Hi,

This is the environment:

PDC - samba 3.0.14a (Debian Sarge)
        passdb backend = ldapsam

Member server - Win2003
        Joined domain and this one works correctly

Member server - samba 3.0.23d (Debian Etch)
        Joined domain and this one displays the domain as "Unix User" or "Unix Group" when looking on the security tab on a WinXP machine that has logged into the domain and is accessing a share on the member server. A linux client using smbcacls also shows the domain as "Unix User"/"Unix Group".

Authentication works fine and I can access shares on the samba member server. If I add 'hide unreadable = yes' to the [Data] share then I am no longer able to see any files or directories on the share and I can't access a directory I have access to. NSS/PAM are configured and are working correctly. No user accounts are created locally on the member server.

Winbind - Winbind isn't running on the PDC. I've tried it without winbindd on the member server, winbindd running as 'netlogon proxy only' on the member server and full winbindd with it creating idmap entries in ldap. The Win2003 server works fine without the idmap entries in ldap so I'm assuming samba should be able to work without idmap entries and winbindd running as 'netlogon proxy only' on the member server. wbinfo -t (-u & -g) all work correctly displaying the domain users and groups on the member server.

'Samba-3 by Example' in the 'Adding Domain Member Servers and Clients' chapter makes it sound like you don't need to use winbindd since the information is in ldap and we aren't using any foreign domains.

Samba release notes for 3.0.23b say:
"If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local
SID and group membership." which seems to indicate I need winbindd.

Questions:

1. Do I need winbindd?
2. If I do need winbindd is 'netlogon proxy only' enough? Remember - the Win2003 member server is working fine without any idmap entries in ldap.
3. How do I get the users to be seen as Domain users and not as local unix users?

smb.conf on the member server:
[global]
        unix charset = LOCALE
        workgroup = MYDOMAIN
        server string = %h
        security = DOMAIN
        log level = 2
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        name resolve order = wins host bcast
        wins server = 172.16.1.8
        ldap admin dn = cn=samba,ou=dsa,dc=domain,dc=ca
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap suffix = dc=domain, dc=ca
        ldap user suffix = ou=people
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap:ldap://main.domain.ca

[Data]
        comment = Data share
        path = /srv
        read only = No
        create mask = 0660
        directory mask = 02770

Some log entries:
 log.wb-mydomain - seen when winbindd is first started
[2006/12/22 10:38:33, 2] libsmb/namequery.c:name_query(577)
  Got a positive name query response from 172.16.1.8 ( 172.16.1.8 )
[2006/12/22 10:38:33, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625) cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine PDC pipe \lsarpc fnum 0x749e!

log.computername - seen when a client computer connects to the share on the member server.
[2006/12/22 10:39:47, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_administrators(785)
  create_builtin_administrators: Failed to create Administrators
[2006/12/22 10:39:47, 2] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_users(751)
  create_builtin_users: Failed to create Users
.
.
.
[2006/12/22 10:39:48, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2006/12/22 10:39:48, 1] smbd/service.c:make_connection_snum(950)
computername (172.16.1.174) connect to service Data initially as user user1 (uid=2001, gid=2001) (pid 8649)

Thanks,
Bill
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

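The log excerpt is the most useful evidence in this post, so here is an added example (not part of the original message and not Samba project code) that parses Samba 3.x log records in the "[date time, level] file.c:function(line)" layout and pulls out the events that matter for a domain member: the NTLM authentication result, the local NT token failures for the BUILTIN groups, the DCE/RPC fault winbindd got back on \lsarpc, and the share connection with the uid/gid the session was mapped to. The sample input is the post's own log lines, re-wrapped into smbd's normal two-line record layout; the function names (parse_samba_log, summarize, findings) are the author's own. One background fact the findings rely on: Samba labels a uid or gid it cannot map to a domain SID as S-1-22-1-<uid> / S-1-22-2-<gid>, and "Unix User" / "Unix Group" is how those SIDs are displayed.

```python
"""Parse Samba 3.x smbd/winbindd log records and pull out the events that
matter when a domain member shows 'Unix User'/'Unix Group' on ACLs.
Added example; the helper names are the author's own, not Samba APIs."""
import re
from dataclasses import dataclass

# A record is "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)" followed
# by the message indented on the next line.  Mail clients sometimes join
# the message onto the header line, so that layout is accepted too.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>\S+?\(\d+\))\s*(?P<msg>.*)$"
)
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
RPC_FAULT = re.compile(r"RPC fault code (\w+) received from remote machine (\S+) pipe (\S+)")
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")


@dataclass
class Entry:
    ts: str
    level: int
    src: str   # e.g. "auth/auth_util.c:create_builtin_users(751)"
    msg: str


def parse_samba_log(text):
    """Group each header line with its continuation lines into an Entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # blank line or elision marker
            continue
        m = HEADER.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["src"], m["msg"].strip()))
        elif entries:                       # continuation of the previous record
            entries[-1].msg = (entries[-1].msg + " " + line).strip()
    return entries


def function_name(src):
    """'auth/auth_util.c:create_builtin_users(751)' -> 'create_builtin_users'"""
    return src.split(":", 1)[-1].split("(", 1)[0]


def summarize(entries):
    """Classify the records a domain-member debugging session cares about."""
    summary = {"auth_ok": [], "token_failures": [], "rpc_faults": [], "connections": []}
    for e in entries:
        func = function_name(e.src)
        m = AUTH_OK.search(e.msg)
        if m:
            summary["auth_ok"].append(m.group(1))
            continue
        if "Failed" in e.msg and (func.startswith("create_builtin_") or func == "create_local_nt_token"):
            summary["token_failures"].append(func)
            continue
        m = RPC_FAULT.search(e.msg)
        if m:
            summary["rpc_faults"].append({"code": m.group(1), "peer": m.group(2), "pipe": m.group(3)})
            continue
        m = CONNECT.search(e.msg)
        if m:
            summary["connections"].append({"service": m.group(1), "user": m.group(2),
                                           "uid": int(m.group(3)), "gid": int(m.group(4))})
    return summary


def findings(summary):
    """Turn the summary into the observations to check next."""
    out = []
    if summary["auth_ok"] and summary["token_failures"]:
        out.append("authentication succeeded for %s but the local NT token was built "
                   "without the BUILTIN groups (%s failed); the session carries only "
                   "the uid/gid it was mapped to"
                   % (", ".join(sorted(set(summary["auth_ok"]))),
                      ", ".join(summary["token_failures"])))
    for f in summary["rpc_faults"]:
        meaning = ("the peer does not implement the requested operation number"
                   if f["code"] == "DCERPC_FAULT_OP_RNG_ERROR" else "look up the fault code")
        out.append("RPC fault %s from %s on pipe %s: %s" % (f["code"], f["peer"], f["pipe"], meaning))
    for c in summary["connections"]:
        out.append("%s connected to [%s] as uid=%d gid=%d" % (c["user"], c["service"], c["uid"], c["gid"]))
    return out


# Sample input: the records quoted in the post, re-wrapped into smbd's
# header / indented-message layout (the cli_pipe record keeps its message
# on the header line to exercise the joined layout).
SAMPLE_LOG = r"""
[2006/12/22 10:38:33, 2] libsmb/namequery.c:name_query(577)
  Got a positive name query response from 172.16.1.8 ( 172.16.1.8 )
[2006/12/22 10:38:33, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625) cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine PDC pipe \lsarpc fnum 0x749e!
[2006/12/22 10:39:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_administrators(785)
  create_builtin_administrators: Failed to create Administrators
[2006/12/22 10:39:47, 2] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/12/22 10:39:47, 0] auth/auth_util.c:create_builtin_users(751)
  create_builtin_users: Failed to create Users
.
.
.
[2006/12/22 10:39:48, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2006/12/22 10:39:48, 1] smbd/service.c:make_connection_snum(950)
  computername (172.16.1.174) connect to service Data initially as user user1 (uid=2001, gid=2001) (pid 8649)
"""

if __name__ == "__main__":
    for line in findings(summarize(parse_samba_log(SAMPLE_LOG))):
        print("-", line)
```

Run it against a real log.smbd or log.wb-* with a higher "log level" and the same three signals show up together when SID-to-uid/gid mapping is not working: a successful check_ntlm_password, create_builtin_* failures right after it, and a connection line giving only a uid/gid. The DCERPC_FAULT_OP_RNG_ERROR reading is by definition of the DCE/RPC fault: the server did not implement the operation number that was called.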