Re: [Samba] IDMAP dump and restore for second server.
On Fri, Mar 23, 2012 at 10:51:47AM +, Johan Hendriks wrote:
> Thanks for the reply.
>
> probably my lack of understanding the whole thing is making it a little
> confusing for me.
>
> Is there a way to get the same id's on a second server.

You could move to using an LDAP backend, then it'll always be consistent between the servers. If you set up LDAP on both controllers, you can have replication and a solution that will scale well as you add servers.

--
Bruce

It is impolite to tell a man who is carrying you on his shoulders that his head smells.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Administrator cannot connect to samba on 2008 R2 ADS members
I have an odd situation where Samba 3.x domain members in an Active Directory 2008 R2 domain cannot authenticate the Administrator. All other users work, but if I try to connect to the samba services as the domain Administrator, authentication fails. The Windows domain controllers are happy to accept connections from the Administrator (e.g. using smbclient) but the Linux (Centos 5.5 and 5.6) domain members are not (I have encountered this problem with both Samba 3.3.8 and 3.5.4).

Direct kerberos authentication using the Administrator account works just fine, as does ldap authentication (I am using ldap rather than winbind in nsswitch.conf and I can ssh into the Linux domain members just fine as the Administrator).

I can attach detailed logs if wanted, but am not sure which detail is relevant. Here's the smb.conf:

#=== Global Settings =
[global]
workgroup = HQ
realm = HQ.CORP.COM
server string =
# --- Domain Members Options
security = ADS
passdb backend = tdbsam
# - Winbind Options --
client ldap sasl wrapping = seal
idmap backend = tdb
idmap uid = 1-1
idmap gid = 1-1
idmap config HQ : backend = ad
idmap config HQ : range = 1-1
winbind nss info = rfc2307

--
Bruce

Hierophant: someone who remembers, when you are on the way down, everything you did to them on the way up.
Re: [Samba] SSO's availability
On Tue, Aug 02, 2011 at 08:17:01PM +0200, Frédéric Bérard wrote:
> Is it possible to configure a system of authentication based on SSO
> samba (and certainly ldap and lot of others things) ?

Which things need to authenticate? At my current workplace, I've set up Samba with an LDAP backend. Linux machines, switches, web applications and various devices authenticate directly against the LDAP backend; Windows machines (or anything which needs Windows authentication and file services) use Samba. It all plays nicely and satisfies all our current needs.

What are your needs? Do you have a specific requirement for Active Directory (or equivalent)?

> Is it possible to do this without any windows's system which act as
> any authority ?

Absolutely.

> What I mean is that I would like to do this only one linux's computer

Unless your network is very small, I'd recommend using a minimum of two, so that your whole system doesn't fail because of a problem on your only domain controller.

--
Bruce

It is impolite to tell a man who is carrying you on his shoulders that his head smells.
Re: [Samba] Fwd: getent group fails - fixed
On Thu, Jun 23, 2011 at 02:20:56PM +0100, Dermot wrote:
> I would have thought, but I am no expert, that
> samba would have used the config from smb.conf and that ldapsearch
> (and anything else that didn't have hooks else where) would use
> /etc/ldap/ldap.conf.

In smb.conf you specify those things which have meaning only to samba. But the non-samba-specific bits are configured in /etc/ldap/ldap.conf. For example, if you are using ldaps or ldap+tls (which you really should), how are you going to tell samba where to find the CA cert that authenticated the certs of your ldap servers? Answer: you put the correct ssl-relevant config into /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf on RedHat-based distributions). Samba is using the openldap client libraries, after all.

--
Bruce

The ice-caps are melting, tra-la-la-la. All the world is drowning, tra-la-la-la-la. -- Tiny Tim.
Re: [Samba] Fwd: getent group fails - fixed
On Thu, Jun 23, 2011 at 01:00:55PM +0100, Dermot wrote:
> Found it.
>
> It turns out that the config file for libnss-ldap is
> /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the
> config that I had been in /etc/ldap/ldap.conf and taking it from
> /etc/libnss-ldap.conf.

As far as I'm aware, most of the distributions use a separate configuration file for libnss-ldap, allowing /etc/ldap/ldap.conf to be used for the generic configuration of user ldap searches (as it is intended) and not have those constrained by the very specific needs of nsswitch.

This separation is more than just a convenience. At my workplace, I have an LDAP directory as the backing for nsswitch and as the passdb/idmap backend for Samba. Samba's ldap searches are affected by anything that goes into /etc/ldap/ldap.conf, which would cause problems if the nsswitch-specific settings had to be stored there.

--
Bruce

Vajazzle - giving new meaning to the phrase "I'll scratch your eyes out".
Re: [Samba] SOLVED: DFS root only works for more recent Windows clients
On Thu, Jun 09, 2011 at 10:39:50AM +0100, Bruce Richardson wrote:
> I've been testing DFS roots and I'm finding that while Vista and 2008
> Server clients can connect with no problems, Windows XP Pro and 2003
> Server clients fail. This seems like it's the wrong way round - Samba
> usually has more difficulties with recent Windows versions than older
> ones - but I can only assume that there's some registry/policy change
> between the versions. If anybody has seen similar issues or has an idea
> of the likely cause, I'd be very glad of the help.

The cause was having a global restriction on access to shares:

>
> # -- Share Default Options ---
> valid users = @domadmins, @domusers,

Moving that option from the global config into the share config enabled access for XP and 2003 DFS clients. It seems that older versions of Windows rely on public visibility of the IPC$ share for some things.

--
Bruce

What would Edward Woodward do?
Re: [Samba] DFS root only works for more recent Windows clients
On Thu, Jun 09, 2011 at 10:47:26AM -0400, John Drescher wrote:
> > There may be some difference between our set-up (LDAP-backed Samba 3.x
> > domain) and yours,
>
> I am using a samba ldap domain.

I wonder what is different about our configurations that makes the difference. I wonder, could you send me a copy of the samba configuration from the host you are using for a DFS root? I can try working through the differences. Also, can you tell me if you're using a regular member server or a PDC/BDC for your DFS root?

--
Bruce

Get thee behind me, Stan: for it is written, thou hast gotten me into another fine mess. -- Oliver 4:8
Re: [Samba] DFS root only works for more recent Windows clients
>
> Have you tried using the real ip address in the links? I switched to
> that years ago to allow cifs-msdfs links without a dns server. I am
> not sure if that had any effect on XP clients though.

Interesting idea, just tried it, didn't work. Shame.

--
Bruce

Explota!: miles de lemmings no pueden estar equivocados.
Re: [Samba] DFS root only works for more recent Windows clients
On Thu, Jun 09, 2011 at 09:14:39AM -0400, John Drescher wrote:
>
> It's working for me for years at work with (xp, xp64, and now windows7
> 64 bit). As of a few months ago I am running samba-3.5.8 on the dfs root
> however I had 3.0.37 installed up until recently.
>
> Did you reboot the xp clients after enabling the dfs root?

Yes. I have been rebooting windows workstations and laptops with every test, tweak and configuration change since I started testing DFS. It makes no difference (and I've tested both 3.0.x and 3.5.x on the server side, as well).

There seems to be some policy setting on WinXP and 2003 which is blocking their access, something which is different on Vista, 2008 and Win7. There was a brief thread about this issue back in January which suggests that a recent security update may be to blame. There may be some difference between our set-up (LDAP-backed Samba 3.x domain) and yours, but the guys who reported the issue in January are both running their samba servers within Active Directory domains, so they aren't identical set-ups to ours.

I can use the DFS admin tool on a Windows XP box to examine the DFS root and its links. It happily verifies the status of the links and the shares they point to. But any attempt to open the links gives me "\\Apps01\files\link refers to a location that is unavailable". Frustratingly, Windows XP doesn't log anything at all about this.

--
Bruce

Get thee behind me, Stan: for it is written, thou hast gotten me into another fine mess. -- Oliver 4:8
Re: [Samba] problem connecting DFS-share with winXP - successful with Vista & 7
On Mon, Dec 20, 2010 at 11:19:52AM +0100, Steffen Frömer wrote:
>
> Hi,
>
> i have problems connecting to DFS-Share from Client WindowsXP. Same
> configuration works fine for Windows Vista and 7. On Windows 7 the
> LMCompatibility Level is 3.

I missed this in my previous search of the archives. Seems I have the same problem. Did you ever find a resolution to this?

--
Bruce

Hierophant: someone who remembers, when you are on the way down, everything you did to them on the way up.
Re: [Samba] DFS root only works for more recent Windows clients
On Thu, Jun 09, 2011 at 12:42:48PM +0200, Daniel Müller wrote:
> For me working without any trouble. Centos 5.5,5.4,5.6.
> Did you:
> host msdfs=yes???

That's the default setting for host msdfs, so there should be no need to set it. But yes, I did set it explicitly and it made no difference. It is no longer explicitly specified, but "testparm --parameter-name 'host msdfs'" returns "Yes". Remember, this works for recent versions of windows, so msdfs *is* enabled.

--
Bruce

Hierophant: someone who remembers, when you are on the way down, everything you did to them on the way up.
[Samba] DFS root only works for more recent Windows clients
I've been testing DFS roots and I'm finding that while Vista and 2008 Server clients can connect with no problems, Windows XP Pro and 2003 Server clients fail. This seems like it's the wrong way round - Samba usually has more difficulties with recent Windows versions than older ones - but I can only assume that there's some registry/policy change between the versions. If anybody has seen similar issues or has an idea of the likely cause, I'd be very glad of the help.

Using the Samba3x packages on Centos, so it's Samba 3.5.4. Very simple config:

#=== Global Settings =
[global]
workgroup = OFFICE
server string =
# - Domain Members Options --
security = domain
passdb backend = tdbsam
password server = *
# -- Share Default Options ---
writeable = no
browseable = yes
printable = no
write list = @domadmins,
valid users = @domadmins, @domusers,
# Share Definitions -
[files]
path = /dfsroot
msdfs root = yes

--
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists against the ignorant. -- Roger Bacon, "Doctor Mirabilis"
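The resolution reported earlier in this thread was to move the global "valid users" line into the share definition, because a restriction in [global] also applies to IPC$ and older DFS clients need to reach that share. The following is an added example, not code from the thread or from the Samba project: a small Python checker that parses an smb.conf laid out like the one above, reports a "valid users" line in [global], lists the shares declaring "msdfs root = yes", and produces a rewritten config with the restriction applied per share instead. The parser assumes the plain INI-style layout shown in the post; the sample config embedded in the script is a constructed copy of the one above.

```python
"""Find a global 'valid users' restriction in smb.conf and move it to the shares.

Added example, not from the original thread or from Samba. A 'valid users'
line in [global] restricts every share, IPC$ included, which is what stopped
the Windows XP / 2003 DFS clients in this thread. Parsing assumes the plain
INI layout of the posted config: [section] headers, 'key = value' lines and
'#' or ';' comments.
"""
import copy
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PARAM_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")

# Constructed sample modelled on the config posted in this thread.
SAMPLE_SMB_CONF = """\
#=== Global Settings =
[global]
workgroup = OFFICE
server string =
security = domain
passdb backend = tdbsam
password server = *
# -- Share Default Options ---
writeable = no
browseable = yes
printable = no
write list = @domadmins,
valid users = @domadmins, @domusers,
# Share Definitions -
[files]
path = /dfsroot
msdfs root = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with collapsed whitespace."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key = re.sub(r"\s+", " ", m.group("key").strip().lower())
            sections[current][key] = m.group("value").strip()
    return sections


def global_valid_users(sections):
    """The [global] 'valid users' value, or None when the restriction is per share only."""
    return sections.get("global", {}).get("valid users")


def dfs_roots(sections):
    """Names of shares that declare themselves a DFS root."""
    return sorted(name for name, params in sections.items()
                  if name != "global"
                  and params.get("msdfs root", "no").lower() in ("yes", "true", "1"))


def move_valid_users_to_shares(sections):
    """Return a copy with 'valid users' removed from [global] and applied to each share.

    Shares that already carry their own 'valid users' keep it, and an explicit
    [IPC$] section is left unrestricted, which is the point of the change.
    """
    fixed = copy.deepcopy(sections)
    value = fixed.get("global", {}).pop("valid users", None)
    if value is not None:
        for name, params in fixed.items():
            if name not in ("global", "ipc$"):
                params.setdefault("valid users", value)
    return fixed


def render(sections):
    """Serialise the parsed sections back into smb.conf syntax."""
    out = []
    for name, params in sections.items():
        out.append(f"[{name}]")
        out.extend(f"    {key} = {value}" for key, value in params.items())
        out.append("")
    return "\n".join(out)


def report(text):
    """Human-readable findings for one smb.conf text."""
    sections = parse_smb_conf(text)
    lines = []
    value = global_valid_users(sections)
    if value is not None:
        lines.append(f"[global] valid users = {value}: this also restricts IPC$;"
                     " move it into the share definitions")
    lines.append("DFS roots: " + (", ".join(dfs_roots(sections)) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SMB_CONF)))
    print(render(move_valid_users_to_shares(parse_smb_conf(SAMPLE_SMB_CONF))))
```

Run against a real file with `report(open("/etc/samba/smb.conf").read())`; the rewritten output from `render` is meant to be compared with `testparm` before it replaces anything, since the parser deliberately ignores includes and registry-based configuration.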
Re: [Samba] Shared directory contained within another shared directory
On Thu, Mar 17, 2011 at 09:50:14AM -0500, Chris Weiss wrote:
> yes, filesystem permissions do override any share level permissions in
> the conf. you'll need to adjust hrshared permissions as needed.

Pedantically, it's not that one overrides the other; the restrictions in the two different components are additive.

--
Bruce

Explota!: miles de lemmings no pueden estar equivocados.
Re: [Samba] ldap idmap backend
On Thu, Mar 17, 2011 at 05:06:03PM +0300, Vladimir Vassiliev wrote:
> >Why have you created a local computer domain, out of interest?
>
> I didn't do it, Samba did. Really I dunno how to "add" extra domain to Samba.
> How can I delete this domain?

Something did it. Was this machine a domain controller before it was joined to the CORP domain? Can you show us the idmap-related section of your samba config?

--
Bruce

Explota!: miles de lemmings no pueden estar equivocados.
Re: [Samba] ldap idmap backend
On Thu, Mar 17, 2011 at 04:02:29PM +0300, Vladimir Vassiliev wrote:
>
> Hi all,
>
> i use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend.
> Servers run Centos 4 and 5.
> I can't cope with next issue for long time.
>
> On all servers in domain winbind constantly tries to create mapping for
> -513
> and fails because of already existing entry.
> It just wastes gid range.

-513 is the Domain Users group.

>
> Note that is not SID of main domain but another which name
> equal to hostname. For example on host FMS in domain CORP I have:
>
> wbinfo --all-domains
> BUILTIN
> FMS
> CORP

Why have you created a local computer domain, out of interest? Windows does this, but you don't have to do it with samba. This has been the cause of your problem; winbind is trying to map both -513 and -513 to the same local group.

--
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists against the ignorant. -- Roger Bacon, "Doctor Mirabilis"
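The reply above identifies RID 513 as Domain Users and explains that winbind was trying to map the 513 group of two different domains (the host's own local domain and CORP) onto one local group. As an added example, not from the thread or from Samba, the following Python code parses SIDs of the S-1-5-21-...-RID form, names the well-known domain RIDs, and reports any RID that is being resolved from more than one domain SID, which is the situation the poster was wasting gid range on. The domain SIDs in the sample are constructed placeholders, not the poster's real values.

```python
"""Name well-known RIDs in SIDs and spot the same RID arriving from two domains.

Added example, not from the original thread or from Samba. The thread's
problem was that the host's own local domain and the CORP domain both
expose a -513 (Domain Users) SID and winbind tried to give both the same
local group. All SIDs below are constructed placeholders.
"""
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subs>(?:-\d+)+)$")

# Well-known relative identifiers of domain accounts and groups.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Constructed sample: the real domain and the unwanted host-named local domain.
SAMPLE_DOMAINS = {
    "CORP": "S-1-5-21-1111111111-2222222222-3333333333",
    "FMS": "S-1-5-21-4444444444-5555555555-6666666666",
}
SAMPLE_SIDS = [
    SAMPLE_DOMAINS["CORP"] + "-513",
    SAMPLE_DOMAINS["FMS"] + "-513",
    SAMPLE_DOMAINS["CORP"] + "-512",
    "S-1-5-32-544",  # BUILTIN\Administrators, not a domain RID
]


def parse_sid(sid):
    """Split 'S-1-A-X-Y-Z-RID' into (domain SID, RID); raise ValueError if malformed."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group("subs").lstrip("-").split("-")]
    if len(subs) < 2:
        raise ValueError(f"SID has no RID component: {sid!r}")
    domain = "S-1-%s-%s" % (m.group("authority"), "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def well_known_rid(rid):
    """Name of a well-known domain RID, or None for an ordinary allocated RID."""
    return WELL_KNOWN_DOMAIN_RIDS.get(rid)


def domain_label(domain_sid, domains=SAMPLE_DOMAINS):
    """Map a domain SID back to its short name, falling back to the SID itself."""
    for name, sid in domains.items():
        if sid == domain_sid:
            return name
    return domain_sid


def describe(sid):
    """Render a SID as DOMAIN\\Name, e.g. CORP\\Domain Users."""
    domain, rid = parse_sid(sid)
    return f"{domain_label(domain)}\\{well_known_rid(rid) or 'RID ' + str(rid)}"


def find_rid_collisions(sids):
    """Return {rid: [domain SIDs]} for every RID that appears under more than one domain.

    Each of these needs its own idmap entry; a mapping keyed on the RID alone
    would hand two different groups one gid.
    """
    by_rid = defaultdict(set)
    for sid in sids:
        domain, rid = parse_sid(sid)
        by_rid[rid].add(domain)
    return {rid: sorted(domains) for rid, domains in by_rid.items() if len(domains) > 1}


if __name__ == "__main__":
    for sid in SAMPLE_SIDS:
        print(f"{sid}  ->  {describe(sid)}")
    for rid, domains in find_rid_collisions(SAMPLE_SIDS).items():
        print(f"RID {rid} ({well_known_rid(rid)}) seen in: " +
              ", ".join(domain_label(d) for d in domains))
```

On a real host the list of SIDs would come from the idmap backend or from `wbinfo`; a collision report is expected whenever a second domain (trusted or, as here, an unwanted local one) is present, and the cure in the thread was removing the extra domain rather than widening the gid range.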
Re: [Samba] Samba PDC adding new user, profile dir is not created
On Wed, Mar 16, 2011 at 12:01:52PM +, Bruce Richardson wrote:
>
> What do you have in your "logon path" setting in smb.conf?

You never answered this question. You don't need to have anything there, because it defaults to "\\%N\%U\profile", but if you do have something there, what is it?

Are you sure you have actually activated domain logins? It is possible that you have simply set up a stand-alone file server. For the PDC to be working properly, you need

security = user
domain master = yes
domain logons = yes

--
Bruce

A problem shared brings the consolation that someone else is now feeling as miserable as you.
Re: [Samba] Samba PDC adding new user, profile dir is not created
On Wed, Mar 16, 2011 at 04:17:05PM +0100, J. Echter wrote:
> On 16.03.2011 13:01, Bruce Richardson wrote:
> >On Wed, Mar 16, 2011 at 12:16:52PM +0100, J. Echter wrote:
> >>no, i want to have a profile dir created when a new created user
> >>logs in. that's it. :)
> >
> >If you create these directories manually and then a user logs in, does
> >the user's profile information then appear in their profile directory?
> >
> sorry didn't mention this, nothing is copied to the manually added dir.

Does the manually added dir have the correct ownership? Has it been chown-ed to the right user and do they have write access?

If the answer to those questions is yes but nothing is being copied up, then your problem is that the user workstations are not looking in the correct place. Either your domain controller is not advertising the correct location, or it isn't advertising *any* location for profiles.

--
Bruce

I see a mouse. Where? There, on the stair. And its clumsy wooden footwear makes it easy to trap and kill. -- Harry Hill
Re: [Samba] Samba PDC adding new user, profile dir is not created
On Wed, Mar 16, 2011 at 11:21:42AM +0100, Marco Ciampa wrote:
>
> IMHO you have to create it with a script.
> In that script you will create the user (with useradd) and then the profile
> dir...

I think it is probably a bad idea to do this with a script unless you have some good reason to need it. The auto-creation of the directory shows you that profiles are working properly.

--
Bruce

I unfortunately do not know how to turn cheese into gold.
Re: [Samba] Samba PDC adding new user, profile dir is not created
On Wed, Mar 16, 2011 at 12:16:52PM +0100, J. Echter wrote:
> no, i want to have a profile dir created when a new created user
> logs in. that's it. :)

Well, as long as you have the correct acls on the share and permissions on the directory, the user's workstation should try to create the user directory on the profiles share when the user first logs in. As far as I can see, your share definition and directory permissions are sufficient. What do you have in your "logon path" setting in smb.conf? And can you see anything in the logs?

>
> in my setup it doesnt get created.
>
> permission:
>
> drwxrwxrwx 4 root root 4096 Feb 12 10:51 samba

Um, if that's the /home/samba directory from your /home/samba/profile/%username profile path, then you've set the permissions there insecurely; ordinary users don't need to be creating directories in /home/samba, so you shouldn't need any more than 755 (or even 751) permissions there.

> drwxrwxrwx 16 root root 4096 Mar 16 11:50 profile

Assuming that is /home/samba/profile, then I would recommend you change the permissions from 777 to 1777. It's a minor point and doesn't have anything to do with your problem.

If you create these directories manually and then a user logs in, does the user's profile information then appear in their profile directory?

--
Bruce

Explota!: miles de lemmings no pueden estar equivocados.
Re: [Samba] Samba PDC adding new user, profile dir is not created
On Wed, Mar 16, 2011 at 11:09:59AM +0100, J. Echter wrote:
> Hi,
>
> i have a Samba PDC (no LDAP) and added add user script to my config.
>
> I can create the user with no problems, login is possible but the
> /home/samba/profile/user dir is not created.

It'll be created automatically when the user first logs in, if you have the right permissions on the profile share. It is possible to set the permissions/acls such that this doesn't allow users to read or interfere with each other's profiles.

You only need to create it yourself if you want to preload it with some data. Is this what you need to do?

--
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists against the ignorant. -- Roger Bacon, "Doctor Mirabilis"
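The advice in this thread comes down to filesystem modes: the parent of the profiles share needs no more than 0755 or 0751, a profile root in which users create their own directories should be 1777 rather than 0777, and per-user profile directories should not let other users read or interfere with them. As an added example, not code from the thread or from Samba, this Python script audits a tree laid out like the poster's (samba/profile/<user>) against those rules and can apply them. The tree it checks is constructed in a temporary directory with 0777 everywhere; the 0700 mode for per-user directories is an assumption of this example, not something the replies specify.

```python
"""Audit and correct the directory modes of a Samba roaming-profile share.

Added example, not from the original thread or from Samba. Rules taken from
the replies: the share's parent directory should be 0755 or 0751, a
world-writable profile root needs the sticky bit (1777, not 0777), and each
user's own profile directory is assumed here to be 0700 so other users
cannot read it. The demo tree is built in a temporary directory.
"""
import os
import stat
import tempfile


def _mode(path):
    """Permission bits of a path, without the file-type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def check_parent(path):
    """Parent of the profile root: nobody but root needs write access there."""
    mode = _mode(path)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path}: mode {mode:04o} is group/world writable; 0755 or 0751 is enough"
    return None


def check_profile_root(path):
    """Profile root: if users create their own directories here it must be 1777, not 0777."""
    mode = _mode(path)
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return f"{path}: mode {mode:04o} is world writable without the sticky bit; use 1777"
    return None


def check_user_dir(path):
    """Per-user profile directory: other users should not be able to read or modify it."""
    mode = _mode(path)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path}: mode {mode:04o} lets other users into this profile; 0700 assumed"
    return None


def audit_profiles(parent, profile_root):
    """Return a list of findings (empty when the tree matches the recommended modes)."""
    findings = [f for f in (check_parent(parent), check_profile_root(profile_root)) if f]
    for name in sorted(os.listdir(profile_root)):
        path = os.path.join(profile_root, name)
        if os.path.isdir(path):
            finding = check_user_dir(path)
            if finding:
                findings.append(finding)
    return findings


def apply_recommended_modes(parent, profile_root):
    """Set the modes the thread recommends (0700 for user dirs is this example's assumption)."""
    os.chmod(parent, 0o755)
    os.chmod(profile_root, 0o1777)
    for name in os.listdir(profile_root):
        path = os.path.join(profile_root, name)
        if os.path.isdir(path):
            os.chmod(path, 0o700)


def build_demo_tree():
    """Constructed layout mirroring the poster's: <tmp>/samba/profile/<user>, all 0777."""
    base = tempfile.mkdtemp(prefix="profile-audit-")
    parent = os.path.join(base, "samba")
    profile_root = os.path.join(parent, "profile")
    user_dir = os.path.join(profile_root, "alice")  # constructed user name
    os.makedirs(user_dir)
    for path in (parent, profile_root, user_dir):
        os.chmod(path, 0o777)
    return parent, profile_root


if __name__ == "__main__":
    parent, profile_root = build_demo_tree()
    for finding in audit_profiles(parent, profile_root):
        print("before:", finding)
    apply_recommended_modes(parent, profile_root)
    print("after:", audit_profiles(parent, profile_root) or "no findings")
```

To audit a live server, call `audit_profiles("/home/samba", "/home/samba/profile")` and review the findings before running `apply_recommended_modes`; ownership of each user directory is a separate check (the thread's reply asks whether it has been chown-ed to the right user), which this example does not attempt.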
Re: [Samba] another question about account locking
On Fri, Jan 14, 2011 at 02:51:58AM +0900, TAKAHASHI Motonobu wrote:
> 2011/1/13 Kevin Taylor :
> >
> > Is there a way that we can increment the samba bad password count, when a
> > user fails a password on a linux system? I'm looking for ways to get both
> > Windows and Linux to simultaneously lock out accounts if they fail so many
> > times. We're using an LDAP backend.
>
> How about "obey pam restrictions = yes" ?
>
> "obey pam restrictions = yes" means Samba should obey PAM's restriction.

This has other benefits, because it allows you to use the session components of various pam modules (e.g. pam_mkhomedir).

--
Bruce

What would Edward Woodward do?
Re: [Samba] why the domain administrator has to has uid 0?
On Mon, Jan 10, 2011 at 07:05:54AM -0500, William E Jojo wrote:
>
> Look at:
>
> net rpc rights grant username SeMachineAccountPrivilege
>
> This will add users to the account_policy.tdb file with join rights in that
> domain. When you upgrade or move to another machine, be sure to bring this
> file along.

For those of us using an LDAP backend on our Samba domains, this is the kind of setting which should be stored in LDAP as well. Is there any support for that at the moment?

--
Bruce

I must admit that the existence of Disneyland (which I know is real) proves that we are not living in Judea in AD 50. -- Philip K. Dick
Re: [Samba] getting error with setfacl
On Thu, Nov 04, 2010 at 11:50:03AM -0700, James D. Parra wrote:
> Hello Bruce,
>
> Still can't get setfacl to get group or user info from the AD (Windows 2003)
>
> I have the following in nsswitch.conf;
>
> passwd: compat ldap
> group: files ldap

Have you put the correct details into the nss_ldap configuration file? On RedHat and Centos, this is /etc/ldap.conf (NOT /etc/ldap/ldap.conf), while on Debian-derived distributions it is /etc/libnss-ldap.conf. You will need to set the "uri" and "basedn" configuration options. You will also either have to enable anonymous LDAP searches on your domain controllers or (the more secure route) create a user with read-only access to the relevant parts of your active directory tree and add their details to the nss_ldap configuration file ("binddn" and "bindpw").

--
Bruce

I must admit that the existence of Disneyland (which I know is real) proves that we are not living in Judea in AD 50. -- Philip K. Dick
Re: [Samba] getting error with setfacl
On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
> Well it does if you're using winbindd to map DOMAIN\\groupname
> to a group on the box :-).
> ~
>
> Thank you Jeremy. What is the best way to do that?

The key tool is nsswitch. Winbind may or may not be necessary, depending on your precise set up. It's the nsswitch libraries and configuration file which tell Linux where to fetch user and group information.

If your domain stores its user list in the tdb files on your PDC, then your only option is to use winbind (and the nss_winbind library) to provide user and group information to nsswitch. However, if you are using an LDAP directory as the data backend for your domain, you could use nss_ldap instead, and pull the information straight from LDAP. That's what I do, for several reasons, of which the best two are:

1. It allows me to have a consistent nsswitch configuration across all servers, whether or not they are running Samba, and have domain users able to access services consistently.

2. It simplifies the Samba configuration on servers which are domain members.

You have this choice both if your domain controllers are LDAP-backed Samba ones (as mine are), or Windows Active Directory servers - all you have to do is make sure your AD servers have the extension to their schema to support POSIX user/group information.

Given the choice, I would always go for the direct LDAP route, with users and groups that have intrinsic, permanent UIDs and GIDs; it's less fragile. I'll happily create those users and groups via Samba/Winbind on the PDC (love the whole "idmap alloc" and ldapsam:editposix combination), but once they're in the LDAP directory, they're permanent, and available to anything that speaks LDAP.

--
Bruce

I must admit that the existence of Disneyland (which I know is real) proves that we are not living in Judea in AD 50. -- Philip K. Dick
Re: [Samba] Samba3 registy based configuration and group policies!?
On Tue, Nov 02, 2010 at 10:09:16AM +0100, Daniel Müller wrote:
>
>
> Dear all,
>
> after a lot of thinking about the registry way of configuring samba I came
> about that group policies are especially stored things in the registry.

Group policies alter the registry of Windows workstations and member servers. They don't interact with the Samba registry.

> So my question is it possible to store this settings (group policies) at
> status quo in samba3 registry!?

Not in Samba 3 (don't know about 4). Samba 3 implements an NT4 domain; the windows workstations and member servers look for a file with a specific name in the netlogon share on the domain controller. You can't change that basic behaviour (I think you can change the name of the file that the client looks for, via a registry setting) and you can't serve files directly out of the Samba registry.

--
Bruce

It is impolite to tell a man who is carrying you on his shoulders that his head smells.
Re: [Samba] Workgroup compared to Domain
On Fri, Oct 29, 2010 at 06:50:08PM -0500, John H Terpstra wrote:
>
>
> Please help us to understand exactly how ZeroConf helps with user and
> group management. Confused by your answer!

Are you one of the original poster's alternate personalities? Otherwise, I'm a little confused by yours. The OP has said almost nothing about what he's actually looking for; I think you're making some unwarranted assumptions about what those needs are. Did you even research the Amahi project? For a lot of its common uses, UPnP-style solutions are actually appropriate. If the OP has something else in mind, maybe you could ask.

--
Bruce

Explota!: miles de lemmings no pueden estar equivocados.
Re: [Samba] Workgroup compared to Domain
On Thu, Oct 28, 2010 at 09:16:43PM -0400, Robert Moskowitz wrote:
> Are there any good articles comparing features/functions of a
> Workgroup compared to a Domain?

If you don't want the centralised control of a Windows domain, leave Workgroups well alone; they are fragile, overly complex for what they do and quite obsolete. Better to look at Zero Configuration networking.

http://en.wikipedia.org/wiki/Zero_configuration_networking

--
Bruce

Remember you're a Womble.
Re: [Samba] Trusted domain users unwantedly mapping onto local domain users
On Thu, Oct 21, 2010 at 05:02:55PM -0400, Gaiseric Vandal wrote:
>
> I have not tried ssh'ing in as a trusted domain user (I definitely
> don't want that available..)

It's not something I want to make available, but it was an important test to prove that winbind was creating the correct idmap entries and that this was making functional POSIX accounts available to the Linux host. What I don't understand is why Samba isn't mapping the trusted domain users onto those accounts.

>
> Do you have an entry in krb5.conf for the trusted domain? I think
> that is more of an issue for locating the DC.

I do.

>
> At some point I changed the forest and domain modes on the Windows
> 2003 DC from mixed to native. That may have broken something

I'm surprised anything is working for you. I didn't think trust relationships between Samba or NT4 and AD would work at all if AD was in native mode.

--
Bruce

If the universe were simple enough to be understood, we would be too simple to understand it.
[Samba] Trusted domain users unwantedly mapping onto local domain users
Having set up two way trust between a Samba domain (with LDAP backend) and an AD domain, I find that

1. Users from the trusted domain are authenticated against the proper DC (that is, their regular password works), but only if there is a corresponding local domain user.

2. Users from the trusted domain are being mapped onto Samba/POSIX users associated with the local Samba domain, despite the fact that the correct idmap objects are being created in the directory. If they connect to a share, they connect as the local domain user (although, oddly, they can create new files and directories but not delete old ones).

More information:

The local domain uses an LDAP backend, with ldapsam:editposix and ldapsam:trusted set. LDAP is used for all domain configs (BUILTIN, OFFICE domain and external domains). Winbind is used on the domain controllers for GID/UID allocation (and for id mappings for foreign domains), but nss_ldap is used on all the servers, DC or member, to provide the POSIX user information via nsswitch.conf. winbind is not currently running on the member servers (not needed for a single domain because of nss_ldap). All this was working perfectly.

Adding the domain trust worked flawlessly. Then I tried - on the PDC and BDC only - to have users from the trusted domain connecting to shares. So I changed nsswitch.conf from

passwd: files ldap
group: files ldap

to

passwd: files ldap winbind
group: files ldap winbind

I added details of the AD domain's PDC to krb5.conf, set the auth user file and restarted winbindd for luck.

* "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
* "getent passwd" returns the trusted users in the list as TRUSTED\user.name.
* The idmap OU in the directory now has two dozen entries (the AD domain is only used for one specialist part of the company).

So far so good. "getent group" and "getent passwd" shows the TRUSTED domain users have been added and are visible as POSIX users. TRUSTED users can authenticate to any OFFICE member servers using their own passwords (with the important caveat mentioned above).

At this point, I'm at something of a loss. I can ssh into the domain controller as TRUSTED\test.user, whether or not there is a corresponding user in the local domain, and the correct UID and GID will be assigned, but I can only connect to Samba as that user if there is a corresponding local domain user and I am then assigned their UID and GID.

Can anybody suggest what I may have missed? I can post the relevant domain controller configs.

I don't know if it's relevant to this, but winbind keeps trying to write to krb5.conf and being blocked by selinux. Haven't had time to investigate that.

--
Bruce

I unfortunately do not know how to turn cheese into gold.