You should note that I'm not using ADS, I'm in an NT4 domain. OK, from memory this is what I did. (If anyone can see any errors in this, please let me know!)
First I compiled Samba with the following -

    ./configure --with-winbind --with-pam --with-pam_smbpass --with-included-popt
    make
    make install

I then created these links in /usr/lib, I think I had to copy libnss_winbind.so from samba/sources/nsswitch directory (compile directory) to /usr/lib

    libnss_winbind.so
    libnss_winbind.so.1 -> libnss_winbind.so
    nss_winbind.so.1 -> libnss_winbind.so

After that I dropped in my smb.conf from a Linux machine I had already built with samba 3. Here is what it looks like -

    # Global parameters
    [global]
        workgroup = MYDOMAIN
        server string = SUN001
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        local master = No
        dns proxy = No
        wins server = 192.168.224.25
        ldap suffix = dc=uk,dc=trt,dc=thales
        ldap machine suffix = dc=uk,dc=trt,dc=thales
        ldap user suffix = dc=uk,dc=trt,dc=thales
        ldap group suffix = dc=uk,dc=trt,dc=thales
        ldap idmap suffix = ou=idmap,dc=uk,dc=trt,dc=thales
        ldap admin dn = cn=root,dc=uk,dc=trt,dc=thales
        idmap backend = ldap:ldap://lnxs001
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /mnt/spare/%U
        template shell = /bin/bash
        winbind separator = -
        winbind use default domain = Yes

    [homes]
        comment = Home Directories
        read only = No
        browseable = No

    [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

    [public]
        path = /public
        read only = No
        guest ok = Yes

My LDAP server is a separate Redhat 9.0 machine with OpenLDAP running. Next I ran 'smbpasswd -w xxxxx' where xxxxx is my LDAP admin password, this gives samba write access to your LDAP server.
Then I had to make my samba server a member of my domain -

    net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd

Now I edited nsswitch.conf

    passwd: files winbind
    group: files winbind

Then I created the startup scripts for samba and winbind (don't forget to chmod it to make it executable) -

    #!/sbin/sh
    ##
    ## samba.server
    ##

    if [ ! -d /usr/bin ]
    then
        # /usr not mounted
        exit
    fi

    killproc() {
        # kill the named process(es)
        pid=`/usr/bin/ps -e | /usr/bin/grep -w $1 | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
        [ "$pid" != "" ] && kill $pid
    }

    # Start/stop processes required for Samba server
    case "$1" in
    'start')
        #
        # Edit these lines to suit your installation (paths, workgroup, host)
        #
        echo Starting SMBD
        /usr/local/samba/sbin/smbd -D -d 10 -s /usr/local/samba/lib/smb.conf
        echo Starting NMBD
        /usr/local/samba/sbin/nmbd -D -l /usr/local/samba/var/log -s /usr/local/samba/lib/smb.conf
        echo Starting Winbind Daemon
        /usr/local/samba/sbin/winbindd -B -d 10 -s /usr/local/samba/lib/smb.conf
        ;;
    'stop')
        killproc nmbd
        killproc smbd
        killproc winbindd
        ;;
    *)
        echo "Usage: /etc/init.d/samba.server { start | stop }"
        ;;
    esac

After I started samba up with this script and ran getent it worked. I could type out all of my OpenLDAP config for you too but at this stage it probably isn't very useful to you. What I think you should try first is using a simpler idmap backend first. Make that work and then do the LDAP stuff.

-----Original Message-----
From: Wright, Tim (ANTS) [mailto:[EMAIL PROTECTED]
Sent: 21 January 2004 16:37
To: 'Ganguly, Sapan '
Subject: RE: [Samba] winbind and Solaris 9 with AD

hi

I've been looking at my problem and comparing the Solaris 9 box to a working Linux box. I noticed that if I take the winbind entry out of nsswitch.conf on the linux box then samba will no longer accept connections from users with no unix account or relevant username map. So I'm assuming that if I can get getent working on the Solaris box then the samba authentication problem will be solved as well.
So would you be able to provide me with a step by step of how you built and configured samba/winbind on the host where getent works (including other stuff like kerberos and openldap compiles)? I can't offer much in return but if I can get getent working then I will look at getting logging on to the box working as well (unless of course you've already cracked it yourself).

anyway any help you could give me would be greatly appreciated.

thanks
tim

-----Original Message-----
From: Ganguly, Sapan [mailto:[EMAIL PROTECTED]
Sent: 19 January 2004 13:06
To: 'Unix Service (ANTS)'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] winbind and Solaris 9 with AD

I'm having trouble with this too but getent works for me, I'm not using AD though. Have you edited nsswitch.conf?

    passwd: files winbind
    group: files winbind

I'm stuck on getting logging in working...Sun seems to think there may be some bug with PAM.

-----Original Message-----
From: Unix Service (ANTS) [mailto:[EMAIL PROTECTED]
Sent: 19 January 2004 12:13
To: '[EMAIL PROTECTED]'
Subject: [Samba] winbind and Solaris 9 with AD

Hi

have been trying to get winbind working on Solaris 9 but to no effect.
version info:

    samba: 3.0.0
    openldap: 2.1.23
    kerberos: MIT 1.3.1

Have followed the instructions in every howto, usenet posting I could find:

    nscd not running
    created relevant links in /lib and /lib/security/sparcv9
    applied patch for nsswitch as recommended
    kinit -e works
    net ads join works
    wbinfo -t works
    wbinfo -u gives list of all users in all trusted domains
    getent doesn't work
    samba authentication doesn't work - get the following in winbindd.log:

    [2004/01/19 10:59:27, 5] nsswitch/winbindd_pam.c:(379)
      NTLM CRAP authentication for user [DEV]\[test7] returned NT_STATUS_OK (PAM: 0)
    [2004/01/19 10:59:27, 3] nsswitch/winbindd_acct.c:(875)
      [ 3551]: create_user: user=>(test7), group=>()
    [2004/01/19 10:59:27, 5] nsswitch/winbindd_acct.c:(521)
      wb_getgrnam: Did not find group (nobody)

my smb.conf is:

    workgroup = DEV
    #workgroup = DEV.ANTS.AD.ANPLC.CO.UK
    realm = DEV.ANTS.AD.ANPLC.CO.UK
    security = ADS
    password server = lonsd010.dev.ants.ad.anplc.co.uk
    dns proxy = no
    idmap gid = 70000-80000
    idmap uid = 800000-900000
    winbind cache time = 15
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes
    log level = 9

    [temp]
    path = /tmp
    read list = @users

    [docs]
    path = /var/tmp/samba-3.0.0
    read list = @users

I would appreciate any pointers as to further debugging I could do or possible problems as being able to use winbind to deal with samba authentication would make life a great deal easier.

***************************************************************************
This communication (including any attachments) contains confidential information. If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents. Please notify the sender immediately of the error. Internet communications are not necessarily secure and may be intercepted or changed after they are sent.
Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes. If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication. This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding. Abbey National Treasury Services plc. Registered Office: Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN. Registered in England under Company Registration Number: 2338548. Regulated by the Financial Services Authority (FSA).
***************************************************************************
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
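
Added example, not part of any message in this thread: a shell check for the two name-service switch steps described in the top reply, the winbind entries in nsswitch.conf and the nss_winbind.so.1 link. The function names and the sample tree are constructed for illustration; database names are matched in lowercase only, which is how nsswitch.conf spells them.

```shell
#!/bin/sh
# Added example, not from the thread: checks the nsswitch.conf and NSS link steps.

# Print which of "passwd" and "group" lack the winbind source in the file $1.
# Database names are matched in lowercase only; comments are ignored.
nss_missing_winbind() {
    missing=""
    for db in passwd group; do
        sources=$(sed 's/#.*//' "$1" | grep "^[[:space:]]*$db:" |
                  head -n 1 | cut -d: -f2- | tr '\t' ' ')
        case " $sources " in
            *" winbind "*) ;;
            *) missing="$missing$db " ;;
        esac
    done
    echo "${missing% }"
}

# Succeed only if $1/nss_winbind.so.1 resolves to a readable regular file
# (a dangling symlink fails the check).
nss_module_ok() {
    [ -f "$1/nss_winbind.so.1" ] && [ -r "$1/nss_winbind.so.1" ]
}

# Build a constructed sample tree (hypothetical layout) under directory $1.
# The group line has winbind commented out, so it should be reported.
make_sample() {
    mkdir -p "$1/lib"
    printf 'passwd:\tfiles winbind\ngroup: files # winbind\nhosts: files dns\n' \
        > "$1/nsswitch.conf"
    : > "$1/lib/libnss_winbind.so"
    ln -s libnss_winbind.so "$1/lib/libnss_winbind.so.1"
    ln -s libnss_winbind.so "$1/lib/nss_winbind.so.1"
}

# Run against real paths when two are given, otherwise against the sample.
if [ "$#" -eq 2 ]; then
    conf_path=$1; lib_dir=$2
else
    tmp=$(mktemp -d); make_sample "$tmp"
    conf_path=$tmp/nsswitch.conf; lib_dir=$tmp/lib
fi
m=$(nss_missing_winbind "$conf_path")
[ -z "$m" ] || echo "winbind missing from: $m"
nss_module_ok "$lib_dir" || echo "no usable nss_winbind.so.1 in $lib_dir"
[ -z "${tmp:-}" ] || rm -rf "$tmp"
```

Run it as `sh check_nss.sh /etc/nsswitch.conf /usr/lib` before trying getent; with no arguments it runs against the constructed sample and reports the group line.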