Hi,

On 15 June 2011 18:56, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> On the BDC, does "pdbedit -L" show you all your domain users?
> On the BDC, does "getent passwd" show you all your users?

The output from pdbedit shows all the domain users but getent passwd
only shows the user in passwd.

>
> I use ldap for both samba and unix backends, so "pdbedit -Lv" and "getent
> passwd" show me the same output for my domain users and local unix users.
> I don't need to use winbind/idmap to keep unix uid's and gid's consistent.

I installed winbind but have turned it off.

>
>
> On the BDC, did you ever join the domain? ("net join....")

Yes, several times. Do you have any ideas why the `getent` isn't working?
The nsswitch.conf is below.

Thanks,
Dermot

passwd:     ldap files
group:      ldap files
shadow:     files
#hosts:     db files nisplus nis dns
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

>
> On 06/15/2011 01:09 PM, Dermot wrote:
>>
>> Hi,
>>
>> I could use some confirmation on my approach to configuring my BDC. I
>> want the user to be able to access shares on the BDC and have their
>> domain credentials stamped on any files they create. I do not want to
>> add domain users to the /etc/passwd file. At the moment users can
>> authenticate onto the domain but once they try and access a share on
>> the BDC, these XP users get a dialogue box asking for a login. The log
>> for the machine reads:
>>
>> [2011/06/15 17:07:11.827697, 1]
>> auth/auth_util.c:580(make_server_info_sam)
>> User djohn in passdb, but getpwnam() fails!
>> [2011/06/15 17:07:11.827841, 0] auth/auth_sam.c:493(check_sam_security)
>> check_sam_security: make_server_info_sam() failed with
>> 'NT_STATUS_NO_SUCH_USER'
>> [2011/06/15 17:07:11.834014, 1]
>> auth/auth_util.c:580(make_server_info_sam)
>> User djohn in passdb, but getpwnam() fails!
>> [2011/06/15 17:07:11.834088, 0] auth/auth_sam.c:493(check_sam_security)
>> check_sam_security: make_server_info_sam() failed with
>> 'NT_STATUS_NO_SUCH_USER'
>>
>> At the same time on the ldap master (PDC) I see a search request
>> arrive for the same user and a successful response:
>>
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH
>> base="dc=example,dc=com" scope=2 deref=0
>> filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid
>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
>> sambaProfilePath description sambaUserWorkstations sambaSID
>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
>> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
>> sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory
>> loginShell gecos
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)
>>
>> The odd thing is this BDC is also in a replication system with the PDC
>> so it shouldn't need to forward the query.
>>
>> I thought that if I had added ldap to the nsswitch.conf for the passwd
>> and group items, then ldap would be used when the domain users failed
>> to be retrieved from the passwd file.
>>
>> The bigger confusion is around the configuration. Should I be able to
>> use an ldap backend and get the domain user's credentials when they
>> access a share?
>>
>> I have tried to follow the instructions from
>> http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The
>> PAM section doesn't match my distro and I don't see any mention of
>> ldap in /etc/security/*
>>
>> Can anyone help iron out some of the creases in my set-up?
>> Thanks,
>> Dermot.
>>
>>
>>
>> ==== BDC conf =====
>>
>> [global]
>> unix charset = LOCALE
>> workgroup = MINE
>> server string = SMB Server
>> netbios name = antares
>> security = user # tried this as domain but it still fails
>> # hosts allow =
>>
>> load printers = no
>> ; printcap name = /etc/printcap
>> ; printcap name = lpstat
>> ; printing = cups
>> cups options = raw
>> ; guest account = pcguest
>> log file = /var/log/samba/%m.log
>> log level = 1
>> syslog = 0
>> max log size = 50
>> name resolve order = wins bcast hosts
>> printcap name = CUPS
>> show add printer wizard = no
>> domain master = no
>> # passdb backend = ldapsam:ldap://127.0.0.1
>> passdb backend = ldapsam:"ldap://127.0.0.1:389 ldap://rigel.example.com:389"
>> ldap passwd sync = yes
>> ldapsam:trusted = yes
>> ldapsam:editposix = yes
>> domain logons = yes
>> os level = 63
>> logon script = login.bat
>> logon path =
>> wins server = rigel.example.com
>> ldap ssl = off
>> client ldap sasl wrapping = plain
>> ldap suffix = dc=example,dc=com
>> ldap machine suffix = ou=Computers, ou=Users
>> ldap user suffix = ou=Users
>> ldap group suffix = ou=Group
>> ldap idmap suffix = ou=idmap
>> ldap admin dn = cn=admin,dc=example,dc=com
>> utmp = Yes
>> idmap backend = ldap://rigel.example.com
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
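
Added example, not part of the original message and not Samba code: a small triage script for the "in passdb, but getpwnam() fails!" error quoted above. It pulls the affected account names out of an smbd log, lists the NSS sources configured for a database in nsswitch.conf, and repeats the getpwnam() lookup through Python's pwd module. The sample inputs are copied from the message; the function names are made up for this example.

```python
"""Added example: triage for smbd's "in passdb, but getpwnam() fails!" error."""
import pwd
import re

# Sample inputs taken from the log excerpt and nsswitch.conf in the message.
SAMPLE_LOG = """\
[2011/06/15 17:07:11.827697, 1] auth/auth_util.c:580(make_server_info_sam)
  User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.827841, 0] auth/auth_sam.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2011/06/15 17:07:11.834014, 1] auth/auth_util.c:580(make_server_info_sam)
  User djohn in passdb, but getpwnam() fails!
"""
SAMPLE_NSSWITCH = """\
passwd: ldap files
group: ldap files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
"""

FAIL_RE = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")


def users_failing_getpwnam(log_text):
    """Sorted, de-duplicated accounts smbd found in passdb but could not map to Unix."""
    return sorted(set(FAIL_RE.findall(log_text)))


def nss_sources(nsswitch_text, database="passwd"):
    """Ordered NSS sources for one database; comments and [STATUS=action] are dropped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return spec.split()
    return []


def nss_resolves(username):
    """True if the local NSS stack returns a passwd entry for this name."""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print("passwd sources:", nss_sources(SAMPLE_NSSWITCH))
    for user in users_failing_getpwnam(SAMPLE_LOG):
        print(user, "resolves" if nss_resolves(user) else "does NOT resolve", "via NSS")
```

On the server itself, feed the functions the real log file (the message's smb.conf sets it to /var/log/samba/%m.log) and /etc/nsswitch.conf instead of the embedded samples.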