Re: [Samba] fetch passwords from AD and group membership from /etc/group

2011-01-24 Thread marius klausen
Hi,

  I want to use Active Directory for my samba users passwords and
 /etc/group for storing group membership.
  
  /etc/nsswitch.conf looks like:
  
  group: file
  
  Problem: the tests I ran show that the samba server does not know about
 group membership  (deleting file from other user belonging to the same
 group fails). The same test works as expected when winbindd is switched off.
 What do I have to do to fix this while having winbindd running?
  
 
 It won't know anything about your groups at all with NSSwitch like this.
 You need to make it 
 
 group: files winbind
 
 OR configure NSS_LDAP and make it
 
 group: files ldap
 

Something seems to be still missing.

I made a test with 

/etc/nsswitch.conf
group: files winbind

without any different results.

As far as I understand nsswitch.conf, this line tells nsswitch to look for 
group memberships in local files first and second in AD via winbind. As I have 
no group definitions for my samba users in the AD (only passwords) I don't 
understand why nsswitch.conf needs to look that way. Could someone please 
explain?

best regards,

Marius



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] fetch passwords from AD and group membership from /etc/group

2011-01-24 Thread Dale Schroeder

On 01/21/2011 4:54 AM, marius klausen wrote:

Hi Takahashi,


While you need not run winbindd if you want to use Active Directory
for authentication, if you need to run, idmap_nss may help you?


I want to use winbind to be able to log in just by providing the accountname, 
not domainname\accountname.

I now added the following to my smb.conf:

idmap domains = MYDOMAIN
idmap uid = 6000-61000
idmap gid = 100-3000
idmap config MYDOMAIN: backend = nss

which does not change anything so far (smb+winbind restarted). The uid/gid 
ranges cover values which are given to the account in /etc/passwd /etc/group - 
maybe that is wrong?

That is correct.  winbind generated uid's/gid's should not overlap the 
range of the local uid's/gid's.
The idmap gid values that are currently set could cause problems on the 
low end; but I can't say with all certainty that that is the cause of 
the symptoms you are seeing.


Dale

best regards,

Marius

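The overlap Dale describes can be checked mechanically: a local uid or gid that falls inside the winbind idmap range can end up shared with a mapped domain identity, so file permissions apply to the wrong principal. The following is an added example, not part of any post in this thread; the ranges are the ones quoted above, while the passwd/group lines and the function names are constructed for illustration.

```python
import re

# Constructed sample input: the idmap ranges quoted in the thread, plus
# made-up /etc/passwd and /etc/group lines (not taken from a real host).
SMB_CONF = """\
[global]
idmap uid = 6000-61000
idmap gid = 100-3000
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
svc:x:6001:6001:service:/srv:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
users:x:100:alice
staff:x:2500:alice,bob
backup:x:34:
"""

def idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from 'idmap uid/gid = lo-hi' lines."""
    ranges = {}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", line, re.I)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_ids(db_text):
    """Return {numeric id: name} from passwd- or group-format text (id is field 3)."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids.setdefault(int(fields[2]), fields[0])
    return ids

def collisions(conf, passwd, group):
    """List (kind, id, name) for local IDs that fall inside the idmap range."""
    ranges = idmap_ranges(conf)
    found = []
    for kind, text in (("uid", passwd), ("gid", group)):
        if kind in ranges:
            lo, hi = ranges[kind]
            found += [(kind, i, n) for i, n in sorted(local_ids(text).items())
                      if lo <= i <= hi]
    return found

if __name__ == "__main__":
    for kind, num, name in collisions(SMB_CONF, PASSWD, GROUP):
        print(f"local {kind} {num} ({name}) is inside the idmap {kind} range")
```

On a real host, pass the contents of smb.conf, /etc/passwd and /etc/group instead of the constructed strings.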


Re: [Samba] fetch passwords from AD and group membership from /etc/group

2011-01-21 Thread marius klausen
Hi Takahashi,

 While you need not run winbindd if you want to use Active Directory
 for authentication, if you need to run, idmap_nss may help you?
 

I want to use winbind to be able to log in just by providing the accountname, 
not domainname\accountname.

I now added the following to my smb.conf:

idmap domains = MYDOMAIN
idmap uid = 6000-61000
idmap gid = 100-3000
idmap config MYDOMAIN: backend = nss

which does not change anything so far (smb+winbind restarted). The uid/gid 
ranges cover values which are given to the account in /etc/passwd /etc/group - 
maybe that is wrong?

best regards,

Marius


Re: [Samba] fetch passwords from AD and group membership from /etc/group

2011-01-21 Thread TAKAHASHI Motonobu
2011/1/21 marius klausen mariusklau...@gmx.net:
 Hi Takahashi,

 While you need not run winbindd if you want to use Active Directory
 for authentication, if you need to run, idmap_nss may help you?

 I want to use winbind to be able to log in just by providing the accountname, 
 not domainname\accountname.

 winbind use default domain = yes is what you want?

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] fetch passwords from AD and group membership from /etc/group

2011-01-21 Thread William Brown

On 20/01/2011, at 19:29, marius klausen wrote:

 Hi List,
 
 I want to use Active Directory for my samba users passwords and /etc/group 
 for storing group membership.
 
 /etc/nsswitch.conf looks like:
 
 group: file
 
 Problem: the tests I ran show that the samba server does not know about group 
 membership  (deleting file from other user belonging to the same group 
 fails). The same test works as expected when winbindd is switched off. What 
 do I have to do to fix this while having winbindd running?
 

It won't know anything about your groups at all with NSSwitch like this. You 
need to make it 

group: files winbind

OR configure NSS_LDAP and make it

group: files ldap

Samba4 (and Active Directory on Windows also) supports POSIX schemas in its 
LDAP objects by default, so using the samba-tool group add name, then doing 
an object modification on that in LDAP to add your needed POSIX data is the 
most robust way (since GIDs will be consistent and controllable on all 
workstations).

Just be aware that AD does not allow anonymous reads, so your NSS_LDAP will 
need to be set up with a user account (preferably unprivileged) to read the LDAP 
tree. You will need a Domain Admin account to actually do the modify operation 
also.

 Regards, Marius

William Brown

Research  Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005

CRICOS Provider Number 00123M


Re: [Samba] fetch passwords from AD and group membership from /etc/group

2011-01-21 Thread marius klausen
Hi,

 
  While you need not run winbindd if you want to use Active Directory
  for authentication, if you need to run, idmap_nss may help you?
 
  I want to use winbind to be able to log in just by providing the
 accountname, not domainname\accountname.
 
  winbind use default domain = yes is what you want?

Logging in with only username, not domainname\username, already works fine. 

The missing part is that users cannot delete files in shares which are created 
by other users from the same unix group although the group has write permissions.

This starts working as soon as I switch winbind off, but then the domainname 
needs to be given during login, therefore I need to change winbind's behavior.

What I do not understand is that the logs show "connected to service xy ... as 
user abc (uid=n gid=m)" but the user still has problems deleting files although 
its gid seems right according to the logfile.

Any more hints?

Marius 



[Samba] fetch passwords from AD and group membership from /etc/group

2011-01-20 Thread marius klausen
Hi List,

I want to use Active Directory for my samba users passwords and /etc/group for 
storing group membership.

/etc/nsswitch.conf looks like:

group: file

Problem: the tests I ran show that the samba server does not know about group 
membership  (deleting file from other user belonging to the same group fails). 
The same test works as expected when winbindd is switched off. What do I have 
to do to fix this while having winbindd running?

Regards, Marius