[Samba] winbind idmap question

2009-09-17 Thread Christian
Hi,

how do I tell winbind to use the UserId from AD instead of doing its own
mapping of IDs?
AD is win2003 R2 Std with sfu.

What I did/tried:
current (this did not work):

#  winbind separator = \
winbind use default domain = Yes
winbind nested groups = Yes
#  winbind cache time = 600
template shell = /bin/bash
#  template homedir = /home/%D/%U
template homedir = /home/%U
idmap uid = 1-2
idmap gid = 1-2
winbind enum groups = Yes
winbind enum users = Yes
security = domain
#  security = ads
# Where do we get our user information from?
password server = srv-001.domain.local

tried (did not work either, and is very slow finding users):
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind nss info = rfc2307

   idmap domains = DOMAIN

   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:default = Yes
   idmap config DOMAIN:range = 1 - 1
   idmap config DOMAIN:schema_mode = rfc2307
security = domain
#  security = ads
# Where do we get our user information from?
password server = srv-001.domain.local

samba version is 3.2.7

Thanks for your ideas
Kind Regards
Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind idmap question

2009-09-17 Thread James Zuelow
 


From Samba version 3.2.5 (Debian Lenny) and 3.3.6 (Lenny backports).  This 
config works for me in both versions, so I'm confident it will work in 3.2.7:

idmap domains = YOUR_DOMAIN
idmap config YOUR_DOMAIN:backend = rid
idmap config YOUR_DOMAIN:base_rid = 0
idmap config YOUR_DOMAIN:range = 1 - 4

We have a Server 2003 native forest/domain not 2003 R2, and we do not have sfu 
deployed.  So the environment is a little different.



James Zuelow          CBJ MIS (907)586-0236
Network Specialist    Registered Linux User No. 186591
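
An added example (not from the original posts): the rid backend in the reply above does not store a mapping but computes it, using the formula given in the idmap_rid manual page, ID = RID - BASE_RID + LOW_RANGE_ID. The domain name EXAMPLE, the range 10000 - 49999, the passwd lines and the function names are constructed for illustration; the last function lists local accounts whose UID falls inside the idmap range, where a computed UID would coincide with an existing local or NIS UID.

```python
import re

# Constructed smb.conf fragment; EXAMPLE and the range are sample values.
SMB_CONF = """\
idmap domains = EXAMPLE
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:base_rid = 0
idmap config EXAMPLE:range = 10000 - 49999
"""

# Constructed /etc/passwd lines standing in for pre-existing local/NIS accounts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jmontana:x:11105:100:legacy account:/home/jmontana:/bin/bash
"""

def parse_rid_domain(conf, domain):
    """Return (low, high, base_rid) for a domain that uses the rid backend."""
    pattern = rf"^\s*idmap config {re.escape(domain)}:(\w+)\s*=\s*(.+?)\s*$"
    opts = dict(re.findall(pattern, conf, re.M))
    if opts.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = (int(part) for part in opts["range"].split("-"))
    return low, high, int(opts.get("base_rid", 0))

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None when outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and unix_id <= high else None

def local_collisions(passwd, low, high):
    """Local accounts whose UID lies inside the range winbind computes into."""
    hits = []
    for line in passwd.splitlines():
        name, _, uid = line.split(":")[:3]
        if low <= int(uid) <= high:
            hits.append((name, int(uid)))
    return hits

if __name__ == "__main__":
    low, high, base = parse_rid_domain(SMB_CONF, "EXAMPLE")
    for rid in (1105, 45000):
        print(f"RID {rid} -> {rid_to_id(rid, low, high, base)}")
    print("local UIDs inside the idmap range:", local_collisions(PASSWD, low, high))
```

Because the result depends only on the RID and the configured range, every member server with the same settings computes the same UID for a given domain account.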


Re: [Samba] Winbind IDMAP question.

2008-08-09 Thread Gerald (Jerry) Carter
Chavez, James R. wrote:
 Hello all,
 
 I have joined my linux boxes to AD and can authenticate using Active
 Directory usernames and passwords using Winbind.
 I want to Authenticate to AD but have that user mapped to a local Unix
 or NIS ID otherwise the AD authentication is useless and only hinders
 with file permissions and such.

Are you asking about local login via pam_winbind?  or just via smbd?
If the latter, then the username map should solve it.  If the former,
then I could probably do this in likewise-open using the name
alias support and some NSS ordering tricks.

PS: The same patches are pending for upstream Samba.  I just keep
getting distracted every time I try to prepare them to push.





cheers, jerry
--
Samba  -  http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] Winbind IDMAP question.

2008-08-09 Thread Chavez, James R.
Jerry,
Thanks for the reply. 
I am using pam_winbind with my Active Directory or Kerberos credentials
to login. 
I have an existing UNIX (NIS) infrastructure. We are being forced to
join our Linux boxes to AD. 
This creates a problem with unix permissions when logging into the
machines with AD credentials since the UID is dynamically assigned from
Winbind and not valid against existing Unix permissions. 

example [EMAIL PROTECTED] which translates to DOMAIN\joe_montana. The
desired UNIX user id is jmontana.

The username map does not work in the case of logging into the box, but
does work correctly when accessing shares on the box. I am sure this is
the expected behavior of the username map. I have always used the
username map for accessing shares and not logging in.

What I want to know is in the case of logging into the box via ssh or
telnet or locally, can I control the Unix UID that Winbind assigns? Can
Winbind be configured to map my DOMAIN\jmontana AD credentials to a
local UNIX or NIS user jmontana instead of the dynamic UID? This would
alleviate the issue with permissions when logged into the box. My
reading led me to believe that using idmap_ldap made this possible but I
am unsure. Please point me in the right direction. Again I appreciate
the reply.   


Thank You
James


CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by 
the addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of this e-mail 
message, you are hereby notified that any dissemination, distribution or 
copying of this e-mail message, and any attachments thereto, is strictly 
prohibited.  If you have received this e-mail message in error, please 
immediately notify the sender and permanently delete the original and any 
copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT 
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic 
Transactions Act or the applicability of any other law of similar substance and 
effect, absent an express statement to the contrary hereinabove, this e-mail 
message its contents, and any attachments hereto are not intended to represent 
an offer or acceptance to enter into a contract and are not otherwise intended 
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or 
any other person or entity.


[Samba] Winbind IDMAP question.

2008-08-06 Thread Chavez, James R.
Hello all,

I have joined my linux boxes to AD and can authenticate using Active
Directory usernames and passwords using Winbind.
I want to Authenticate to AD but have that user mapped to a local Unix
or NIS ID otherwise the AD authentication is useless and only hinders
with file permissions and such.

My first question is in regard to an ADS domain member server.
Can Winbind be used to map a SPECIFIC unix uid to a SPECIFIC Windows
RID?
I thought I was onto something with idmap_rid but it seems that uses a
predefined pool of UID's.
However from what I am reading it seems that idmap_ldap can be used to
accomplish this. Am I wrong about that? Can Samba and Winbind
accomplish this?

2nd question is in regards to ADS, can I use a local UID to RID map
somewhat similar to usernamemap for smbpasswd backend? 

Also, if possible, any how-tos or links are appreciated.

Thank you for your time.
James
