if you're running winbindd there's no need to run nscd.
it's a common problem and you should really avoid using it, unless you have a real reason.

disable it and run id again

greez

Nir Barkan wrote:
Nscd is running

This is my nsswitch.conf:

# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files winbind nis
group:      files winbind nis

# consult /etc "files" only if nis is down.
hosts:      files nis dns
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:    nis [NOTFOUND=return] files

networks:   nis [NOTFOUND=return] files
protocols:  nis [NOTFOUND=return] files
rpc:        nis [NOTFOUND=return] files
ethers:     nis [NOTFOUND=return] files
netmasks:   nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey:  nis [NOTFOUND=return] files

netgroup:   nis

automount:  files nis
aliases:    files nis

# for efficient getservbyname() avoid nis
services:   files nis
sendmailvars:   files
printers:       user files nis

auth_attr:  files nis
prof_attr:  files nis
project:    files nis
project:    files nis

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 4:06 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

 > When running the id command, nothing written on the winbind debug
looks like a prob with NSS and winbindd...
what does your nsswitch.conf look like?
do you use nscd?

greez

Nir Barkan wrote:
id EU15\\test1

gives:

id: invalid user name: "EU15\test1"

When running the id command, nothing written on the winbind debug

Nir

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 2:31 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

looks good, but the log isn't very informative.

what does "id EU15\\test1" on the member server say now?
winbindd has to allocate an uidnumber for this user.

greez



Nir Barkan wrote:
Now I don't have idmap errors, but the user from the trusted domain still
can't connect, this is what the debug logs when the user from the trusted
domain tries to connect:

Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: domain_info [EU15]
[ 8520]: Get DC name for EU15
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=122)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind request returned ok.
rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind request returned ok.
lsa_io_sec_qos: length c does not match size 8
[    0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: domain_info [EU15]
[    0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: domain_info [EU15]
[    0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: domain_info [EU15]
[    0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[    0]: domain_info [EU15]
[    0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 1:19 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

for trusted domains to work you have to use either tdbsam or ldap backend. don't know whether ad works, though.

this should work for you:
#       idmap backend =         # please comment out for tdbsam
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        # your choice
        winbind use default domain = Yes
        # must
        winbind trusted domains only = no
        # must
        allow trusted domains = yes


greez


Nir Barkan wrote:
I tried all the combinations on the "idmap backend" line and still have
errors.

What is the exact "idmap backend" line that I should add to my smb.conf
file
when "ITGIL" = my domain and "EU15" = my trusted domain?

Thanks,

Nir

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 11:22 AM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

:)

 > idmap backend = ITGIL=10000-19999,EU15=20000-30000
this is not correct semantic ;)

example:
idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"

this should work

greez


Nir Barkan wrote:
I added the idmap backend to my smb.conf as you suggested


idmap backend = ITGIL=10000-19999,EU15=20000-30000

I get the following (on the winbind debug):

idmap_init: using 'ITGIL=10000-19999' as remote backend
Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1: ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed: No such file or directory
idmap_init: could not load remote backend 'ITGIL=10000-19999'
Could not init idmap -- netlogon proxy only

The idmap directory exists; do I need to run something manually?

P.S

ITGIL = my domain
EU15 = my trusted domain

Thanks,

Nir


-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 02, 2006 9:46 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

you should do something like

idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
as i already wrote in a posting before. this won't work with idmap_rid,
but with all other backends.
i think you can stay with "winbind trusted domains only".

you should also run winbindd in interactive mode and debug level 3.
then you should see something like "init idmap backend for DOMAIN MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"

greez


Nir Barkan wrote:
Id test1 not working

Wbinfo -u return DomainName username (EUROPE test1)

The user is from trusted domain
I defined idmap uid = 10000-2000 and  idmap gid = 10000-20000 on my
smb.conf, Do I need to define something more?

Thanks,

Nir

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Friday, June 30, 2006 4:12 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

 > Id test1 not working
but wbinfo -u shows it?
if so you have a problem with mapping samba accounts to unix accounts.
is it a user from a trusted domain (to get back to the thread title)?

 > My dc is windows 2003 DC, do I need to install something on it?
no

greez

Nir Barkan wrote:

Id test1 not working

I tried without "winbind trusted domains only = Yes" and got the same
results.

My dc is windows 2003 DC, do I need to install something on it?

P.S

Thanks much for your help :-)

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 29, 2006 1:19 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains


 > "Id <username_from_local_domain_without_prefix_domainname" give me the user uid and gid.
good

some further questions:
- does "id test1" work?
- why did you set "winbind trusted domains only = Yes"

for trusted domains to work, you have to use winbind on your DC.
furthermore on each member server you have to specify an idmap range for each domain, like

idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"

greez





--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399
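
A lint for the smb.conf settings discussed in this thread, as an added example that is not code from the thread or from Samba. It flags an `idmap backend` value whose first element is not a module name (the cause of the "Error loading module" log), an inverted `idmap uid`/`idmap gid` range, and a boolean followed by a trailing comment, which smb.conf reads as part of the value. The names `parse_params` and `lint` and the sample block are hypothetical, and the module-name rule is inferred from the debug log quoted above.

```python
import re

# Constructed sample, built from values that appear in the thread.
SAMPLE = """\
[global]
    idmap backend = ITGIL=10000-19999,EU15=20000-30000
    idmap uid = 10000-2000
    idmap gid = 10000-20000
    winbind trusted domains only = no   # must
"""

BOOL_KEYS = ("allow trusted domains", "winbind trusted domains only",
             "winbind use default domain")
BOOL_WORDS = {"yes", "no", "true", "false", "on", "off", "1", "0"}

def parse_params(text):
    """Return {parameter: value}; smb.conf only has whole-line '#'/';' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Return findings for three smb.conf mistakes relevant to this thread."""
    findings = []
    params = parse_params(text)
    backend = params.get("idmap backend", "").strip('"')
    if backend:
        # Assumption taken from the debug log: the text before ':' (or before
        # the first ',') is treated as a module name under <libdir>/idmap/.
        module = re.split(r"[:,]", backend, maxsplit=1)[0]
        if not re.fullmatch(r"\w+", module):
            findings.append(f"idmap backend: {module!r} is not a module name")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(key, ""))
        if key in params and (m is None or int(m[1]) >= int(m[2])):
            findings.append(f"{key}: bad range {params[key]!r}")
    for key in BOOL_KEYS:
        if key in params and params[key].lower() not in BOOL_WORDS:
            findings.append(f"{key}: {params[key]!r} is not a boolean")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```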
