id EU15\\test1 gives:
id: invalid user name: "EU15\test1" When running the id command, nothing written on the winbind debug Nir -----Original Message----- From: Michael Gasch [mailto:[EMAIL PROTECTED] Sent: Monday, July 03, 2006 2:31 PM To: Nir Barkan Cc: samba@lists.samba.org Subject: Re: [Samba] Samba and trusted domains looks good, but the log isn´t very informative. what does now "id EU15\\test1" on the member server say? winbindd has to allocate an uidnumber for this user. greez Nir Barkan wrote: > Now I don't have idmap errors, but the user from the trusted domain still > can't connect, this is what the debug logs when the user from the trusted > domain tries to connect: > > Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631 > [ 0]: request interface version > [ 0]: request location of privileged pipe > [ 0]: domain_info [EU15] > [ 8520]: Get DC name for EU15 > cm_get_ipc_userpass: No auth-user defined > Doing spnego session setup (blob length=122) > got OID=1 2 840 48018 1 2 2 > got OID=1 2 840 113554 1 2 2 > got OID=1 2 840 113554 1 2 2 3 > got OID=1 3 6 1 4 1 311 2 2 10 > got [EMAIL PROTECTED] > Doing kerberos session setup > Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT > rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind > request returned ok. > rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind > request returned ok. > lsa_io_sec_qos: length c does not match size 8 > [ 0]: pam auth crap domain: [EU15] user: test1 > [ 8520]: pam auth crap domain: EU15 user: test1 > [ 0]: request interface version > [ 0]: request location of privileged pipe > [ 0]: domain_info [EU15] > [ 0]: pam auth crap domain: [EU15] user: test1 > [ 8520]: pam auth crap domain: EU15 user: test1 > [ 0]: request interface version > [ 0]: request location of privileged pipe > [ 0]: domain_info [EU15] > [ 0]: pam auth crap domain: [EU15] user: test1 > [ 8520]: pam auth crap domain: EU15 user: test1 > [ 0]: request interface version > [ 0]: request location of privileged pipe > [ 0]: domain_info [EU15] > [ 0]: pam auth crap domain: [EU15] user: test1 > [ 8520]: pam auth crap domain: EU15 user: test1 > [ 0]: domain_info [EU15] > [ 0]: pam auth crap domain: [EU15] user: test1 > [ 8520]: pam auth crap domain: EU15 user: test1 > > -----Original Message----- > From: Michael Gasch [mailto:[EMAIL PROTECTED] > Sent: Monday, July 03, 2006 1:19 PM > To: Nir Barkan > Cc: samba@lists.samba.org > Subject: Re: [Samba] Samba and trusted domains > > for trusted domains to work you have to use either tdbsam or ldap > backend. don´t know whether ad works, though. > > this should work for you: > # idmap backend = # please comment out for tdbsam > idmap uid = 10000-100000 > idmap gid = 10000-100000 > winbind use default domain = Yes # your choice > winbind trusted domains only = no # must > allow trusted domains = yes # must > > > greez > > > Nir Barkan wrote: >> I tried all the combinations on the "idmap backend" line and still have >> errors. >> >> What is the exact "idmap backend" line that I should add to my smb.conf > file >> when "ITGIL" = my domain and "EU15" = my trusted domain? >> >> Thanks, >> >> Nir >> >> -----Original Message----- >> From: Michael Gasch [mailto:[EMAIL PROTECTED] >> Sent: Monday, July 03, 2006 11:22 AM >> To: Nir Barkan >> Cc: samba@lists.samba.org >> Subject: Re: [Samba] Samba and trusted domains >> >> :) >> >> > idmap backend = ITGIL=10000-19999,EU15=20000-30000 >> this is not correct semantic ;) >> >> example: >> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000" >> >> this should work >> >> greez >> >> >> Nir Barkan wrote: >>> I added the idmap backend to my smb.conf as you suggested >>> >>> >>> idmap backend = ITGIL=10000-19999,EU15=20000-30000 >>> >>> I get the following (on the winbind debug): >>> >>> idmap_init: using 'ITGIL=10000-19999' as remote backend >>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': > ld.so.1: >>> ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open > failed: >>> No such file or directory >>> idmap_init: could not load remote backend 'ITGIL=10000-19999' >>> Could not init idmap -- netlogon proxy only >>> >>> The idmap directory exists; do I need to run something manually? >>> >>> P.S >>> >>> ITGIL = my domain >>> EU15 = my trusted domain >>> >>> Thanks, >>> >>> Nir >>> >>> >>> -----Original Message----- >>> From: Michael Gasch [mailto:[EMAIL PROTECTED] >>> Sent: Sunday, July 02, 2006 9:46 PM >>> To: Nir Barkan >>> Cc: samba@lists.samba.org >>> Subject: Re: [Samba] Samba and trusted domains >>> >>> you should do something like >>> >>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000" >>> >>> as i already wrote in a posting before. this won't work with idmap_rid, >>> but with all other backend. >>> i think you can stay with "winbind trusted domains only". >>> >>> you should also run winbindd in interactive mode and debug level 3. >>> then you should see something like "init idmap backend for DOMAIN >>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME" >>> >>> greez >>> >>> >>> Nir Barkan wrote: >>>> Id test1 not working >>>> >>>> Wbinfo -u return DomainName username (EUROPE test1) >>>> >>>> The user is from trusted domain >>>> >>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 on my >>>> smb.conf, Do I need to define something more? >>>> >>>> Thanks, >>>> >>>> Nir >>>> >>>> -----Original Message----- >>>> From: Michael Gasch [mailto:[EMAIL PROTECTED] >>>> Sent: Friday, June 30, 2006 4:12 PM >>>> To: Nir Barkan >>>> Cc: samba@lists.samba.org >>>> Subject: Re: [Samba] Samba and trusted domains >>>> >>>> > Id test1 not working >>>> but wbinfo -u shows it? >>>> if so you have a problem with with mapping samba accounts to unix >>> accounts. >>>> is it a user from a trusted domain (to get back to the thread title)? >>>> >>>> > My dc is windows 2003 DC, do I need to install something on it? >>>> no >>>> >>>> greez >>>> >>>> Nir Barkan wrote: >>>> >>>>> Id test1 not working >>>>> >>>>> I tried without "winbind trusted domains only = Yes" and got the same >>>>> results. >>>>> >>>>> My dc is windows 2003 DC, do I need to install something on it? >>>>> >>>>> P.S >>>>> >>>>> Thanks much for your help :-) >>>>> >>>>> -----Original Message----- >>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED] >>>>> Sent: Thursday, June 29, 2006 1:19 PM >>>>> To: Nir Barkan >>>>> Cc: samba@lists.samba.org >>>>> Subject: Re: [Samba] Samba and trusted domains >>>>> >>>>> >>>>>> "Id <username_from_local_domain_without_prefix_domainname" give me the >>>>> user >>>>> >>>>>> uid and gid. >>>>> good >>>>> >>>>> some further questions: >>>>> - does "id test1" work? >>>>> - why did you set "winbind trusted domains only = Yes" >>>>> >>>>> for trusted domains to work, you have to use winbind on your DC. >>>>> furthermore on each member server you have to specify an idmap range > for >>>>> each domain, like >>>>> >>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000" >>>>> >>>>> greez >>>>> >>>>> >>>>> >>> >>> > -- Michael Gasch Max Planck Institute for Evolutionary Anthropology Department of Human Evolution (IT Staff) Deutscher Platz 6 D-04103 Leipzig Germany Phone: 49 (0)341 - 3550 137 49 (0)341 - 3550 374 Fax: 49 (0)341 - 3550 399 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba