Re: [Samba] Winbind problem revisited
On Tue, Dec 21, 2004 at 01:49:46PM -0600, Brian Kesting wrote:
| ---/etc/nsswitch.conf-
|
| passwd: compat winbind
| group: files dns compat winbind
| shadow: files winbind

[digression about nsswitch]

On various nsswitch implementations (including the canonical implementation on Solaris, and the NetBSD version), it's not supported to list any other sources for a given database at the same time as "compat", and "compat" only makes sense for the databases "passwd" and "group".

If you're not using the "+/-" syntax in /etc/passwd and /etc/group, just use "files" instead of "compat".

Otherwise, you should try something like:

    passwd: compat
    passwd_compat: winbind
    group: compat
    group_compat: dns winbind

passwd_compat and group_compat specify the sources to lookup stuff for the "+" and "-" entries in /etc/passwd & /etc/group (respectively).

I suspect you don't want "dns" in group/group_compat either, unless you're running Hesiod at your site.

(You can't list "files" or "compat" as sources for "passwd_compat" or "group_compat" as it doesn't make sense).

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind + NIS + winbind trusted domains
On Wed, Dec 15, 2004 at 10:14:12AM -, Plant, Dean wrote:
| I need to setup a samba file server with user access from a Windows AD
| domain and a separate Solaris NIS domain. All of our users have an account
| on the AD domain but only some of our users have a Unix account. I would
| like Windows users that have a Unix account to have files written as per
| their Unix uid and users that do not have an account to have a uid assigned
| from winbind.
|
| [...]
|
| Can anyone confirm that what I am trying to do is possible and if so any
| ideas what I have missed.

It's not possible with Samba "as-is".

I worked out a solution by implementing a new option -- "trim default domain", and posted the patches to samba-technical. See:
    http://www.dragoninc.on.ca/mail-archives/samba-technical/2004-10/0342.html

Maybe the Samba team will consider the patch (or another way to solve this problem), as it's apparent that I'm not the only person who needs to do this.

Cheers,
Luke.
Re: [Samba] Winbind + NIS + winbind trusted domains
On Wed, Dec 15, 2004 at 11:36:38AM +0100, Christoph Scheeder wrote:
| Hi,
| that behavior is logically correct, I would say.
| What happens is:
| the user is found from nis, and gets a userid not from the winbind-range.
| As a result samba is not able to verify this uid against the AD, as it
| is not an AD-user-id.
| I guess to achieve what you want you would have to add the nis-users to
| the local smbpasswd-database with the correct username and password and
| tell samba to look up users first in local database and then in AD.
| But I don't know if this is possible, I never tried it.

That's not quite correct.

If you have _all_ of your ADS users in NIS (without the leading "DOMAIN\") then you can use NIS for the username->UID mapping and ADS for samba password authentication. You don't need winbind in nsswitch.conf for this. (I.e, just "passwd: files nis")

The problem is if you only have _some_ of your ADS users in NIS, and want to use "passwd: files nis winbind" to take advantage of winbindd's "fake up a UID" behaviour, then you currently can't do this with samba, due to reasons I have detailed in other posts.

As far as I can tell, no other "usermapper" product solves this problem either (e.g, EMC's NAS product, etc). Which doesn't make it an invalid problem, just one that hasn't been solved elsewhere.

Luke.
Re: [Samba] Re: winbind: authenticating UNIX user before Win Domain user
On Thu, Nov 18, 2004 at 10:49:39AM -0800, Matt Seitz wrote:
| Luke Mewburn wrote:
| > I have the same requirement; except samba can't currently do this. See:
| > http://lists.samba.org/archive/samba/2004-October/094981.html
| >
| > I implemented a "trim default domain" option and provided a patch in:
| > http://www.dragoninc.on.ca/mail-archives/samba-technical/2004-10/0342.html
|
| What about the following scenario?
|
| 1. User1 is not in NIS.
| 2. DOMAIN\User1 logs into Samba
| 3. Winbind creates UID for User1
| 4. NIS administrator then adds User1 to NIS
|
| It appears you could end up with conflicting UIDs for User1, unless Winbind
| automatically added the user to NIS at the same time.

For my usage model, the conflicting UIDs are acceptable, and this possibility is/will be documented as such.

If your UNIX & ADS admins are communicating, it is a simple matter of creating the NIS account and using find && chown to change the perms from the original Winbind-allocated-UID to the new UID.

If your UNIX & ADS admins aren't communicating in that scenario, you're in more trouble than I care to think about. Seriously.
Re: [Samba] winbind: authenticating UNIX user before Win Domain user
On Wed, Nov 17, 2004 at 03:48:06PM -0500, Greg Chavez wrote:
| We have a samba 3.0.7 server on RHEL-3 (rain) joined as a domain
| member (security = domain) to a win2k pdc (clouds) for the domain DOM.
| We have several unix users and two Win-only users. The unix users
| have matching AD accounts on the win2k, but the Win-only users do not
| have unix accounts (and we want to keep it that way). So, it seemed
| that winbind would be the best way to bridge the gap:
|
| 1. UNIX users could access shares on the samba server in the same way
| whether logged on to windows workstation or the samba server itself
| 2. Files created on the shares would be controlled via permissions
| for UNIX users and groups.
| 3. Win users would not need to have UNIX accounts created, but could
| access the samba shares as easily as the UNIX users.
| 4. Home directories and profiles will be pulled from the samba server.
|
| It works well except that winbind does not authenticate the UNIX users
| as expected when they logon from Windows.

I have the same requirement; except samba can't currently do this. See:
    http://lists.samba.org/archive/samba/2004-October/094981.html

I implemented a "trim default domain" option and provided a patch in:
    http://www.dragoninc.on.ca/mail-archives/samba-technical/2004-10/0342.html

(I would suggest the "canonical" mailing list URL
    http://lists.samba.org/archive/samba-technical/2004-October/037813.html
except the mailing list archive software there borked the message.)

The rest of the thread on samba-technical has more details.

Cheers,
Luke.
Re: [Samba] Unable to join AD (FreeBSD)
On Tue, Nov 09, 2004 at 04:46:40PM -0500, Josh Kropf wrote:
| I am trying to get samba 3.0.7 working with our win2k DC. I installed samba
| from the ports collection, so the kerberos library looks to be the heimdal
| version.

Which version of FreeBSD ?
Which version of heimdal ?
Are you 100% certain that samba is compiling & linking against krb5?

| I can use kinit to create a ticket and it authenticates against the DC just
| fine.

Once you do that, can you use
    smbclient -k //someotherCIFSserver/share
to connect? (That can help test Samba's krb5 support)

Actually, have you tried k5init instead of kinit ?

| However when I attempt to use "net ads join" it fails with the
| following response:
|
| [2004/11/09 16:32:30, 0] utils/net_ads.c:ads_startup(183)
| ads_connect: Unknown error: -1765328343

According to http://unix.newark.rutgers.edu/krb5_error.html that is
    -1765328343 KRB5KRB_AP_ERR_MODIFIED Message stream modified

No idea what triggers that.

Cheers,
Luke.
Re: [Samba] winbind name service required for active directory (ADS) authentication and group-based authorization?
On Fri, Oct 29, 2004 at 09:16:02AM -0700, DeStefano, Paul wrote:
| Solution: ADS, perhaps?
|
| I've read lots of documents and they seem to indicate
| that, when using ADS authentication (by which I mean
| security=ADS and the proper realm, etc.) winbind is NOT
| involved in the authentication process. It says smbd
| participates in Kerberos ticketing, like a normal "Domain
| Member", to authorize samba clients. (Details found here:
| http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html)
| I think that means it gets the client user authorization
| directly from ADS; winbind is not involved.
|
| Well, if that's true, then samba has everything it needs to
| authorize clients by group membership, not just authenticate users,
| without consulting winbind. The Kerberos ticket that it receives
| during authentication includes all sorts of information about the
| user...including the user's group memberships. Is that right?
|
| This isn't particular to ADS, I suppose, now that I think about it;
| probably the same as before ADS. But, I couldn't find any examples
| of samba using windows authentication without winbind.
|
| You're probably wondering what is going to happen after
| authentication and authorization without winbind to map users to
| UNIX UIDs. Me too. That's my follow up question. I hope that samba
| can use the unqualified username (without the 'DOMAIN\' prefix)
| to find a match using the normal resolution so that we can just
| populate /etc/passwd. Think that will work? Actually, we intend to
| use "force user =", as in the past, so it really doesn't matter what
| happens with the UID mappings, but samba might not be that clever.
| It may insist on successfully resolving usernames before checking
| options like "force user".

If you have a mapping in the passwd(5) file between the username (without 'DOMAIN\' prefix) and a UID, things should work without needing "winbind" in nsswitch.conf; the user's password is checked against ADS and the passwd(5) entry is used to provide a UID.

If there is not a matching entry in passwd(5) for the ADS user, they will not be able to connect.

Cheers,
Luke.
Re: [Samba] winbind: using idmap only if user doesn't exist in UNIX getpw*(3) ?
On Wed, Oct 27, 2004 at 01:23:43PM -0500, Gerald (Jerry) Carter wrote:
| On Wed, 27 Oct 2004, Luke Mewburn wrote:
| >
| > I have a requirement to use winbind to allocate UID/GIDs for
| > users but only if they aren't in the non-winbind nsswitch sources.
| >
| > I have had no success so far configuring samba 3.0.7 to do this.
|
| Because winbindd is not designed to do this. It's currently an all or
| none thing.

Ok. I'm working on a solution for this in my private tree. I'll feed back the changes if the samba team is interested.
[Samba] winbind: using idmap only if user doesn't exist in UNIX getpw*(3) ?
Greetings all.

I have a requirement to use winbind to allocate UID/GIDs for users but only if they aren't in the non-winbind nsswitch sources.

I.e, given

    smb.conf; samba 3.0.7
        realm = DOMAIN
        workgroup = DOMAIN
        log level = 3 idmap:10 winbind:10
        idmap gid = 5-5
        idmap uid = 5-5

    ADS users:
        DOMAIN\adsuser1    ; only in ADS, not NIS
        DOMAIN\adsuser2    ; only in ADS, not NIS
        DOMAIN\user1
        DOMAIN\user2

    NIS passwd:
        user1:*:10001:2:&:/home/user1:/bin/sh
        user2:*:10002:2:&:/home/user2:/bin/sh

I want name<->uid loops to return "10001" for user1 and a winbind allocated UID for adsuser* (e.g, 5).

I have had no success so far configuring samba 3.0.7 to do this.

What I've tried so far (stopping smbd/nmbd/winbindd and removing winbindd_idmap.tdb between tests)

a)  nsswitch.conf
        passwd: files nis winbind
        group: files nis winbind
    smb.conf
        winbind trusted domains only = no

    nsswitch test results:
        % id user1
        uid=10001(user1) gid=2(group0) groups=2(group0)
        % id adsuser1
        id: adsuser1: No such user
        % id 'DOMAIN\adsuser1'
        uid=5(DOMAIN\adsuser1) gid=50005(DOMAIN\Domain Users) groups=50005(DOMAIN\Domain Users)

    Accessing as DOMAIN\adsuser1 connects as uid=5,gid=50005.
    This is expected; we want winbind to fake a UID/GID.

    Accessing as DOMAIN\user1 connects as uid=50001,gid=50005.
    This is NOT expected.
    As far as I can tell, it's because samba first tries getpwnam("DOMAIN\user1") which isn't found by NIS but winbind(8) fakes up an entry.

b)  nsswitch.conf
        passwd: files nis
        group: files nis
    smb.conf
        winbind trusted domains only = no

    nsswitch test results:
        % id user1
        uid=10001(user1) gid=2(group0) groups=2(group0)
        % id adsuser1
        id: adsuser1: No such user
        % id 'DOMAIN\adsuser1'
        id: DOMAIN\adsuser1: No such user

    Accessing as DOMAIN\user1 connects as uid=10001,gid=2.
    This is expected.

    Accessing as DOMAIN\adsuser1 fails, because there's no corresponding name->UID mapping in NIS.
    This is expected based on the nsswitch.conf configuration, but not what I want.

c)  nsswitch.conf
        passwd: files nis winbind
        group: files nis winbind
    smb.conf
        winbind trusted domains only = yes

    nsswitch test results:
        % id user1
        uid=10001(user1) gid=2(group0) groups=2(group0)
        % id adsuser1
        id: adsuser1: No such user
        % id 'DOMAIN\adsuser1'
        id: DOMAIN\adsuser1: No such user

    Accessing as DOMAIN\user1 connects as uid=10001,gid=2.
    This is expected.

    Accessing as DOMAIN\adsuser1 fails, because there's no corresponding name->UID mapping in NIS, and winbind refuses to fake one up:
        winbindd_getpwnam: My domain -- rejecting getpwnam() for DOMAIN\ADSUSER1
    What can I do to get winbind to fake one up?

At this point, I'm lost for a solution based on existing functionality.

I am considering hacking in another option which changes the behaviour of "winbind trusted domains only" so that winbind will provide a fallback mapping for users in the trusted domain that aren't found by getpwnam(3) (i.e, the other UNIX getpw*() nsswitch sources, such as "files nis".).

Is there any way to achieve what I want, or do I need to hack the functionality into samba?

Thanks,
Luke.
Re: [Samba] Problem Enumerating AD users
On Sat, Oct 23, 2004 at 04:45:41PM +0100, George Trigg wrote:
| However when doing a getent passwd I am only returned the local unix users
| and I get the following error in the syslog.
|
| Oct 23 16:23:40 ecto winbindd[2089]: [2004/10/23 16:23:40, 0]
| sam/idmap_tdb.c:db_allocate_id(106)
| Oct 23 16:23:40 ecto winbindd[2089]: idmap Fatal Error: UID range full!!
| (max: 2)
|
| [...]
| Below is my smb.conf file
| [...]
|
| idmap uid = 1-2
| idmap gid = 2-3

How many users do you have in ADS?

Can you successfully map between SIDs and UIDs for users listed with wbinfo?
(It would be nice if wbinfo could map directly from name<->uid; that's a separate issue).
Re: map_username() inconsistencies [was Re: [Samba] Re: ADS valid users can't map share]
On Wed, Oct 20, 2004 at 09:21:09PM -0500, Gerald (Jerry) Carter wrote:
| I've done some more digging and the username map stuff is a little
| worse than I initially thought.
|
| (a) when 'security = user', the username map is applied before
|     the password is checked.
| (b) when 'security = ads', the username map is applied to
|     fully qualified names (domain\user) after the krb5 ticket
|     is checked. (see the next comment for NTLM).
| (c) when 'security = domain' (or NTLM auth for ADS security),
|     the username map is applied to the login name only. The original
|     domain\user is still authenticated but the UNIX identity
|     is looked up in the username map.
|
| So I guess that the cleanest way to fix this is to apply the username
| map before checking authentication when validating user locally
| and apply it after authentication for domain users (krb5 & ntlm).
|
| How do people feel about this?

We need to fix it and document that security={domain,ads} requires the leading "DOMAIN\" in `username map' and `admin users'; I got bitten by this recently (trying to map "DOMAIN\administrator" to root AKA uid==0).

There's a related issue though. Right now, it's hard to support:
    * ADS for authentication
    * NIS for username<->UID mapping (or another nsswitch.conf source)
    * winbindd for IDmap faked UIDs as a fallback for people not in NIS.
    * nsswitch.conf
        passwd: files nis winbind
because it appears that smbd looks up DOMAIN\user, gets a miss in NIS (via getpwnam(3)) and then winbindd fakes up a UID _before_ smbd gets a chance to try getpwnam(3) on the name with the leading "DOMAIN\" stripped.

Is there a workaround for this configuration?
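A toy model of the lookup chain described in Luke's original post (cases a-c) and in the reply above, added here as an illustration and not Samba's code. It shows why "passwd: files nis winbind" hands DOMAIN\user1 a winbind-allocated UID although user1 is in NIS, and what resolving the stripped name against the non-winbind sources first would change; the NIS map, the ADS user list and the idmap range (50001 upwards) are constructed, and smbd_lookup_trimmed() models the fallback he proposes, not his patch.

```python
# Added example, not Samba's code: model of the nsswitch/winbind lookup order.
# NIS map, ADS user list and idmap range are constructed for the example.
DEFAULT_DOMAIN = "DOMAIN"
NIS_PASSWD = {"user1": 10001, "user2": 10002}          # constructed NIS map
ADS_USERS = {"adsuser1", "adsuser2", "user1", "user2"}  # constructed ADS list


class Winbind:
    """Model of winbindd's "fake up a UID" behaviour: a DOMAIN\\name that
    exists in ADS is allocated the next UID from the idmap range on first
    sight (winbindd_idmap.tdb remembers the allocation in real life)."""

    def __init__(self, first_uid=50001):
        self.next_uid = first_uid
        self.idmap = {}

    def getpwnam(self, name):
        domain, sep, user = name.partition("\\")
        if not sep or domain != DEFAULT_DOMAIN or user not in ADS_USERS:
            return None            # unqualified or unknown name: not ours
        if name not in self.idmap:
            self.idmap[name] = self.next_uid
            self.next_uid += 1
        return self.idmap[name]


def nis_getpwnam(name):
    """Model of the "nis" source: only unqualified names exist in the map."""
    return NIS_PASSWD.get(name)


def getpwnam(name, sources):
    """Model of nsswitch: ask each source in order, first answer wins."""
    for src in sources:
        uid = src(name)
        if uid is not None:
            return uid
    return None


def smbd_lookup(login, sources):
    """Order the thread describes: smbd asks for the qualified name first
    and only strips the domain if that lookup returns nothing. With winbind
    in the chain the qualified lookup never misses, so NIS is never asked
    for the bare name."""
    uid = getpwnam(login, sources)
    if uid is None and "\\" in login:
        uid = getpwnam(login.partition("\\")[2], sources)
    return uid


def smbd_lookup_trimmed(login, unix_sources, winbind):
    """Model of the proposed fallback: resolve the stripped name against the
    non-winbind sources first; only if that misses may winbind fake a UID."""
    domain, sep, user = login.partition("\\")
    if sep and domain == DEFAULT_DOMAIN:
        uid = getpwnam(user, unix_sources)
        if uid is not None:
            return uid
    return getpwnam(login, unix_sources + [winbind.getpwnam])


if __name__ == "__main__":
    chain = [nis_getpwnam, Winbind().getpwnam]   # "passwd: files nis winbind"
    print("DOMAIN\\user1 as today:", smbd_lookup("DOMAIN\\user1", chain))
    print("DOMAIN\\user1 trimmed: ",
          smbd_lookup_trimmed("DOMAIN\\user1", [nis_getpwnam], Winbind()))
```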
Re: [Samba] Winbindd on FreeBSD 4.10 Help
On Thu, Sep 23, 2004 at 08:53:22AM -0400, Elijah Savage wrote:
| When I installed this box I specifically installed it for this task and
| installed linux compatibility during install, the /etc/nsswitch.conf was
| created and everything. I can join my AD domain as NT4 style but not
| with ADS which is strange and it works with NT4 style as long as the
| usernames are local to the samba machine. It was recommended that I run
| the latest heimdal 0.6.1 so I made world last night everything went great
| and I am running the latest 4.10 stable with heimdal 0.6.1 and I get
| these errors when I try to join the AD domain as ADS. But if I use the
| rpc join for nt4 style it joins right up I can see all my shares on the
| samba box and get to them. One good thing out of all this it is on a lab
| LAN so I am glad I got a chance to test it before trying to implement
| it.
|
| ns1# kinit [EMAIL PROTECTED]
| FreeBSD Inc. (luke.digitalrage.org)
| Kerberos Initialization for "[EMAIL PROTECTED]"
| Password:
| kinit: Can't send request (send_to_kdc)

Try k5init instead of kinit, And k5list/k5destroy/...
("mmm, FreeBSD" . . . )

| ns1# net ads join -U Administrator%XX
| [2004/09/23 07:15:57, 0] libads/kerberos.c:ads_kinit_password(136)
| kerberos_kinit_password [EMAIL PROTECTED] failed:
| Unknown error -1765328228
| [2004/09/23 07:15:57, 0] utils/net_ads.c:ads_startup(183)
| ads_connect: Unknown error -1765328228

According to http://www.net.berkeley.edu/kerberos/k5msgs.html error -1765328228 is
    Cannot contact any KDC for requested realm.

I know that on NetBSD 2.0_RC1 (which has Heimdal 0.6.3) with Samba 3.0.7 I can do
    % kinit [EMAIL PROTECTED]
    (enter password; note that kinit on NetBSD is krb5 kinit)
    % net ads join -U Administrator
and the computer account gets created in the ADS.

Also, once this is done I can kinit as a user of the realm and use 'smbclient -k -L //someserver/' and things Just Work.

I'm still working on getting libnss_winbind.so ported to NetBSD-current,
Luke.
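Both this message and the "Unable to join AD (FreeBSD)" reply above translate a raw "Unknown error -17653282xx" from net ads join by hand. The following added example (not from the thread) does the same mechanically: com_err derives a 32-bit table base from the table name ("krb5"), and an error number is that base plus an index into the table, so the index can be recovered and matched against the names defined for it. The index-to-name map is deliberately small and covers only the two codes quoted in the thread plus a few RFC 4120 protocol codes.

```python
# Added example (not from the thread): decode a com_err-style Kerberos error
# number, such as the ones "net ads join" prints, into its error table and
# index. com_err packs the table name into a base: each character becomes a
# 6-bit value, the packed value is shifted left 8 bits, and the result is
# read as a signed 32-bit integer. An error number is then base + index.

KRB5_TABLE = "krb5"

# Index -> name for a handful of "krb5" table entries. Indices 0..127 follow
# the RFC 4120 section 7.5.9 numbering; 156 is the library code the thread
# quotes as "Cannot contact any KDC for requested realm".
KRB5_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",
    41: "KRB5KRB_AP_ERR_MODIFIED",
    156: "KRB5_KDC_UNREACH",
}


def _char_to_num(c):
    """com_err's 6-bit alphabet: A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62, _ -> 63."""
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 1
    if "a" <= c <= "z":
        return ord(c) - ord("a") + 27
    if "0" <= c <= "9":
        return ord(c) - ord("0") + 53
    if c == "_":
        return 63
    raise ValueError("character %r is not valid in an error table name" % c)


def table_base(name):
    """Signed 32-bit base of a com_err error table. Table names are at most
    four characters, so 24 bits of name plus the 8-bit shift fill 32 bits."""
    packed = 0
    for c in name:
        packed = (packed << 6) | _char_to_num(c)
    packed = (packed << 8) & 0xFFFFFFFF
    return packed - (1 << 32) if packed & 0x80000000 else packed


def decode_krb5_error(code):
    """Return (table, index, name-or-None) if code belongs to the krb5 table,
    else (None, None, None). A com_err table holds at most 256 entries."""
    index = code - table_base(KRB5_TABLE)
    if not 0 <= index < 256:
        return (None, None, None)
    return (KRB5_TABLE, index, KRB5_NAMES.get(index))


if __name__ == "__main__":
    for code in (-1765328343, -1765328228):   # the two values from the thread
        print(code, decode_krb5_error(code))
```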
Re: [Samba] Winbindd on FreeBSD 4.10 Help
On Thu, Sep 23, 2004 at 07:45:57AM -0400, Elijah Savage wrote:
| Even with linux compatibility installed it has no nsswitch support? I
| thought if you installed linux compatibility then nsswitch support works.

Oh, right; binaries within the Linux compat hierarchy should probably work if the appropriate Linux libraries are installed there too. At least, that's the theory in NetBSD (and the Linux emulation code in FreeBSD has a common heritage).
Re: [Samba] Winbindd on FreeBSD 4.10 Help
On Wed, Sep 22, 2004 at 03:30:35PM -0400, Elijah Savage wrote:
| Yes I did edit the nsswitch.conf just as you have it which looks just
| like the way it does in the book.

FreeBSD 4.10 doesn't appear to have nsswitch support, at least on the version I have installed under VMware.

FreeBSD 5.x should have nsswitch support. The original import of nsswitch into FreeBSD 5.x (from NetBSD) didn't have support for dynamic nsswitch modules, so you couldn't use winbind. I understand that FreeBSD 5.3 has dynamic nsswitch support, but as I've been unable to install 5.3 under VMware I cannot confirm this.

Cheers,
Luke.