Then it sounds like you need the AD integration. If the users also log in to the Linux workstation directly (or via ssh) then you will need to configure winbind and nsswitch to support unix logins.

Why does nsswitch.conf include ldap? Is this the only linux/unix machine? Are local users in ldap or /etc/passwd?

What version of samba?   What version of linux?

Ideally "getent passwd" would show something like



ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/tcsh

or

SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash



I don't think you need a huge amount of AD experience to make this work but I think you have to have a general understanding of what Windows domains are about.

You should also review the smb.conf man page for the section on idmap_ad.





On 09/30/2010 09:24 AM, Ben George wrote:


Thanks for your reply..

yes my client told me like this that's Y..and the manager gave that work to newly joined me.. :(

i don't have any AD and core unix experience..i have only experience in linux.not much

may this project will affect my job..  :(

my nsswitch.conf

passwd:     files ldap winbind
group:      files ldap winbind
hosts:      dns files
ipnodes:    dns files


"*nsswitch+winbind (which I do) or the smb pam module*"..? :(

i don't know..my client's need is he has a linux machine..also an ADS..from the unix machine, he wants to share secure folders to the AD users..so each user can only access that particular shared folder..when the password of user changed in AD, that will affect to the smbpassword...means without changing that particular user's smb password in the unix machine..

for this need which method is useful..from your experience

"*Does "getent passwd" show the windows users?*"

please check the output ..i think getent password only shows unix system password

bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh


"you already have a "unix" ben and a "ADS" ben defined?"

Yes I defined the ben user in Unix and ADS...because I don't have much knowledge about that, sorry

Hope u will help me
Thanks
Ben.T.George


On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:


    disclaimer: I don't use Samba as an ADS member server.  I use
    samba as PDC with trusts to an ADS domain.  So my observations may
    not be valid.

    Did you try updating nsswitch.conf


       passwd:     files winbind
       group:    files winbind


    If you are using a Windows domain and have a user defined in the
    domain, you generally don't want to add the user as a local user.
      Since the underlying unix OS needs to know about the domain
    users you need to either use nsswitch+winbind (which I do) or the
    smb pam module (which I don't use, and not sure if it really is
    the correct approach.)

    If you use nsswitch.conf+winbind you can then also OPTIONALLY
    allow "windows" users "unix" access like ssh.    My samba server
    is a PDC-  I have a domain trust with windows domains BUT  the
    default shell is "/bin/false."    (It is still a little flaky...)

    Does "getent passwd" show the windows users?   It should show
    something like

    ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false

    or

    SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false



    It looks like you already have a "unix" ben and a "ADS" ben defined?

    "wbinfo -s" and "wbinfo -n" are also useful for making sure that
    the name-to-sid and sid-to-name mappings are correct for domain users.

