Re: [Samba] Does anybody use idmap_adex?
Hi Nico, Yes shell, home, geco are all stored in AD and can be retrieved by idmap_ad. I have looked that up in the header files and it works for me. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. - Originalnachricht - Von: Nico De Ranter An: Mucke, Tobias, FCI4 Cc: sa...@samba.org Gesendet: Thu Jul 29 09:50:57 2010 Betreff: Re: [Samba] Does anybody use idmap_adex? Hi Tobias, do you store your users' homedirectory and shell in AD? I tought idmap_ad couldn't do that? (will have another look) Nico On Wed, 2010-07-28 at 23:39 +0200, Mucke, Tobias, FCI4 wrote: > Hi, > > Actually I am using the Backend Idmap_AD. I thought Idmap_adex is still under > heavy development. > > Tobias > > > Mit freundlichen Grüßen > > Tobias Mucke > -- With kind regards Nico De Ranter Senior System Administrator Techsoft Centre Technology and Software Centre Europe The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium Phone:+32 (0)2 700 8641 Fax: +32 (0)2 700 8622 E-mail:nico.deran...@eu.sony.com A division of Sony Europe (Belgium) N.V. VAT BE 0413.825.160 - RPR Brussels Fortis - BIC GEBABEBB - IBAN BE41293037680010 The information contained in this message or any of its attachments may be confidential and is intended for the exclusive use of the addressee(s). Any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited without the express permission of the sender. The views expressed in this email are those of the individual and not necessarily those of Sony or Sony affiliated companies. Sony email is for business use only. This email and any response may be monitored by Sony to be in compliance with Sony's global policies and standards -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Does anybody use idmap_adex?
Hi, Actually I am using the Backend Idmap_AD. I thought Idmap_adex is still under heavy development. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. - Originalnachricht - Von: samba-boun...@lists.samba.org An: Nico De Ranter Cc: simo ; sa...@samba.org ; samba-techni...@samba.org Gesendet: Wed Jul 28 17:48:37 2010 Betreff: Re: [Samba] Does anybody use idmap_adex? Hi Nico, Nico De Ranter wrote: > > Actually I was just about to start using it. Guess I shouldn't? > > I'm looking for a solution to integrate an existing linux environment > into a Windows AD environment. I already added all rc2307 info on the > AD server. Now I need a way for the linux systems to fetch the > username, uid, gif, shell and homedir from AD. Using LDAP directly is > not an option as I can't do anonymous binds so that would require a > hardcoded AD user and password on all systems (correct me if I'm wrong) > According to the man pages it looks like idmap_adex will do exactly what > I want. However I haven't been able to get it to work. > > Will idmap_adex disappear (if so, I won't invest anymore time in it)? > Is there another way I can do this? The older "ad" idmap and nss backend is there. (man idmap_ad) This is also maintained. I guess this would also suit your needs. Cheers - Michael > Nico > > > On Mon, 2010-06-28 at 20:31 +0200, Volker Lendecke wrote: > > On Mon, Jun 28, 2010 at 11:00:49AM -0500, Gerald Carter wrote: > > > Correct. I just reused a lot of the Likewise code here. > > > My intent was originally to minimize change between the > > > version that we shipped in Likewise Identity 4.x and what > > > was in Samba and to leverage the Likewise QA team on both > > > fronts. > > > > Ok, the question still remains: > > > > Anybody actually using the module? > > > > How many people do we offend if we remove it? > > > > Volker > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > With kind regards > > Nico De Ranter > Senior System Administrator > Techsoft Centre > > Technology and Software Centre Europe > The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium > > Phone:+32 (0)2 700 8641 > Fax: +32 (0)2 700 8622 > E-mail:nico.deran...@eu.sony.com > > A division of Sony Europe (Belgium) N.V. > VAT BE 0413.825.160 - RPR Brussels > Fortis - BIC GEBABEBB - IBAN BE41293037680010 > > > > > The information contained in this message or any of its attachments may be > confidential and is intended for the exclusive use of the addressee(s). Any > disclosure, reproduction, distribution or other dissemination or use of this > communication is strictly prohibited without the express permission of the > sender. The views expressed in this email are those of the individual and > not necessarily those of Sony or Sony affiliated companies. Sony email is > for business use only. > > This email and any response may be monitored by Sony to be in compliance with > Sony's global policies and standards > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi, I found a working Winbind version which is 3.4.7 coming with SLES-11 SP1. I managed to configure Winbind with backend AD to authenticate and authorize users based on Winbind and SFU3.5. Thanks for this Opensoure product. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. Von: Mucke, Tobias, FCI4 An: 'samba@lists.samba.org' Gesendet: Mon Jul 19 18:09:24 2010 Betreff: AW: Re: [Samba] Samba + Winbind + Windows 2003 AD Hi Michael, which version of Samba do you have? Are you able to post your Samba configuration? Thank you. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. Von: Michael Lyon An: Mucke, Tobias, FCI4; samba@lists.samba.org Gesendet: Mon Jul 19 14:22:37 2010 Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC console. I'm using Samba/WInbind and use samba shares as user home directories that are mounted at login-time on Windows 7 machines. This is a first attempt as we migrated to Windows 2k8r2 in order to have better support for Win7 clients, as we had too many issues with Samba as our PDC. Mike On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 wrote: Hi, I'am afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5. Besides AD "versions" there is another large difference between the production and the lab. In production the domain structure is far more complex ... Actually I am deploying a lab more close to the actual production environment. Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody? Thank you. Tobias LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Necos Secon Gesendet: Montag, 19. Juli 2010 01:50 An: samba@lists.samba.org Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that informat
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Michael, which version of Samba do you have? Are you able to post your Samba configuration? Thank you. Tobias Mit freundlichen Grüßen Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 Message sent from handheld via BlackBerry Server. Von: Michael Lyon An: Mucke, Tobias, FCI4; samba@lists.samba.org Gesendet: Mon Jul 19 14:22:37 2010 Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I'm in a 2k8 r2 domain with SFU and home shells managed through the ADUC console. I'm using Samba/WInbind and use samba shares as user home directories that are mounted at login-time on Windows 7 machines. This is a first attempt as we migrated to Windows 2k8r2 in order to have better support for Win7 clients, as we had too many issues with Samba as our PDC. Mike On Mon, Jul 19, 2010 at 3:08 AM, Mucke, Tobias, FCI4 wrote: Hi, I'am afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5. Besides AD "versions" there is another large difference between the production and the lab. In production the domain structure is far more complex ... Actually I am deploying a lab more close to the actual production environment. Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody? Thank you. Tobias LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Necos Secon Gesendet: Montag, 19. Juli 2010 01:50 An: samba@lists.samba.org Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that information in the first place, but I > though that it was so basic that it wasn't necessary. > > My nsswitch.conf: > # cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > services: db files > ethers: db files > protocols: db files > rpc:db files &
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi, I'am afraid this is a general issue with Winbind. I am experiencing the same problems and my logs look quite similar to Henrik's logs. I am using Samba 3.5.4 and tried to resolve this issue without luck. In fact I have a working lab environment with Winbind 3.5.4, AD based on Windows Server 2008 R2 with IDMU. I set idmap backend = ad and winbind nss info = rfc2307. Unfortunately I was not able to port this setup back to the actual production environment with Winbind 3.5.4 and AD based on Windows Server 2003 with SFU 3.5. Besides AD "versions" there is another large difference between the production and the lab. In production the domain structure is far more complex ... Actually I am deploying a lab more close to the actual production environment. Another important thing to me would be a configuration example of somebody out there using Winbind in an actual version 3.5.x with backend ad and SFU for Shell and Home Directories. Anybody? Thank you. Tobias LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Ursprüngliche Nachricht- Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im Auftrag von Necos Secon Gesendet: Montag, 19. Juli 2010 01:50 An: samba@lists.samba.org Betreff: Re: [Samba] Samba + Winbind + Windows 2003 AD I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like: krb5.conf smb.conf There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know. > Date: Mon, 19 Jul 2010 01:12:41 +0200 > From: h...@semark.dk > To: esiot...@gmail.com > CC: samba@lists.samba.org > Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD > > Hi Micheal > > Sorry for not sending that information in the first place, but I > though that it was so basic that it wasn't necessary. > > My nsswitch.conf: > # cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > services: db files > ethers: db files > protocols: db files > rpc:db files > > netgroup: nis > > I will mean that it is the way to do this (and it works just fine on > the UNIX servers that run there own Domain Controller) > > Med Venlig Hilsen / Best Regards > Henrik Dige Semark > > Den 18-07-2010 17:03, Michael Wood skrev: > > On 18 July 2010 01:34, Henrik Dige Semark wrote: > > > >> Hey out there. > >> > >> I have to join my UNIX server with an existing Win2k3 AD network. > >> > >> My system info: > >> Debian Lenny > >> Samba - 3.4.8 > >> Winbind - 3.4.8 > >> > >> Windows Server 2003 with 2000-style-AD > >> > >> My problem is that, I have en UNIX server that have to run auth up > >> against our existing windows 2003 AD. > >> > >> I have successfully joined my UNIX server to the AD, without problems. > >> # net ads join -U Administrator > >> Enter Administrator's password: > >> Using short domain name -- TEST > >> Joined 'MAIL' to realm 'TEST.LOCAL' > >> > >> My Samba config: http://pastebin.com/ZqaA0Ypn > >> > >> After the join I'm able to lookup peoples with # wbinfo -u > >> > > [...] > > > >> # wbinfo -g > >> > > [...] > > > >> Now the problem, getent only returns the local users and not the > >> users from the AD The funny thing is that if a user is local on the > >> UNIX and in the AD, I can login with the password from both local > >> and AD, so I know that it can lookup people and passwords > >> > >> # getent passwd hs ; echo $? > >> 2 > >> > >> When I debug on getent it returns 2, witch means that it can't find > >> the user. > >> > > Do you have winbind specified in your nsswitch.conf file as mentioned here: > > > > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.h > > tml#id2654732 > > > > _ The New Busy is not the old busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3 -- To
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Henrik, I am also fighting with Winbind for a few days now experiencing some weird behaviour. Regarding your explanation I assume you have SFU running in your AD Domain. Do you really have a RFC2307 complaint schema in AD or do you still stick to SFU schema? For debugging the winbind it was helpful to me to start it in a shell as a foreground process with debugging on, e. g. /usr/sbin/winbindd -SFi -d3 Now you should be able to see the different Winbind behaviour regarding the login and getent. Good luck. Tobias Mucke LFK-Lenkflugkörpersysteme GmbH Serverpool, FCI4 Landshuter Straße 26, 85716 Unterschleißheim, GERMANY Phone: +49 89 3179 8438 Fax: +49 89 3179 8927 Mobile: +49 170 635 3830 E-Mail: tobias.mu...@mbda-systems.de http://www.mbda.net Chairman of the Supervisory Board: Antoine Bouvier Managing Director: Werner Kaltenegger Registered Office: Schrobenhausen Commercial Register: Amtsgericht Ingolstadt, HRB 4365 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Henrik Dige Semark Sent: Sunday, July 18, 2010 1:35 AM To: samba@lists.samba.org Subject: [Samba] Samba + Winbind + Windows 2003 AD Hey out there. I have to join my UNIX server with an existing Win2k3 AD network. My system info: Debian Lenny Samba - 3.4.8 Winbind - 3.4.8 Windows Server 2003 with 2000-style-AD My problem is that, I have en UNIX server that have to run auth up against our existing windows 2003 AD. I have successfully joined my UNIX server to the AD, without problems. # net ads join -U Administrator Enter Administrator's password: Using short domain name -- TEST Joined 'MAIL' to realm 'TEST.LOCAL' My Samba config: http://pastebin.com/ZqaA0Ypn After the join I'm able to lookup peoples with # wbinfo -u [...] XX hds XXX [...] # wbinfo -g [...] bg XX bg hds bg XXX [...] Now the problem, getent only returns the local users and not the users from the AD The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can lookup people and passwords # getent passwd hs ; echo $? 2 When I debug on getent it returns 2, witch means that it can't find the user. I know there can be a problem with this if the resolv-names is not working # ping addc.UNDERVISNING.LOCAL PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data. 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms 64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms # ping mail.UNDERVISNING.LOCAL PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data. 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms 64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms Is there anyone that can see where I have done something rung in my samba-config.? -- Med Venlig Hilsen / Best Regards Henrik Dige Semark -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba