Hi to all, I'm facing some problems of integration with LDAP on the release in object. In my scenario I want to use Samba + LDAP so that all servers on the network have the same UID and GID for all the shares on all Linux servers (including the shares on the main PDC server). Clients are mixed Windows and Linux. Samba + LDAP on the Ubuntu server is acting as PDC for the domain (no Windows servers in the domain) and all the other Linux servers should take the UID and GID from the PDC using samba+winbind with the idmap backend on LDAP.

What is happening is that I'm not able to have the PDC join the domain itself. Not even wbinfo -u and wbinfo -t are working. Only wbinfo -g is returning:

BUILTIN/users
BUILTIN/administrators

I was able to let the PDC join the domain (net rpc join) only after an upgrade of the samba packages through an apt-get install of the samba packages themselves. I saw during the process that the system performed something like an initialization of passdb.tdb and secrets.tdb, putting all the system and LDAP users (recovered from the LDAP DB) in it. After this join I tried to change some UIDs in the LDAP DB, but the OS was still taking the UID from passdb.tdb and not the new one I updated in LDAP. I'm wondering if this is correct and, if it is, how to reproduce this kind of initialization. I'm trying every time to start from scratch and understand the way it works, deleting all the content of the samba files (/var/lib/samba and /var/run/samba).

As far as I know, samba + LDAP should rely only on the LDAP DB, except for the LDAP admin DN password that should be saved in secrets.tdb with the smbpasswd -w command. I understood that no use of passdb.tdb is made in an LDAP config. Correct me if I'm wrong please. I used smbldap-tools to populate the LDAP. I need the PDC to use winbind and idmap itself to get the UID and GID of domain users so as to have everything aligned. If I put the ldap parameter in /etc/nsswitch.conf the resolution of UID and GID works perfectly (getent passwd and group). If I put winbind it is not working.
This is my config:

[global]
   log level = 100
   workgroup = DOMAIN
   server string = %h New Samba server
   wins support = yes
   dns proxy = no
   interfaces = eth0
   bind interfaces only = true
   log file = /var/log/samba/log.%m
   max log size = 10000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost:389
   ldap suffix = dc=domain,dc=locale
   ldap delete dn = yes
   ldap admin dn = cn=admin,dc=domain,dc=locale
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap passwd sync = Yes
   ldapsam:trusted=yes
   ldapsam:editposix=yes
   idmap alloc backend = ldap
   idmap alloc config:ldap_url = ldap://localhost:389/
   idmap alloc config:ldap_base_dn = ou=Idmap,dc=domain,dc=locale
   idmap backend = ldap:ldap://localhost:389
   idmap uid = 10000-20000
   idmap gid = 500-20000
   idmap domains = BUILTIN DOMAIN
   idmap config DOMAIN:backend = ldap
   idmap config DOMAIN:readonly = no
   idmap config DOMAIN:default = yes
   idmap config BUILTIN:backend = ldap
   idmap config BUILTIN:readonly = no
   idmap config BUILTIN:default = no
   template shell = /bin/bash
   template homedir = /home/users/%U
   obey pam restrictions = no
   guest account = nobody
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   lanman auth = no
   unix password sync = no
   pam password change = no
   map to guest = bad user
   domain logons = yes
   logon path = \\%L\profiles\%U\.win-profile\%a
   logon drive = H:
   logon home = \\%L\profiles\%U\.win-profile\%a
   logon script = %m.bat
   socket options = TCP_NODELAY
   domain master = yes
   preferred master = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = no
   winbind separator = /
   usershare allow guests = yes

Any hint? Thank you all.

Bye,
Marcello
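One sanity check worth running on a setup like the one above, before digging into winbind itself, is whether the idmap ranges handed to winbind collide with the UIDs and GIDs of accounts that already exist locally on the box: if they do, an ID that winbind allocates from LDAP can silently resolve to a different local name via nsswitch, which makes "getent" results look inconsistent. The script below is an added example written for this thread, not code from the post or from the Samba project. It parses a trimmed, constructed copy of the idmap settings shown above (both the legacy "idmap uid"/"idmap gid" form and the per-domain "idmap config X:range" form), reads constructed /etc/passwd and /etc/group excerpts, and reports every local ID that falls inside an idmap range. The sample accounts, the "SMB_CONF_ALIGNED" variant and the overlap it finds are all constructed for illustration; on a real host you would feed it the actual smb.conf and the real passwd/group files.

```python
"""Check smb.conf idmap ranges against locally defined UIDs/GIDs.

Added example for this thread; not part of Samba or of the original post.
The config and account excerpts below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the idmap settings from the post,
# keeping the legacy 'idmap uid' / 'idmap gid' ranges exactly as given there.
SMB_CONF = """
# minimal global section (constructed for this example)
[global]
   workgroup = DOMAIN
   security = user
   passdb backend = ldapsam:ldap://localhost:389
   ldapsam:trusted=yes
   idmap backend = ldap:ldap://localhost:389
   idmap uid = 10000-20000
   idmap gid = 500-20000
   idmap config DOMAIN:backend = ldap
   winbind separator = /

[homes]
   browseable = no
"""

# Constructed variant: GID range moved above the local account space, plus a
# per-domain range in the newer 'idmap config <DOMAIN>:range' style.
SMB_CONF_ALIGNED = SMB_CONF.replace(
    "idmap gid = 500-20000",
    "idmap gid = 10000-20000\n   idmap config DOMAIN:range = 10000-20000",
)

# Constructed /etc/passwd and /etc/group excerpts for a typical Ubuntu host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
"""
GROUP = """root:x:0:
staff:x:50:
sambashare:x:124:
localadmin:x:1000:
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf-style text into {section: {parameter: value}}.

    Parameter names are lower-cased with whitespace collapsed, because Samba
    treats 'idmap uid', 'Idmap UID' and 'idmapuid' as the same parameter.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")   # split on the FIRST '='
            key = " ".join(key.split()).lower()
            sections[current][key] = value.strip()
    return sections


def parse_range(value: str) -> Tuple[int, int]:
    """Turn '10000-20000' into (10000, 20000); reject malformed or inverted ranges."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value.strip())
    if not m:
        raise ValueError(f"not an idmap range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {value!r}")
    return lo, hi


def idmap_ranges(global_section: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Collect every idmap range in [global], legacy and per-domain style."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in global_section.items():
        if key in ("idmap uid", "idmap gid"):
            ranges[key] = parse_range(value)
        per_domain = re.match(r"^idmap config (\S+?)\s*:\s*range$", key)
        if per_domain:
            ranges[f"idmap config {per_domain.group(1)}:range"] = parse_range(value)
    return ranges


def local_ids(passwd_text: str, group_text: str) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Return {uid: name} and {gid: name} from passwd/group file contents."""
    uids = {int(p[2]): p[0] for p in (l.split(":") for l in passwd_text.splitlines()) if len(p) >= 7}
    gids = {int(p[2]): p[0] for p in (l.split(":") for l in group_text.splitlines()) if len(p) >= 3}
    return uids, gids


def check_overlaps(conf_text: str, passwd_text: str, group_text: str) -> List[str]:
    """List local accounts whose UID/GID falls inside an idmap range.

    'idmap uid' is compared against UIDs only, 'idmap gid' against GIDs only;
    a per-domain range serves both, so it is compared against both tables.
    """
    global_section = parse_smb_conf(conf_text).get("global", {})
    uids, gids = local_ids(passwd_text, group_text)
    findings: List[str] = []
    for label, (lo, hi) in sorted(idmap_ranges(global_section).items()):
        pools = []
        if label != "idmap gid":
            pools.append(("uid", uids))
        if label != "idmap uid":
            pools.append(("gid", gids))
        for kind, table in pools:
            for ident, name in sorted(table.items()):
                if lo <= ident <= hi:
                    findings.append(f"{label} {lo}-{hi} overlaps local {kind} {ident} ({name})")
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", SMB_CONF), ("aligned", SMB_CONF_ALIGNED)):
        print(f"[{name}]")
        for finding in check_overlaps(conf, PASSWD, GROUP) or ["no overlaps"]:
            print("  " + finding)
```

Run against the constructed data it flags the 500-20000 GID range as covering the local "localadmin" group (GID 1000) and reports the aligned variant as clean. To use it on a real server, replace the three constructed strings with the contents of /etc/samba/smb.conf, /etc/passwd and /etc/group (or better, the output of "testparm -s", which gives you the parameters as Samba actually parsed them).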