[Samba] Winbind Expand Groups option not fully functional
I am trying to authenticate samba 3.3 running on Centos 5 to Windows 2003 R2 Active Directory. 95% of my setup is working. The only thing that doesn't work is expanded groups. Whenever a group is a member of another group the permissions in samba/nss/winbind are not communicated correctly to the windows client but seem to work on the linux end of things.

Here's my scenario. (All hostnames are internal)

AD Groups and Members -

    testgroup9 members: cjohnson,erodriguez,testuser11,testuser9
    testgroup10 members: testgroup9

Getent group responds correctly populating the testgroup9 members into testgroup10

    testgroup9:x:111265:cjohnson,erodriguez,testuser11,testuser9
    testgroup10:x:111266:cjohnson,erodriguez,testuser11,testuser9

From the shell I can

    su testuser11
    cd /storage/CME/test

No problem. But when I try to access the same directory in windows I get these entries in my logs

/var/log/samba/log.smbd --

    [2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

log.winbindd reports no errors so it seems that the SID/UID mapping seems to be working correctly. I know this because the minute I give access to this share to testgroup9 the windows users can immediately access the folder, i.e.

    setfacl -m g:testgroup9:r-x /storage/CME/test

Testshare on Samba FS - getfacl testshare

    # file: storage/CME/test
    # owner: root
    # group: Domain Users
    user::rwx
    group::rwx
    group:testgroup10:r-x
    mask::rwx
    other::---

I've pored through documentation for weeks including these articles among others:

    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598913
    http://www.samba.org/samba/history/samba-3.3.0.html
    man smb.conf

Here are my final questions.

Has anyone got the winbind expand groups option to function properly with Windows clients?
Am I using the proper idmap settings?
Would setting up an LDAP backend with the editposix option help anything?
Is there something I need to do on the Windows server side? (I have installed Unix Extensions but not sure how to assign UID/GID's)

It seems that everything is working how it's supposed to 'cept I'm probably missing something very simple. Anyone with any kind of help would be appreciated.

SMB.CONF ---

    [global]
        workgroup = CME
        security = ads
        passdb backend = tdbsam:/etc/samba/passdb.tdb
        idmap backend = rid (have tested with tdb also with no luck)
        idmap uid = 11-11
        idmap gid = 11-11
        idmap cache time = 3600
        idmap negative cache time = 300
        winbind cache time = 900
        winbind expand groups = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = true
        template shell = /bin/bash
        template homedir = /home/%D/%U
        machine password timeout = 2592000
        realm = CME.COM
        use kerberos keytab = yes
        password server = prod-srv-8.cme.com
        nt acl support = yes
        map acl inherit = yes
        winbind nss info = rcf2307
        allow trusted domains = no

    [CME]
        path = /storage/CME
        writeable = yes
        inherit acls = yes
        inherit permissions = yes
        security mask = 0770
        force security mode = 0770
        directory security mask = 0770
        force directory security mode = 0770
        force create mode = 0770
        map archive = yes
        store dos attributes = yes

NSSWITCH.CONF --

    passwd: files winbind
    shadow: files winbind
    group: files winbind
    hosts: files wins dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers: files
    netmasks: files
    networks: files
    protocols: files winbind
    rpc: files winbind
    services: files
    netgroup: files winbind
    publickey: nisplus
    automount: files
    aliases: files nisplus winbind

KRB5.CONF --

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = CME.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes

    [realms]
        CME.COM = {
            kdc = prod-srv-8.cme.com:88
            admin_server = prod-srv-8.cme.com:749
            default_domain = cme.com
            kdc = prod-srv-8.cme.com
        }

    [domain_realm]
        .cme.com = CME.COM
        cme.com = CME.COM

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

Joined Domain --

    net ads testjoin
    Join is OK

Time - NTP is setup on both Windows and Linux and time is always in sync.

Samba Server's nameserver is the AD PDC.

Authconfig --test output --

    caching is disabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS =
     hesiod RHS =
    nss_ldap is disabled
     LDAP+TLS is disabled
     LDAP server = ldap://127.0.0.1/;
     LDAP base DN = dc=example,dc=com
    nss_nis is disabled
     NIS server =
     NIS domain =
    nss_nisplus is
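The flattening that `winbind expand groups` controls in the post above, modelled as an added example (not Samba's code and not part of the original message). It assumes depth 0 lists only direct user members and each further level descends one layer of nested groups; `loopA`/`loopB` and the function names are hypothetical.

```python
# Added example: a model of depth-limited nested-group flattening.
# Not Samba code. Assumed semantics: depth 0 lists only direct user members;
# each further level descends one layer of nested groups.

# Constructed directory data mirroring the post: testgroup10 contains only the
# group testgroup9. loopA/loopB are hypothetical groups that contain each
# other, included to exercise cycle handling.
DIRECT_MEMBERS = {
    "testgroup9": ["cjohnson", "erodriguez", "testuser11", "testuser9"],
    "testgroup10": ["testgroup9"],
    "loopA": ["loopB", "alice"],
    "loopB": ["loopA", "bob"],
}
GIDS = {"testgroup9": 111265, "testgroup10": 111266,
        "loopA": 111300, "loopB": 111301}


def flatten(group, max_depth, directory=DIRECT_MEMBERS):
    """Return (users, unexpanded_groups) for `group`.

    users: sorted user members found within `max_depth` levels of nesting.
    unexpanded_groups: nested groups that were discovered but not descended
    into because the depth limit was reached.
    """
    users = set()
    seen = {group}          # groups already queued; prevents infinite loops
    frontier = [group]      # groups to expand at the current level
    for _ in range(max_depth + 1):
        next_frontier = []
        for g in frontier:
            for member in directory.get(g, []):
                if member not in directory:      # a plain user
                    users.add(member)
                elif member not in seen:         # a nested group, first visit
                    seen.add(member)
                    next_frontier.append(member)
        frontier = next_frontier
        if not frontier:
            break
    return sorted(users), sorted(frontier)


def getent_line(group, max_depth):
    """Render the group the way `getent group` would show it at this depth."""
    users, _ = flatten(group, max_depth)
    return f"{group}:x:{GIDS[group]}:{','.join(users)}"


def hidden_members(group, max_depth):
    """Transitive members that are NOT listed at this depth.

    These are the accounts whose access through a group ACL entry depends on
    how deep the expansion goes, so they are the ones to check when Linux-side
    and client-side results disagree.
    """
    full, _ = flatten(group, len(DIRECT_MEMBERS))   # deep enough for any chain
    shown, _ = flatten(group, max_depth)
    return sorted(set(full) - set(shown))


if __name__ == "__main__":
    for depth in (0, 1, 10):
        print(depth, getent_line("testgroup10", depth),
              hidden_members("testgroup10", depth))
    print(flatten("loopA", 10))
```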
[Samba] winbind enum groups/users = no
After a bunch of reading, the most information I can find on turning these off is that they will speed up certain tasks, and this warning: Warning: Turning off group enumeration may cause some programs to behave oddly. Does anyone have any more information on what programs may behave oddly? Is this a server side odd-behaviour, client-side or both? (Using ls on some small directories seems to take a while presumably because it is busy getting the updated user/group information from the PDC, so I was wondering about turning these parameters off.)
[Samba] Winbind and groups
Hello Friendly Samba People,

I have a working samba install that allows my AD users access to files on my linux box. The linux box is configured via Winbind as a domain member and uses Winbind as the local NSS. I can successfully resolve both users and groups from the AD. Users are currently able to access the samba shares without trouble. I am running into trouble when trying to use groups defined in the AD as valid users or ACLs on the linux box.

Smb.conf:

    [global]
        security = ADS
        realm = CORP.CALLGLOBALCOM.COM
        workgroup = CORP
        log file = /var/log/samba/%m
        log level = 2
        #winbind / AD stuff
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind expand groups = 2
        winbind nss info = rfc2307
        winbind nested groups = Yes
        idmap uid range = 1000 - 3000
        idmap gid range = 100 - 3000
        idmap domains = CORP
        idmap config CORP:backend = ad
        idmap config CORP:default = yes
        idmap config CORP:readonly = yes

    [homes]

    [sysadmins]
        path = /tmp
        writeable = yes
        comment = Globalcom Sysadmins share
        valid users = @gc_sysadmins
        create mask = 0775
        directory mask = 0775

    # getent group gc_sysadmins
    gc_sysadmins:*:10001:bvaughan
    # getent passwd bvaughan
    bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash

When trying to access the [sysadmins] share defined as above, samba logging says this:

    user 'CORP\bvaughan' (from session setup) not permitted to access this share (sysadmins)

I see the disconnect, the CORP\bvaughan that samba sees here, vs the bvaughan seen in the group entry. Is there a way to make these two come together so the valid users= line works?

I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.

Any help would be appreciated.

Ben

Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116
RE: [Samba] Winbind and groups
And the correct answer is...

Using a valid users line that looks like this:

    Valid users = +DOMAIN\group

Many thanks to irda on the #samba IRC channel.

Ben

Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116
RE: [Samba] Winbind and groups
You are welcome :-)

On Tue, 2007-12-11 at 11:51 -0600, Ben Vaughan wrote:
> And the correct answer is...
> Using a valid users line that looks like this:
> Valid users = +DOMAIN\group
> Many thanks to irda on the #samba IRC channel.

--
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]
[Samba] Winbind: limiting groups that can log-in
Hi,

I am currently trying to configure AD (Windows 2003) + Linux (CentOS 4.4) to allow user logins for certain users, namely, developers. The winbind authentication part of it is working correctly, but every user in AD can login to the servers via ssh.

I have tried to limit users by adding

    valid_users = @domain+developers

(+ is the separator) on /etc/samba/smb.conf, but this does not seem to work for authentication.

As a workaround, I can limit access to groups by adding

    account required pam_listfile.so file=/etc/samba/allowed_groups item=group sense=allow onerr=fail

to pam.d/sshd (/etc/samba/allowed_groups contains developers), but it does not seem to get the group from AD, so no remote users can login.

Is there any way to map windows groups to unix groups without installing SFU? I only want to map one group, so getting the data directly from AD shouldn't be a problem.

Thanks

Gabriel
Re: [Samba] Winbind nested groups not working
On Jan 18, 2007, at 6:54 AM, Gerald (Jerry) Carter wrote:
> The nest group functionality is for a local BUILTIN\Administrators
> or MACHINE\localgrp type of group. The patch in question I was
> referring to was to expand local group membership in getgrnam().
> These are different things. Not sure which one you are looking for
> if either.

Hrm, then I'm not quite sure either. Here's the goal -- Samba is acting as a member file server in an AD domain. In addition to the domain containing Samba, there are two other domains in the AD forest. All three domains have full trust between them. Each domain has a Global Security Group called ACAD_ENGR. Samba sees them as DOM1+ACAD_ENGR, DOM2+ACAD_ENGR, and DOM3+ACAD_ENGR.

I'd like members from all three groups to have write access to a particular directory. This needs to be done with filesystem permissions, not share permissions, because underneath each directory there are further subdirectories that have varying access rights matched to other groups in the three domains.

Thoughts? Is this possible with Samba? Under Windows there would be two ways to achieve it:

1) Assign all three ACAD_ENGR groups rights to each folder. In theory, this could be achieved in Linux by using ACLs. But it is not an easily manageable solution - should we add a fourth domain, we would have to go back and add it to every folder.

2) In the domain where the files are actually hosted, create a Domain Local group and then add the ACAD_ENGR groups from each domain to it. Then assign rights on the filesystem to the single Domain Local group. This is considered the best practice - down the road, adding or removing access is as simple as a group membership change.

Number 2 is what I'm trying to do, but Samba doesn't seem to allow it. I cannot see the Domain Local group through wbinfo -g. I *can* explicitly pull its ID with getent group DOM1+localgroup, but it shows as having no members. Since getent sees it, I can assign it as group owner of a directory, but Samba will not let any of the members have access.

Am I just doing something wrong?

--
Joshua Penix
http://www.binarytribe.com
Binary Tribe
Linux Integration Services
Network Consulting
[Samba] Winbind nested groups not working
Is the winbind nested groups functionality not currently working in Samba 3.0.23d? The readme files seem to indicate it should be (since 3.0.3), but then this message by Jerry to the list...

http://groups.google.com/group/linux.samba/msg/5ecc575f70af3c8c

...seems to indicate that there's some patch waiting for 3.0.24. Unfortunately he's not specific as to what it solves.

I've actually tried it with the 3.0.10 that comes with RHEL4, 3.0.23d straight from Samba.org, and 3.0.22 from Ubuntu on three different servers. I have no trouble getting winbind talking to AD on any of them, but all of them absolutely refuse to resolve membership of anything nested in a local group.

My smb.conf is as follows:

    [global]
        workgroup = DOM1
        realm = DOM1.DOMAIN.COM
        security = ADS
        password server = 192.168.1.37 192.168.1.33
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        ldap ssl = no
        idmap uid = 1-2
        idmap gid = 1-2
        winbind separator = +
        winbind nested groups = yes
        winbind enum groups = yes
        winbind enum users = yes
        winbind use default domain = no
        allow trusted domains = yes

The goal is to create a local group on DOM1 that contains a global group of users from DOM1 as well as a global group from trusted domain DOM2. I'd like to assign rights to the local group, and therefore allow anyone in either of the global groups access.

Am I just missing something?

--
Joshua Penix
http://www.binarytribe.com
Binary Tribe
Linux Integration Services
Network Consulting
Re: [Samba] winbind + nested groups in ssh = permission denied
> so that anyone that is a member of one of the 4 groups should be able
> to create new files in the /data/workpapers directory. Getent group
> shows members of all groups, except the workpaper admins group

You'll find that getent group doesn't list users within nested groups, but Samba should pick up nested groups and obey them with regard to filesystem permissions.

> Now the strange thing is, some members of the 4 groups can create new
> files in that folder, and some get permission denied. I can't find a
> pattern.

When did you add the users to these groups? I have to completely shut down Samba and restart before any group changes are recognised, so if you added some users to this group after you started Samba that could explain why.

Also make sure getent group works for all of the subgroups. I assume you have winbind nested groups = yes in smb.conf?

Cheers,
Adam.
Re: [Samba] Winbind and groups
Do you have a valid users line? It may override write list. I'd recommend:

    valid users = bob, @GILMAN+techs
    read only = yes
    write list = @GILMAN+techs

(There is also a param: read list or some such)

-Tom

Mark Carrara wrote:
| Yes getent group shows all of my Windows groups and users. Also wbinfo
| -g shows all of the Windows groups
|
| Mark
[Samba] Winbind and groups
I am using Samba ver 2.2.8 as a domain member server. I am using Winbind for user authorization. I have my home shares working as they should but I am having trouble with a Share that should be read only for most users and read write for members of the techs group (a NT group).

In my smb.conf file I tried both:

    Write List = @GILMAN+techs

(GILMAN is the domain, + is the winbind separator) and

    Write List = @techs

Neither worked. What am I doing incorrectly?

Note, when I do a smbstatus the group is reported as GILMAN+techs

Mark

Mark Carrara
Technology Coordinator
School District of Gilman
Gilman, WI
Re: [Samba] Winbind and groups
Does the command getent group work?

You should see the group as a unix group with members.

-Tom
[Samba] Winbind and groups
Hi all,

I'm trying to get a samba server which is all by itself, No Windows DCs, or even windows shares at all, to play nice with Linux clients. The server is authenticating Win9x, NT and 2000 clients fine and dandy, and now I have need to add linux clients to the scenario, and have discovered an issue I can't seem to work through. Perhaps someone can help?

On the linux client, I can login as a user that exists only on the samba server (TEST+testuser), except I get the following message:

    id: cannot find name for group id 1

When I do wbinfo -t I get back:

    Secret is good.

When I do wbinfo -u I get back:

    TEST+testuser

When I do wbinfo -g I get back:

    TEST+Domain Admins
    TEST+Domain Users

When I do getent passwd I get:

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    . . cut for brevity . .
    bub:x:500:500:Bub Slug:/home/bub:/bin/bash
    TEST+testuser:x:1:1::/home/testuser:/bin/bash

So far so good, until I do getent group, which returns:

    root:x:0:root
    bin:x:1:bin
    . . cut for brevity again . .
    bub:x:500:bub

So my net groups Domain Admins and Domain Users don't show up when I getent group, and there is no other network group that winbind can map to gid 1 when TEST+testuser logs in to the Linux client, and I suspect this is why I get the ID message on login (?)

Once again, I am not using any Windows 9x, NT, 2000 servers, the Linux Samba server is the only PDC (and the only DC). Can anyone offer some help aside from the stuff that's around on the net. It all seems to deal with using Samba in a Domain with an actual windows DC, not as a standalone server being a DC.

I wonder why my client linux box can't see the domain groups on login, and while I'm on the subject, where do Domain Admins and Domain Users come from in the first place, and how do I add, delete or modify domain groups or how do I make groups on the Linux Samba server display to linux clients?

Both server and Client use RedHat 7.3 (Stock Kernel). Samba wasn't installed with the redhat setup, instead I downloaded the tarball for 2.2.5.

I compiled the server software in the source directory with:

    ./configure
    make
    make install

The server is set up as a PDC with an smb.conf file that looks like:

    [global]
        workgroup = TEST
        netbios name = LINUXSRV
        interfaces = 127.0.0.1 192.168.240.20
        encrypt passwords = Yes
        domain logons = Yes
        os level = 64
        preferred master = True
        domain master = True
        wins support = Yes

    [homes]
        path = /home/%U
        read only = No
        browseable = No

    [netlogon]
        path = /usr/local/samba/netlogon
        browseable = No

I've configured the linux client and added it to the domain by:

Setting its host name to linuxclient,

Compiling the samba software from source (2.2.5) in the source directory with:

    ./configure --with-winbind
    make
    make install
    make nsswitch

Copied libnss_winbind.so to /lib

Created a link:

    ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Copied pam_winbind.so to /lib/security

Created an smb.conf file for winbind that looks like

    [global]
        workgroup = TEST
        winbind separator = +
        winbind uid = 1-2
        winbind gid = 1-2
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = yes
        wins server = 192.168.240.20

Created an init script to fire up winbind

Edited /etc/nsswitch.conf to change the lines:

    passwd: files winbind
    shadow: files
    group: files windbind

Added these lines to /etc/pam.d/login:

    auth sufficient /lib/security/pam_winbind.so
    account sufficient /lib/security/pam_winbind.so
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=022

Did a:

    /sbin/ldconfig -v | grep winbind

which returned:

    libnss_winbind.so - libnss_winbind.so

I started up the winbindd daemon on the client.

Then on the server, I did:

    useradd linuxclient$
    passwd -l linuxclient$
    smbpasswd -a -m linuxclient
    useradd testuser
    passwd -l testuser
    smbpasswd -a testuser

On the linux client I did:

    smbpasswd -j TEST -r 192.168.240.20

Which reported I joined the domain successfully.

Doing all this gets me the behaviour described above. Any help will be appreciated!

Bub

This tagline is umop ap!5dn
Re: [Samba] Winbind and groups
Hi! Actually I had a similar situation and was using winbind, which showed up to be unreliable and _very_ moody. Recently, I've decided to give up winbind and move to NIS and I'm really happy with it - no problems with groups, delicate wb's tdb files and other stuff. For further info read NIS-HOWTO which can be found at (eg.) http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/NIS-HOWTO.html cheers :) konik