbin/winbindd(nss_get_info_cached+0x180) [0x80a67a5]
>    #7 /usr/sbin/winbindd [0x80c40d4]
>    #8 /usr/sbin/winbindd [0x80a820e]
>    #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x8098372]
>    #10 /usr/sbin/winbindd [0x80c89c5]
>    #11 /usr/sbin/winbindd(async_request+0x1b2) [0x80c9fb3]
>    #12 /usr/sbin/winbindd(async_domain_request+0x57) [0x80ca15a]
>    #13 /usr/sbin/winbindd(do_async_domain+0x14e) [0x80cbfb6]
>    #14 /usr/sbin/winbindd(winbindd_lookupname_async+0x29d) [0x80ccdf7]
>    #15 /usr/sbin/winbindd(winbindd_getpwnam+0x37f) [0x8098044]
>    #16 /usr/sbin/winbindd [0x8093b22]
>    #17 /usr/sbin/winbindd [0x8093c39]
>    #18 /usr/sbin/winbindd [0x8094598]
>    #19 /usr/sbin/winbindd(main+0x1035) [0x8095699]
>    #20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c72ea8]
>    #21 /usr/sbin/winbindd [0x8092e11]
> [2008/06/28 09:59:35, 0] lib/fault.c:dump_core(201)
>
> ----- snip -----
>
> - there's also this error in the logs I don't understand
> - but it seems not to be directly related to the core dump
>
> ----- snip -----
>
> [2008/06/28 09:56:11, 1] libsmb/clientgen.c:cli_rpc_pipe_close(554)
>   cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x400d to machine WIN-6P6G74VAOZ7.testlab.company.com. Error was SUCCESS - 0
> [2008/06/28 09:56:11, 1] libsmb/clientgen.c:cli_rpc_pipe_close(554)
>   cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x400b to machine WIN-6P6G74VAOZ7.testlab.company.com. Error was SUCCESS - 0
> [2008/06/28 09:56:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(666)
>   ads_krb5_mk_req: krb5_get_credentials failed for WIN-6P6G74VAOZ7 $@TESTLAB (Cannot resolve network address for KDC in requested realm)
> [2008/06/28 09:56:11, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
>
> ----- snip -----
>
> - Here comes my final smb.conf
>
> ----- snip -----
>
> [global]
> workgroup = TESTLAB
> realm = TESTLAB.COMPANY.COM
> netbios name = filesrv001
> server string = Samba Storage Fileserver 001 (%v)
> security = ADS
> idmap domains = BUILTIN, TESTLAB
> idmap config TESTLAB:backend = ad
> idmap config TESTLAB:default = yes
> idmap config TESTLAB:schema_mode = rfc2307
> idmap config TESTLAB:base_rid = 10000
> idmap config TESTLAB:range = 10000-100000
> idmap config BUILTIN:backend = tdb
> idmap config BUILTIN:base_rid = 800
> idmap config BUILTIN:range = 800-999
> idmap uid = 800-100000
> idmap gid = 800-100000
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind nested groups = Yes
> winbind offline logon = yes
> password server = WIN-6P6G74VAOZ7.TESTLAB.COMPANY.COM
> wins server = WIN-6P6G74VAOZ7.TESTLAB.COMPANY.COM
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> hide unreadable = yes
> hide dot files = yes
> unix charset = LOCALE
> log level = 1
> log file = /var/log/samba/log.%m
>
> [big_data]
> comment = Very Big Share
> path = /SERV
> browseable = yes
> guest ok = no
> valid users = "@TESTLAB\entenhausen"
> create mask = 660
> directory mode = 770
> writeable = yes
> readonly = no
> force group = "TESTLAB\entenhausen"
>
> ----- snip -----
>
> - Any ideas what I can do now?
> - should I post more information as my pam.d files?
> - Is this a config issue or should I open a bug report?
>
> best regards
>
> Daniel

nsswitch.conf? I found that to be the best way to interface the LDAP backend in my case. I tried the pam route, but since Slackware does not ship with it, I found the nss_ldap module to be the path of least resistance. It's worth a shot if you have troubles with PAM modules, but it won't allow syncing of *nix and Windows passwords, IIRC. nss_ldap is available from PADL.
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Hi Scott,

thanks for the reply.

On Sat, 2008-06-28 at 05:39 -0400, Scott Lovenberg wrote:
> Samba-Liste wrote:
> > Hi,

[...]

> Have you tried using the 'nss_ldap' with the entry 'ldap' in your
> nsswitch.conf? I found that to be the best way to interface the LDAP
> backend in my case. I tried the pam route, but since Slackware does

that's how we do it right now as we have a Samba-LDAP-PDC. But didn't get it working against my new Windows 2008 ADS server. Can you provide sample configurations for nss_ldap to connect to an ADS server?

thank you and best regards

Daniel
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Samba-Liste wrote:
> Hi Scott,
>
> thanks for the reply.
>
> On Sat, 2008-06-28 at 05:39 -0400, Scott Lovenberg wrote:
>> Samba-Liste wrote:
>>> Hi,
>
> [...]
>
>> Have you tried using the 'nss_ldap' with the entry 'ldap' in your
>> nsswitch.conf? I found that to be the best way to interface the LDAP
>> backend in my case. I tried the pam route, but since Slackware does
>
> that's how we do it right now as we have a Samba-LDAP-PDC. But didn't
> get it working against my new Windows 2008 ADS server. Can you provide
> sample configurations for nss_ldap to connect to an ADS server?
>
> thank you and best regards
>
> Daniel

This is off the top of my head (as my official Samba book is at home and I'm at work), but, all you should need is the nss_ldap module and the following lines in your /etc/nsswitch.conf:

[...]
passwd: files ldap winbind compat
shadow: files ldap winbind compat
group: files ldap winbind compat
[...]

This should enable getent passwd. IIRC, there are no dependencies for nss_ldap, it just needs to be compiled. At least on Slackware, as always, check with your upstream provider before compiling your own.
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Scott Lovenberg wrote:
> Samba-Liste wrote:
>> Hi Scott,
>>
>> thanks for the reply.
>>
>> On Sat, 2008-06-28 at 05:39 -0400, Scott Lovenberg wrote:
>>> Samba-Liste wrote:
>>>> Hi,
>>
>> [...]
>>
>>> Have you tried using the 'nss_ldap' with the entry 'ldap' in your
>>> nsswitch.conf? I found that to be the best way to interface the LDAP
>>> backend in my case. I tried the pam route, but since Slackware does
>>
>> that's how we do it right now as we have a Samba-LDAP-PDC. But didn't
>> get it working against my new Windows 2008 ADS server. Can you provide
>> sample configurations for nss_ldap to connect to an ADS server?
>>
>> thank you and best regards
>>
>> Daniel
>
> Sorry for the delay, I think I jumbled my email boxes :)
>
> This is off the top of my head (as my official Samba book is at home
> and I'm at work), but, all you should need is the nss_ldap module and
> the following lines in your /etc/nsswitch.conf:
> [...]
> passwd: files ldap winbind compat
> shadow: files ldap winbind compat
> group: files ldap winbind compat
> [...]
>
> This should enable getent passwd. IIRC, there are no dependencies for
> nss_ldap, it just needs to be compiled. At least on Slackware, as
> always, check with your upstream provider before compiling your own.

sure that everything was compiled with the same libraries? Also, can you verify that ldap_nss was compiled with the "--enable-rfc2307bis" flag? Something isn't adding up. I fear I've missed something here. I was taking the missing nss directory to mean that you didn't have the correct nss modules installed, but I think you've just stumped me.

Does anyone more qualified than myself have a feeling one way or the other on this? The fact that the library wasn't symlinked disturbs me a bit. Could this be conflicting libraries from different compiles?
|
|
Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

Hi,

Did you try using nis instead of winbind? I'm saying that because you are using MS Identity Management for Unix and this provides a nis server. This would provide you the same UIDs and GIDs on all machines.

Marcos.

--- On Fri, 27/6/08, Samba-Liste <samba@...> wrote:

> From: Samba-Liste <samba@...>
> Subject: [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
> To: "samba" <samba@...>
> Date: Friday, 27 June 2008, 8:31
>
> Hi,
>
> I read at least 100 different documentations during the last week and
> didn't get it. So I decided to ask the list for help :)
>
> Unfortunately we have to move to a Windows 2008 Server ADS in our
> company as this is required for some other projects. But we want to
> keep our nice 5+ samba-server providing fast 50TB+ of storage.
>
> So we have to find a way to nicely integrate the storage with the new
> ADS installed. Therefore I installed a Testlab consisting of 2 debian
> etch storage-servers with each 12TB lvm-based storage attached. Also we
> have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some Windows
> XP 32 and 64 Bit clients as workstations for testing.
>
> Now we set up everything and decided to use samba 3.2.0 as some
> bugs related to W2k8 server are solved. So I built debian packages from
> experimental for etch and installed them. Then I set up kerberos and
> samba using "security = ads". Everything works great. I can get a
> kerberos ticket with kinit, also I can join the ADS with "net ads join
> -Uadministrator". I set up /etc/nssswitch to use winbind and I can
> request user information successfully.
>
> But now I have to set up shared IDMAP for my samba servers to have the
> same UIDs and GIDs on all machines. As it would be nice to have all that
> on the ADS server I tried the following for days without success and
> that is where I need help:
>
> - I installed the "MS Identity Management for Unix"
> - I added UID, Homedir, Shell and "Default Group" to the AD User
> - I set "Unix Attr" for my groups
> - I configured samba as follows:
>
> ----- snip -----
>
> [global]
> workgroup = TESTLAB
> realm = TESTLAB.COMPANY.COM
> netbios name = filesrv001
> server string = Samba Storage Fileserver 001 (%v)
> security = ADS
> idmap domains = BUILTIN, TESTLAB
> idmap config TESTLAB:backend = ad
> idmap config TESTLAB:default = yes
> idmap config TESTLAB:schema_mode = rfc2307
> idmap config BUILTIN:backend = tdb
> idmap config BUILTIN:base_rid = 800
> idmap config BUILTIN:range = 800-999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind nested groups = Yes
> password server = WIN-RXYDW1KO5DH.testlab.company.com
> wins server = WIN-RXYDW1KO5DH.testlab.company.com
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> hide unreadable = yes
> hide dot files = yes
> unix charset = LOCALE
> log level = 5
>
> [big_data]
> comment = Very Big Share
> path = /SERV
> browseable = yes
> guest ok = no
> valid users = "@STGT\entenhausen"
> create mask = 660
> directory mode = 770
> writeable = yes
> readonly = no
> force group = "STGT\entenhausen"
>
> ----- snip -----
>
> - I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
> - I deleted the Join on the ADS
> - Then I rebooted the Linux-Server, re-joined the ADS
> - And I can retrieve the user with getent and it has IT UID
>
> filesrv001:/var/log/samba# getent passwd tic.tic
> tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false
>
> - But the default group, the home-dir and the shell are not right
> - seems like the values are not retrieved correctly from ADS
> - also strange: I set up the second storage with the same configs
> - only changed names
> - if I retrieve the user-information there
> - it looks like this
>
> getent passwd tic.tic
> tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false
>
> - so the default-group is changing
> - but it's still not the value listed in the ADS
>
> Any ideas on that? Did I get something completely wrong? I'll now take a
> closer look at the Win 2008 logfiles and I'll check the communication
> with tcpdump. But I'm mostly stuck and really could need some hints.
> Or should I try another solution? IDMAP-RID cannot be used as we are
> planning a "trust domain" setup.
>
> Thank you and best regards
>
> Daniel
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Hi again,

On Sat, 2008-06-28 at 10:21 +0200, Samba-Liste wrote:
> Hi,
>
> sorry, it's me again:

I'm now using the 3.0.30-21 Samba from SerNET and disabled "winbind offline logon" in my setup. Since then I didn't get any more coredumps. If I enable "winbind offline logon" I still get random coredumps. At the moment I don't really need the feature. Should I anyhow provide more information on that?

But I also had to add the symlinks in /usr/lib/samba/nss_info again for the SerNET packages. Therefore my question:

Is it a "supported configuration" providing IDMAP information directly on a Windows 2008 AD server with "Identity Service for Unix" running? Using winbind and rfc2307? I was wondering because a lot of packages seem to lack nss_info dir and not many seem to miss it :)

I would really like to push this into production as I have all the ID stuff in one place (ADS) using one system (winbind/samba) for getting it into the unix world. But I need to be sure that this is a "supported configuration" which will be looked after in the ongoing development of samba. If not, what configuration is the recommended one in the scenario described earlier in this thread?

thank you and best regards

Daniel
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Hi Daniel,

On Fri, Jul 04, 2008 at 12:40:42PM +0200, Samba-Liste wrote:
> But I also had to add the symlinks in /usr/lib/samba/nss_info again for
> the SerNET packages. Therefore my question:

that was a bug in the SerNet Samba packages for Debian. It is fixed with 3.0.30-22 available at [1] meanwhile.

Please contact samba@... if you discover any packaging issues with our Samba packages. Thank you very much!

[1] ftp://ftp.sernet.de/pub/samba/recent/debian/dists/

Cheers,
Karolin

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

Hi,

On Fri, 2008-07-04 at 12:40 +0200, Samba-Liste wrote:
> Hi again,
>

[...]

> Is it a "supported configuration" providing IDMAP information directly
> on a Windows 2008 AD server with "Identity Service for Unix" running?
> Using winbind and rfc2307? I was wondering because a lot of packages
> seem to lack nss_info dir and not many seem to miss it :)
>
> I would really like to push this into production as I have all the ID
> stuff in one place (ADS) using one system (winbind/samba) for getting it
> into the unix world. But I need to be sure that this is a "supported
> configuration" which will be looked after in the ongoing development of
> samba. If not, what configuration is the recommended one in the scenario
> described earlier in this thread?

Sorry for asking again :( Even after testing for two weeks without extensive problems I'm still unsure if the above solution is a good one.

Any comments on that?

Thank You and best regards

Daniel
|
|
Re: Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

On Wed, Jul 16, 2008 at 10:28:09PM +0200, Samba-Liste wrote:
> Hi,
>
> On Fri, 2008-07-04 at 12:40 +0200, Samba-Liste wrote:
> > Hi again,
> >
>
> [...]
>
> > Is it a "supported configuration" providing IDMAP information directly
> > on a Windows 2008 AD server with "Identity Service for Unix" running?
> > Using winbind and rfc2307? I was wondering because a lot of packages
> > seem to lack nss_info dir and not many seem to miss it :)
> >
> > I would really like to push this into production as I have all the ID
> > stuff in one place (ADS) using one system (winbind/samba) for getting it
> > into the unix world. But I need to be sure that this is a "supported
> > configuration" which will be looked after in the ongoing development of
> > samba. If not, what configuration is the recommended one in the scenario
> > described earlier in this thread?
>
> Sorry for asking again :( Even after testing for two weeks without extensive
> problems I'm still unsure if the above solution is a good one.
>
> Any comments on that?

you can make use of the SFU info stored in AD? Sure, this should work. It might be hairy to set up (I'm right now in the process of trying to simplify the setup), but that definitely sounds like a supported config.

Volker