John H Terpstra wrote:
On Tuesday 27 May 2008 02:22:15 pm Daniel L. Miller wrote:
I've almost got it. I swear I've almost got it (and I've been doing a
lot of swearing lately).
Swearing does not help much. :-)
It does too! I haven't broken a single keyboard!
I re-built my PDC, starting from scratch. I'm not using the editposix
extensions anymore - I'm using the smbldap tools as shown (I think) in
the Samba by Example.
Now that is a really good guide. (Biased opinion of course!) It is a pity that
this book is a little out of date. Someone really should contribute updates
to it I guess.
I'd be delighted to - but at the moment it'd be the blind leading the
totally clueless.
I really really thought I did everything right. Obviously I was wrong.
Ah, you mean you have been learning to swim. A good start to using Samba.
Unfortunately I still splash far too much without making efficient
forward progress. I can go sideways really good though!
First question: under this configuration, do I need winbind at all?
That depends! You can probably get away without winbind. If you do need it,
you should update the configuration since winbindd has changed since Samba
3.0.20 - the version the book was last updated for.
Something I haven't seen in print yet - so I'll ask the question. WHEN
is the appropriate time to use winbind with PDC's and BDC's? If the
only (intended) purpose is for member servers and joining Windows
NT/2000+ domains - please say so. The 3.2 Using Samba says "...in the
majority of cases |winbind| is of primary interest for use with domain
member servers (DMSs) and domain member clients (DMCs)." - but that's
not quite the same as, "In an exclusively Samba server environment, with
a common LDAP backend (replicated or single), winbind offers no
additional features and in fact can cause problems. Do NOT use winbind
in such a configuration."
If the answer is yes, second question:
wbinfo -t yields checking the trust secret via RPC calls succeeded
wbinfo -u yields Error looking up domain users
It is no longer possible to use wbinfo on the PDC itself. See Samba Bugzilla
bug no. 5453.
I should also mention that I can't add the built-in or local groups
using net.
Correct. For that you will need the new winbind configuration syntax - you are
running 3.0.28 aren't you? See man idmap_ldap, or man idmap_tdb.
Now I'm more confused. I'm reviewing those pages - and while I do see
some other parameters, they say in their absence they will default to
using the ones I've specified. I don't see what I'm missing. I've
revised to show:
idmap domains = AMFESLAN.LOCAL
idmap alloc backend = ldap
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 10000-20000
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:range = 10000-20000
idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:backend = ldap
idmap config AMFESLAN.LOCAL:default = yes
Functionality and error messages remain the same.
I hope that helps.
Helps a lot - but I'm needy and greedy and would still appreciate more
of your insight.
--
Daniel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
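Added example, not part of the thread or of Samba itself: a small Python check that parses the idmap fragment posted above and reports which keys of the 3.0.25+ per-domain idmap syntax are absent or malformed. The required-key set (a backend and a well-formed range per listed domain, plus an alloc range when an alloc backend is set) is an assumption drawn from the idmap_ldap/idmap_tdb man pages; a clean result only means the smb.conf side is complete, not that the LDAP backend answers.

```python
import re

# Constructed sample input: the idmap fragment posted in the thread, assumed
# to sit in the [global] section of smb.conf.
SAMPLE_SMB_CONF = """
idmap domains = AMFESLAN.LOCAL
idmap alloc backend = ldap
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 10000-20000
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:range = 10000-20000
idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:backend = ldap
idmap config AMFESLAN.LOCAL:default = yes
"""

def parse_smb_conf(text):
    """Map 'key = value' lines to a dict; keys lower-cased, inner whitespace collapsed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split at the first '=' only
        params[" ".join(key.split()).lower()] = value.strip()
    return params

def parse_range(value):
    """Return (low, high) for 'low-high', or None if absent, malformed or inverted."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", (value or "").strip())
    if not m or int(m.group(1)) >= int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))

def check_idmap(params):
    """Report missing pieces of the per-domain idmap syntax (assumed set: backend, range)."""
    findings = []
    if "idmap alloc backend" in params and parse_range(params.get("idmap alloc config:range")) is None:
        findings.append("idmap alloc backend set but idmap alloc config:range missing or malformed")
    for dom in params.get("idmap domains", "").replace(",", " ").split():
        prefix = f"idmap config {dom.lower()}:"
        if prefix + "backend" not in params:
            findings.append(f"{dom}: missing {prefix}backend")
        if parse_range(params.get(prefix + "range")) is None:
            findings.append(f"{dom}: missing or malformed {prefix}range")
    return findings

def check_conf_text(text):
    return check_idmap(parse_smb_conf(text))
```

Running it on the posted fragment returns no findings, which is consistent with John's point that the remaining problem is wbinfo on the PDC rather than a missing key.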