[Samba] Winbind Expand Groups option not fully functional

2010-01-04 Thread Charles Johnson
I am trying to authenticate samba 3.3 running on Centos 5 to Windows 2003 R2 
Active Directory. 

95% of my setup is working. 

The only thing that doesn't work are expanded groups. 
Whenever a group is a member of another group the permissions in 
samba/nss/winbind are not communicated 
correctly to the windows client but seem to work on the linux end of things. 

Here's my scenario. (All hostnames are internal) 

AD Groups and Members 
- 
testgroup9 members: cjohnson,erodriguez,testuser11,testuser9 
testgroup10 members: testgroup9 

Getent group responds correctly populating the testgroup9 members into 
testgroup10 

testgroup9:x:111265:cjohnson,erodriguez,testuser11,testuser9 
testgroup10:x:111266:cjohnson,erodriguez,testuser11,testuser9 

From the shell I can 

su testuser11 
cd /storage/CME/test 

No problem. But when I try to access the same directory in windows I get these 
entries in my logs 

/var/log/samba/log.smbd 
-- 
[2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350) 
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! 

log.winbindd reports no errors so it seems that the SID/UID mapping seems to be 
working correctly. 
I know this because the minute I give access to this share to testgroup9 the 
windows users can immediately access the folder. i.e. setfacl -m 
g:testgroup9:r-x /storage/CME/test 


Testshare on Samba FS 
- 
getfacl testshare 

# file: storage/CME/test 
# owner: root 
# group: Domain Users 
user::rwx 
group::rwx 
group:testgroup10:r-x 
mask::rwx 
other::--- 

I've pored through documentation for weeks including these articles among 
others: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598913
 
http://www.samba.org/samba/history/samba-3.3.0.html 
man smb.conf 

Here are my final questions. 

Has anyone got the winbind expand groups option to function properly with 
Windows clients? 
Am I using the proper idmap settings? 
Would setting up an LDAP backend with the editposix option help anything? 
Is there something I need to do on the Windows server side? (I have installed 
Unix Extensions but not sure how to assign UID/GID's) 

It seems that everything is working how it's supposed to 'cept I'm probably 
missing something very simple. Anyone with any kind of help would be 
appreciated. 

SMB.CONF 
--- 
[global] 
workgroup = CME 
security = ads 
passdb backend = tdbsam:/etc/samba/passdb.tdb 
idmap backend = rid (have tested with tdb also with no luck) 
idmap uid = 11-11 
idmap gid = 11-11 
idmap cache time = 3600 
idmap negative cache time = 300 
winbind cache time = 900 
winbind expand groups = 10 
winbind enum users = Yes 
winbind enum groups = Yes 
winbind use default domain = true 
template shell = /bin/bash 
template homedir = /home/%D/%U 
machine password timeout = 2592000 
realm = CME.COM 
use kerberos keytab = yes 
password server = prod-srv-8.cme.com 
nt acl support = yes 
map acl inherit = yes 
winbind nss info = rcf2307 
allow trusted domains = no 

[CME] 
path = /storage/CME 
writeable = yes 
inherit acls = yes 
inherit permissions = yes 
security mask = 0770 
force security mode = 0770 
directory security mask = 0770 
force directory security mode = 0770 
force create mode = 0770 
map archive = yes 
store dos attributes = yes 



NSSWITCH.CONF 
-- 
passwd: files winbind 
shadow: files winbind 
group: files winbind 
hosts: files wins dns 
bootparams: nisplus [NOTFOUND=return] files 
ethers: files 
netmasks: files 
networks: files 
protocols: files winbind 
rpc: files winbind 
services: files 
netgroup: files winbind 
publickey: nisplus 
automount: files 
aliases: files nisplus winbind 


KRB5.CONF 
-- 
[logging] 
default = FILE:/var/log/krb5libs.log 
kdc = FILE:/var/log/krb5kdc.log 
admin_server = FILE:/var/log/kadmind.log 

[libdefaults] 
default_realm = CME.COM 
dns_lookup_realm = true 
dns_lookup_kdc = true 
ticket_lifetime = 24h 
forwardable = yes 

[realms] 
CME.COM = { 
kdc = prod-srv-8.cme.com:88 
admin_server = prod-srv-8.cme.com:749 
default_domain = cme.com 
kdc = prod-srv-8.cme.com 
} 

[domain_realm] 
.cme.com = CME.COM 
cme.com = CME.COM 

[appdefaults] 
pam = { 
debug = false 
ticket_lifetime = 36000 
renew_lifetime = 36000 
forwardable = true 
krb4_convert = false 
} 


Joined Domain 
-- 
net ads testjoin 
Join is OK 


Time 
- 
NTP is setup on both Windows and Linux and time is always in sync. 


Samba Server's nameserver is the AD PDC. 

Authconfig --test output 
-- 
caching is disabled 
nss_files is always enabled 
nss_compat is disabled 
nss_db is disabled 
nss_hesiod is disabled 
hesiod LHS =  
hesiod RHS =  
nss_ldap is disabled 
LDAP+TLS is disabled 
LDAP server = ldap://127.0.0.1/; 
LDAP base DN = dc=example,dc=com 
nss_nis is disabled 
NIS server =  
NIS domain =  
nss_nisplus is 

[Samba] winbind enum groups/users = no

2009-08-26 Thread Andrew Masterson
After a bunch of reading, the most information I can find on turning
these off is that they will speed up certain tasks, and this warning:

Warning: Turning off group enumeration may cause some programs to
behave oddly.

Does anyone have any more information on what programs may behave
oddly?  Is this a server side odd-behaviour, client-side or both?

(Using ls on some small directories seems to take a while presumably
because it is busy getting the updated user/group information from the
PDC, so I was wondering about turning these parameters off.)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind and groups

2007-12-11 Thread Ben Vaughan
Hello Friendly Samba People,

I have a working samba install that allows my AD users access to files on my 
linux box.  The linux box is configured via Winbind as a domain member and uses 
Winbind as the local NSS.  I can successfully resolve both users and groups 
from the AD.  Users are currently able to access the samba shares without 
trouble.

I am running into trouble when trying to use groups defined in the AD as valid 
users or ACLs on the linux box.

Smb.conf:
[global]
  security = ADS
  realm = CORP.CALLGLOBALCOM.COM
  workgroup = CORP
  log file = /var/log/samba/%m
  log level = 2

  #winbind / AD stuff
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  winbind expand groups = 2
  winbind nss info = rfc2307
  winbind nested groups = Yes
  idmap uid range = 1000 - 3000
  idmap gid range = 100 - 3000
  idmap domains = CORP
  idmap config CORP:backend = ad
  idmap config CORP:default = yes
  idmap config CORP:readonly = yes

[homes]

[sysadmins]
   path = /tmp
   writeable = yes
   comment = Globalcom Sysadmins share
   valid users = @gc_sysadmins
   create mask = 0775
   directory mask = 0775

# getent group gc_sysadmins
gc_sysadmins:*:10001:bvaughan

# getent passwd bvaughan
bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash

When trying to access the [sysadmins] share defined as above, samba logging 
says this:

user 'CORP\bvaughan' (from session setup) not permitted to access this share 
(sysadmins)


I see the disconnect, the CORP\bvaughan that samba sees here, vs the 
bvaughan seen in the group entry.  Is there a way to make these two come 
together so the valid users= line works?

I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat.

Any help would be appreciated.

Ben



Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116



RE: [Samba] Winbind and groups

2007-12-11 Thread Ben Vaughan
And the correct answer is...

Using a valid users line that looks like this:

 Valid users = +DOMAIN\group

Many thanks to irda on the #samba IRC channel.

Ben


Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116




RE: [Samba] Winbind and groups

2007-12-11 Thread simo
You are welcome :-)

On Tue, 2007-12-11 at 11:51 -0600, Ben Vaughan wrote:
> And the correct answer is...
>
> Using a valid users line that looks like this:
>
>  Valid users = +DOMAIN\group
>
> Many thanks to irda on the #samba IRC channel.
>
> Ben
 
 
-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



[Samba] Winbind: limiting groups that can log-in

2007-04-26 Thread Gabriel Tabares-Barreiro
Hi,

I am currently trying to configure AD (Windows 2003) + Linux (CentOS
4.4) to allow user logins for certain users, namely, developers.

The winbind authentication part of it is working correctly, but every
user in AD can login to the servers via ssh.

I have tried to limit users by adding 

valid_users = @domain+developers (+ is the separator) 

on /etc/samba/smb.conf, but this does not seem to work for
authentication.

As a workaround, I can limit access to groups by adding 

account required pam_listfile.so file=/etc/samba/allowed_groups
item=group sense=allow onerr=fail

to pam.d/sshd (/etc/samba/allowed_groups contains developers), but it
does not seem to get the group from AD, so no remote users can login.

Is there any way to map windows groups to unix groups without
installing SFU? I only want to map one group, so getting the data
directly from AD shouldn't be a problem.

Thanks

Gabriel




Re: [Samba] Winbind nested groups not working

2007-01-18 Thread Joshua Penix

On Jan 18, 2007, at 6:54 AM, Gerald (Jerry) Carter wrote:


> The nest group functionality is for a local BUILTIN\Administrators
> or MACHINE\localgrp type of group.  The patch in question I was
> referring to was to expand local group membership in getgrnam().
> These are different things.  Not sure which one you are looking for
> if either.


Hrm, then I'm not quite sure either.  Here's the goal --

Samba is acting as a member file server in an AD domain.  In addition  
to the domain containing Samba, there are two other domains in the AD  
forest.  All three domains have full trust between them.  Each domain  
has a Global Security Group called ACAD_ENGR.  Samba sees them as
DOM1+ACAD_ENGR, DOM2+ACAD_ENGR, and DOM3+ACAD_ENGR.  I'd like members  
from all three groups to have write access to a particular  
directory.  This needs to be done with filesystem permissions, not  
share permissions, because underneath each directory there are  
further subdirectories that have varying access rights matched to  
other groups in the three domains.


Thoughts?  Is this possible with Samba?

Under Windows there would be two ways to achieve it:

1) Assign all three ACAD_ENGR groups rights to each folder.  In  
theory, this could be achieved in Linux by using ACLs.  But it is not  
an easily manageable solution - should we add a fourth domain, we  
would have to go back and add it to every folder.


2) In the domain where the files are actually hosted, create a Domain  
Local group and then add the ACAD_ENGR groups from each domain to  
it.  Then assign rights on the filesystem to the single Domain Local  
group.  This is considered the best practice - down the road,  
adding or removing access is as simple as a group membership change.


Number 2 is what I'm trying to do, but Samba doesn't seem to allow  
it.  I cannot see the Domain Local group through wbinfo -g.  I  
*can* explicitly pull its ID with getent group DOM1+localgroup, but  
it shows as having no members.  Since getent sees it, I can assign it  
as group owner of a directory, but Samba will not let any of the  
members have access.


Am I just doing something wrong?

--
Joshua Penix                http://www.binarytribe.com
Binary Tribe   Linux Integration Services  Network Consulting




[Samba] Winbind nested groups not working

2007-01-15 Thread Joshua Penix
Is the winbind nested groups functionality not currently working in  
Samba 3.0.23d?  The readme files seem to indicate it should be (since  
3.0.3), but then this message by Jerry to the list...


http://groups.google.com/group/linux.samba/msg/5ecc575f70af3c8c

...seems to indicate that there's some patch waiting for 3.0.24.   
Unfortunately he's not specific as to what it solves.


I've actually tried it with the 3.0.10 that comes with RHEL4, 3.0.23d  
straight from Samba.org, and 3.0.22 from Ubuntu on three different  
servers.  I have no trouble getting winbind talking to AD on any of  
them, but all of them absolutely refuse to resolve membership of  
anything nested in a local group.


My smb.conf is as follows:

[global]
workgroup = DOM1
realm = DOM1.DOMAIN.COM
security = ADS
password server = 192.168.1.37 192.168.1.33
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = no
allow trusted domains = yes

The goal is to create a local group on DOM1 that contains a global  
group of users from DOM1 as well as a global group from trusted  
domain DOM2.  I'd like to assign rights to the local group, and  
therefore allow anyone in either of the global groups access.


Am I just missing something?

--
Joshua Penix                http://www.binarytribe.com
Binary Tribe   Linux Integration Services  Network Consulting




Re: [Samba] winbind + nested groups in ssh = permission denied

2006-01-19 Thread Adam Nielsen
> so that anyone that is a member of one of the 4 groups should be able
> to create new files in the /data/workpapers directory.
>
> Getent group shows members of all groups, except the workpaper admins
> group

You'll find that getent group doesn't list users within nested
groups, but Samba should pick up nested groups and obey them with
regard to filesystem permissions.

> Now the strange thing is, some members of the 4 groups can create new
> files in that folder, and some get permission denied.
> I can't find a pattern.

When did you add the users to these groups?  I have to completely shut
down Samba and restart before any group changes are recognised, so if
you added some users to this group after you started Samba that could
explain why.

Also make sure getent group works for all of the subgroups.

I assume you have winbind nested groups = yes in smb.conf?

Cheers,
Adam.
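
An added example, not part of the thread: it compares the two NSS answers the reply above distinguishes, the member list that getent group prints and the group list computed for one user (the list initgroups() gives a login process). The lookup data is constructed; testgroup9 and testgroup10 with their gids are borrowed from another message on this page, and every other name and id is an assumption.

```python
import grp
import os
import pwd
import sys
from types import SimpleNamespace


def membership_report(user, group, getpwnam=pwd.getpwnam,
                      getgrnam=grp.getgrnam, getgrouplist=os.getgrouplist):
    """Compare the two NSS answers to "is `user` in `group`?".

    enumerated: user appears in the member list that `getent group` prints
    effective:  the group's gid is in the list computed for the user, which
                is what initgroups() hands to a login process
    """
    pw = getpwnam(user)          # raises KeyError if NSS cannot resolve it
    gr = getgrnam(group)
    enumerated = user in gr.gr_mem
    effective = gr.gr_gid in getgrouplist(user, pw.pw_gid)
    if enumerated and effective:
        verdict = "consistent: member"
    elif effective:
        verdict = "member only via per-user lookup (nested or primary group)"
    elif enumerated:
        verdict = "listed by getent but not in the user's group list"
    else:
        verdict = "consistent: not a member"
    return {"enumerated": enumerated, "effective": effective,
            "verdict": verdict}


def sample_lookups():
    """Constructed NSS data, not taken from a live system.

    testgroup10 holds testgroup9 as a nested group and its member list is
    not expanded; "stale" models a member list that disagrees with the
    per-user lookup. Returns (getpwnam, getgrnam, getgrouplist) stand-ins.
    """
    users = {
        "testuser11": SimpleNamespace(pw_name="testuser11", pw_gid=100513),
        "outsider": SimpleNamespace(pw_name="outsider", pw_gid=100513),
    }
    groups = {
        "testgroup9": SimpleNamespace(gr_gid=111265, gr_mem=["testuser11"]),
        "testgroup10": SimpleNamespace(gr_gid=111266, gr_mem=[]),
        "stale": SimpleNamespace(gr_gid=111300, gr_mem=["outsider"]),
    }
    group_lists = {
        "testuser11": [100513, 111265, 111266],
        "outsider": [100513],
    }
    return (users.__getitem__, groups.__getitem__,
            lambda user, gid: group_lists[user])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live check against this host's NSS (winbind included if configured).
        try:
            print(membership_report(sys.argv[1], sys.argv[2]))
        except KeyError as exc:
            sys.exit(f"NSS lookup failed: {exc}")
    else:
        lookups = sample_lookups()
        for user, group in [("testuser11", "testgroup9"),
                            ("testuser11", "testgroup10"),
                            ("outsider", "stale"),
                            ("outsider", "testgroup10")]:
            verdict = membership_report(user, group, *lookups)["verdict"]
            print(f"{user:12} {group:12} {verdict}")
```

Run with a user and a group name as arguments to query the host's own NSS instead of the constructed data.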


Re: [Samba] Winbind and groups

2003-09-09 Thread Tom Dickson
Do you have a valid users line? It may override write list.

I'd recommend:

valid users = bob, @GILMAN+techs
read only = yes
write list = @GILMAN+techs
(There is also a param: read list or some such)

-Tom

Mark Carrara wrote:
| Yes getent group shows all of my Windows groups and users.  Also wbinfo
| -g shows all of the Windows groups
|
| Mark


[Samba] Winbind and groups

2003-09-08 Thread Mark Carrara
I am using Samba ver 2.2.8 as a domain member server.  I am using Winbind 
for user authorization.  I have my home shares working as they should but I 
am having trouble with a Share that should be read only for most users and 
read write for members of the techs group
(a NT group).

in my smb.conf file I tried both:
Write List = @GILMAN+techs (GILMAN is the domain, + is the winbind separator)
and
Write List = @techs
neither worked.  What am I doing incorrectly?

Note, when I do a smbstatus the group is reported as GILMAN+techs

Mark

Mark Carrara
Technology Coordinator
School District of Gilman
Gilman, WI 



Re: [Samba] Winbind and groups

2003-09-08 Thread Tom Dickson
Does the command getent group work?

You should see the group as a unix group with members.

-Tom



[Samba] Winbind and groups

2002-10-12 Thread Bub Slug
Hi all,

I'm trying to get a samba server which is all by itself, No Windows DCs, or 
even windows shares at all, to play nice with Linux clients.

The server is authenticating Win9x, NT and 2000 clients fine and dandy, and 
now I have need to add linux clients to the scenario, and have discovered an 
issue I can't seem to work through.  Perhaps someone can help?

On the linux client, I can login as a user that exists only on the samba 
server (TEST+testuser) , except I get the following message:

	id: cannot find name for group id 1

When I do wbinfo -t I get back:
	Secret is good.

When I do wbinfo -u I get back:
	TEST+testuser

When I do wbinfo -g I get back:
	TEST+Domain Admins
	TEST+Domain Users

When I do getent passwd I get:

	root:x:0:0:root:/root:/bin/bash
	bin:x:1:1:bin:/bin:/sbin/nologin
		.
		.
	   cut for brevity
		.
		.
	bub:x:500:500:Bub Slug:/home/bub:/bin/bash
	TEST+testuser:x:1:1::/home/testuser:/bin/bash

So far so good, until I do getent group, which returns:

	root:x:0:root
	bin:x:1:bin
		.
		.
	   cut for brevity again
		.
		.

	bub:x:500:bub

So my net groups Domain Admins and Domain Users don't show up when I 
getent group, and there is no other network group that winbind can map to 
gid 1 when TEST+testuser logs in to the Linux client, and I suspect this 
is why I get the ID message on login (?)

Once again, I am not using any Windows 9x, NT, 2000 servers, the Linux Samba 
server is the only PDC (and the only DC).

Can anyone offer some help aside from the stuff that's around on the net.  
It all seems to deal with using Samba in a Domain with an actual windows DC, 
not as a standalone server being a DC.

I wonder why my client linux box can't see the domain groups on login, and 
while I'm on the subject, where do Domain Admins and Domain Users come 
from in the first place, and how do I add, delete or modify domain groups or 
how do I make groups on the Linux Samba server display to linux clients?


Both server and Client use RedHat 7.3 (Stock Kernel)  Samba wasn't installed 
with the redhat setup, instead I downloaded the tarball for 2.2.5

I compiled the server software in the source directory with:

	./configure
	make
	make install

The server is set up as a PDC with an smb.conf file that looks like:

	[global]
   workgroup = TEST
   netbios name = LINUXSRV
   interfaces = 127.0.0.1 192.168.240.20
   encrypt passwords = Yes
   domain logons = Yes
   os level = 64
   preferred master = True
   domain master = True
   wins support = Yes

	[homes]
   path = /home/%U
   read only = No
   browseable = No

	[netlogon]
   path = /usr/local/samba/netlogon
   browseable = No


I've configured the linux client and added it to the domain by:

Setting its host name to linuxclient,

Compiling the samba software from source (2.2.5) in the source directory 
with:
	./configure --with-winbind
	make
	make install
	make nsswitch

	Copied libnss_winbind.so to /lib
	Created a link:
		ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
	copied pam_winbind.so to /lib/security


	Created an smb.conf file for winbind that looks like
		[global]
		workgroup = TEST
		winbind separator = +
	winbind uid = 1-2
	winbind gid = 1-2
   	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /home/%U
   	template shell = /bin/bash
	winbind use default domain = yes
	wins server = 192.168.240.20


	Created a init script to fire up winbind

	edited /etc/nsswitch.conf to change the lines:
		passwd:	files winbind
		shadow: files
		group:	files windbind

added these lines to /etc/pam.d/login:
	auth sufficient /lib/security/pam_winbind.so
	account sufficient /lib/security/pam_winbind.so
	session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=022

did a: /sbin/ldconfig -v | grep winbind which returned:
   libnss_winbind.so - libnss_winbind.so

I started up the winbindd daemon on the client.


Then on the server, I did:
	useradd linuxclient$
	passwd -l linuxclient$
	smbpasswd -a -m linuxclient

	useradd testuser
	passwd -l testuser
	smbpasswd -a testuser

On the linux client I did:
	smbpasswd -j TEST -r 192.168.240.20
Which reported I joined the domain successfully.

Doing all this gets me the behaviour described above.


Any help will be appreciated!

Bub

This tagline is umop ap!5dn
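
An added example, not part of the original post: glibc loads each source named in /etc/nsswitch.conf from libnss_<name>.so.2 and skips a source whose module it cannot load without reporting an error, so a name with no module behind it shows up only as missing entries. The checker below flags such names; the three lines fed to it are the ones typed in the message above (where the group line reads windbind), and the library directories and the set of available modules are assumptions.

```python
import glob
import os
import re
import sys

# Directories searched for NSS modules (assumed common locations).
NSS_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
                "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu")

# Recent glibc releases build these two services into libc itself.
BUILTIN = {"files", "dns"}

ACTION_RE = re.compile(r"\[[^\]]*\]")   # action items such as [NOTFOUND=return]

# The nsswitch.conf lines as typed in the message above.
POSTED_LINES = """\
passwd:\tfiles winbind
shadow: files
group:\tfiles windbind
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = ACTION_RE.sub(" ", rest)          # actions are not sources
        databases[database.strip()] = rest.split()
    return databases


def installed_nss_modules(lib_dirs=NSS_LIB_DIRS):
    """Service names that have a libnss_<name>.so.2 on this host."""
    found = set(BUILTIN)
    for directory in lib_dirs:
        for path in glob.glob(os.path.join(directory, "libnss_*.so.2")):
            name = os.path.basename(path)[len("libnss_"):-len(".so.2")]
            found.add(name)
    return found


def unresolvable_sources(text, available):
    """List (database, source) pairs with no module in `available`."""
    problems = []
    for database, sources in parse_nsswitch(text).items():
        for source in sources:
            if source not in available:
                problems.append((database, source))
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real file against the modules installed on this host.
        with open(sys.argv[1]) as handle:
            text = handle.read()
        available = installed_nss_modules()
    else:
        # Constructed module set: a client with winbind installed.
        text, available = POSTED_LINES, {"files", "dns", "winbind"}
    for database, source in unresolvable_sources(text, available):
        print(f"{database}: no libnss_{source}.so.2 found, "
              f"source '{source}' will be skipped")
```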






Re: [Samba] Winbind and groups

2002-10-12 Thread Grzegorz Kusnierz
Hi!
Actually I had a similar situation and was using winbind, which showed up to be 
unreliable and _very_ moody. Recently, I've decided to give up winbind and move to NIS 
and I'm really happy with it - no problems with groups, delicate wb's tdb files and 
other stuff.
For further info read NIS-HOWTO which can be found at (eg.)
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/NIS-HOWTO.html

cheers :)
konik