I disabled the nscd.

Restarted winbind (with debug=5)

Running id gives the same results = id: invalid user name: "EU15\test1"

Nothing written on the winbind debug

Nir

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 5:32 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

if you're running winbindd there's no need to run nscd. it's a common
problem and you should really avoid using it, unless you have a real reason.

disable it and run id again

greez

Nir Barkan wrote:
> Nscd is running
>
> This is my nsswitch.conf:
>
> # /etc/nsswitch.nis:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # uses NIS (YP) in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files winbind nis
> group: files winbind nis
>
> # consult /etc "files" only if nis is down.
> hosts: files nis dns
> ipnodes: files
> # Uncomment the following line and comment out the above to resolve
> # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
> # IPv4 addresses are searched in all of the ipnodes databases before
> # searching the hosts databases. Before turning this option on, consult
> # the Network Administration Guide for more details on using IPv6.
> #ipnodes: nis [NOTFOUND=return] files
>
> networks: nis [NOTFOUND=return] files
> protocols: nis [NOTFOUND=return] files
> rpc: nis [NOTFOUND=return] files
> ethers: nis [NOTFOUND=return] files
> netmasks: nis [NOTFOUND=return] files
> bootparams: nis [NOTFOUND=return] files
> publickey: nis [NOTFOUND=return] files
>
> netgroup: nis
>
> automount: files nis
> aliases: files nis
>
> # for efficient getservbyname() avoid nis
> services: files nis
> sendmailvars: files
> printers: user files nis
>
> auth_attr: files nis
> prof_attr: files nis
> project: files nis
> project: files nis
>
> -----Original Message-----
> From: Michael Gasch [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 03, 2006 4:06 PM
> To: Nir Barkan
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
>
> > When running the id command, nothing written on the winbind debug
> looks like a prob with NSS and winbindd...
> what does your nsswitch.conf look like?
> do you use nscd?
>
> greez
>
> Nir Barkan wrote:
>> id EU15\\test1
>>
>> gives:
>>
>> id: invalid user name: "EU15\test1"
>>
>> When running the id command, nothing written on the winbind debug
>>
>> Nir
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>> Sent: Monday, July 03, 2006 2:31 PM
>> To: Nir Barkan
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> looks good, but the log isn't very informative.
>>
>> what does "id EU15\\test1" on the member server say now?
>> winbindd has to allocate a uidnumber for this user.
>>
>> greez
>>
>>
>>
>> Nir Barkan wrote:
>>> Now I don't have idmap errors, but the user from the trusted domain still
>>> can't connect, this is what the debug logs when the user from the trusted
>>> domain tries to connect:
>>>
>>> Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 8520]: Get DC name for EU15
>>> cm_get_ipc_userpass: No auth-user defined
>>> Doing spnego session setup (blob length=122)
>>> got OID=1 2 840 48018 1 2 2
>>> got OID=1 2 840 113554 1 2 2
>>> got OID=1 2 840 113554 1 2 2 3
>>> got OID=1 3 6 1 4 1 311 2 2 10
>>> got [EMAIL PROTECTED]
>>> Doing kerberos session setup
>>> Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind request returned ok.
>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind request returned ok.
>>> lsa_io_sec_qos: length c does not match size 8
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: request interface version
>>> [ 0]: request location of privileged pipe
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [ 0]: domain_info [EU15]
>>> [ 0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>> Sent: Monday, July 03, 2006 1:19 PM
>>> To: Nir Barkan
>>> Cc: samba@lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> for trusted domains to work you have to use either tdbsam or ldap
>>> backend. don't know whether ad works, though.
>>>
>>> this should work for you:
>>> # idmap backend = # please comment out for tdbsam
>>> idmap uid = 10000-100000
>>> idmap gid = 10000-100000
>>> winbind use default domain = Yes # your choice
>>> winbind trusted domains only = no # must
>>> allow trusted domains = yes # must
>>>
>>>
>>> greez
>>>
>>>
>>> Nir Barkan wrote:
>>>> I tried all the combinations on the "idmap backend" line and still have
>>>> errors.
>>>>
>>>> What is the exact "idmap backend" line that I should add to my smb.conf file
>>>> when "ITGIL" = my domain and "EU15" = my trusted domain?
>>>>
>>>> Thanks,
>>>>
>>>> Nir
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>> Sent: Monday, July 03, 2006 11:22 AM
>>>> To: Nir Barkan
>>>> Cc: samba@lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>> :)
>>>>
>>>> > idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>> this is not correct semantic ;)
>>>>
>>>> example:
>>>> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>>>>
>>>> this should work
>>>>
>>>> greez
>>>>
>>>>
>>>> Nir Barkan wrote:
>>>>> I added the idmap backend to my smb.conf as you suggested
>>>>>
>>>>>
>>>>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>>
>>>>> I get the following (on the winbind debug):
>>>>>
>>>>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>>>>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1: ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed: No such file or directory
>>>>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>>>>> Could not init idmap -- netlogon proxy only
>>>>>
>>>>> The idmap directory exists; do I need to run something manually?
>>>>>
>>>>> P.S
>>>>>
>>>>> ITGIL = my domain
>>>>> EU15 = my trusted domain
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nir
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>>> Sent: Sunday, July 02, 2006 9:46 PM
>>>>> To: Nir Barkan
>>>>> Cc: samba@lists.samba.org
>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>
>>>>> you should do something like
>>>>>
>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>>>> as i already wrote in a posting before. this won't work with idmap_rid,
>>>>> but with all other backend.
>>>>> i think you can stay with "winbind trusted domains only".
>>>>>
>>>>> you should also run winbindd in interactive mode and debug level 3.
>>>>> then you should see something like "init idmap backend for DOMAIN
>>>>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>>>>
>>>>> greez
>>>>>
>>>>>
>>>>> Nir Barkan wrote:
>>>>>> Id test1 not working
>>>>>>
>>>>>> Wbinfo -u return DomainName username (EUROPE test1)
>>>>>>
>>>>>> The user is from trusted domain
>>>>>>
>>>>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 on my
>>>>>> smb.conf, Do I need to define something more?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Nir
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>>>> Sent: Friday, June 30, 2006 4:12 PM
>>>>>> To: Nir Barkan
>>>>>> Cc: samba@lists.samba.org
>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>
>>>>>> > Id test1 not working
>>>>>> but wbinfo -u shows it?
>>>>>> if so you have a problem with mapping samba accounts to unix accounts.
>>>>>> is it a user from a trusted domain (to get back to the thread title)?
>>>>>>
>>>>>> > My dc is windows 2003 DC, do I need to install something on it?
>>>>>> no
>>>>>>
>>>>>> greez
>>>>>>
>>>>>> Nir Barkan wrote:
>>>>>>
>>>>>>> Id test1 not working
>>>>>>>
>>>>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>>>>> results.
>>>>>>>
>>>>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>>>>
>>>>>>> P.S
>>>>>>>
>>>>>>> Thanks much for your help :-)
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>>>>> To: Nir Barkan
>>>>>>> Cc: samba@lists.samba.org
>>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>>
>>>>>>>
>>>>>>>> "Id <username_from_local_domain_without_prefix_domainname" give me the user
>>>>>>>> uid and gid.
>>>>>>> good
>>>>>>>
>>>>>>> some further questions:
>>>>>>> - does "id test1" work?
>>>>>>> - why did you set "winbind trusted domains only = Yes"
>>>>>>>
>>>>>>> for trusted domains to work, you have to use winbind on your DC.
>>>>>>> furthermore on each member server you have to specify an idmap range for
>>>>>>> each domain, like
>>>>>>>
>>>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>>>>
>>>>>>> greez
>>>>>>>
>>>>>>>
>>>>>>>

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399
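
An added example, not part of the thread and not Samba code: a small Python check for the smb.conf points that come up above (the reversed `idmap uid = 10000-2000` range, the `idmap backend` value that winbindd tried to load as a module, and the two trusted-domain switches). `SAMPLE_SMB_CONF` is constructed from settings quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: settings Nir reported at different points in the thread.
SAMPLE_SMB_CONF = """\
[global]
   idmap backend = ITGIL=10000-19999,EU15=20000-30000
   idmap uid = 10000-2000
   idmap gid = 10000-20000
   winbind trusted domains only = Yes
"""
TRUE = {"yes", "true", "1", "on"}

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def check_idmap(text):
    """Check the points raised in the thread; return a list of findings."""
    p, findings = parse_global(text), []
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get(key, ""))
        if not m:
            findings.append(f"{key}: missing or not in LOW-HIGH form")
        elif int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key}: range {p[key]} is empty (low >= high)")
    # The idmap_init log in the thread shows a bare DOMAIN=range value being
    # loaded as a module name; a module spec has no '=' before the first ':'.
    if "=" in p.get("idmap backend", "").split(":", 1)[0]:
        findings.append("idmap backend: value will be treated as a module name")
    # Settings marked "must" in the thread; absent keys use Samba's defaults.
    if p.get("winbind trusted domains only", "no").lower() in TRUE:
        findings.append("winbind trusted domains only: thread advice is 'no'")
    if p.get("allow trusted domains", "yes").lower() not in TRUE:
        findings.append("allow trusted domains: thread advice is 'yes'")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF):
        print(finding)
```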