On 30/08/13 23:14, Luca Olivetti wrote:
On 30/08/13 23:44, steve wrote:
Interesting point; you've now sampled winbind, nslcd and sssd to the
same end. Have you made a decision as to which you'll be going with?
Well, the real deployment will take some time (measured in months rather
On 31.08.2013 00:14, Luca Olivetti wrote:
I'm not still 100% convinced that I need to migrate from samba 3 to
samba 4, and once I am I have to explain it to my boss.
Samba 4 != AD only
Samba 4 is the next version after the 3.6 tree and contains
everything + AD DC functionality.
On Sat, 2013-08-31 at 00:14 +0200, Luca Olivetti wrote:
On 30/08/13 23:44, steve wrote:
Interesting point; you've now sampled winbind, nslcd and sssd to the
same end. Have you made a decision as to which you'll be going with?
Well, the real deployment will take some time
On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
On 31.08.2013 00:14, Luca Olivetti wrote:
I'm not still 100% convinced that I need to migrate from samba 3 to
samba 4, and once I am I have to explain it to my boss.
Samba 4 != AD only
Hi
I think the OP realises that. His main
On 31/08/13 15:23, steve wrote:
I feel we've made progress. Next time a winbind problem gets posted,
we'll be able to refer to 3 democratically produced howtos. Thanks to
Marc for listening to us and inviting us in on his howtos, Luca his
patience in hearing us out 'till EOT and to
On 31/08/13 15:23, steve wrote:
On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
On 31.08.2013 00:14, Luca Olivetti wrote:
I'm not still 100% convinced that I need to migrate from samba 3 to
samba 4, and once I am I have to explain it to my boss.
Samba 4 != AD only
On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
On 31/08/13 15:23, steve wrote:
I feel we've made progress. Next time a winbind problem gets posted,
we'll be able to refer to 3 democratically produced howtos. Thanks to
Marc for listening to us and inviting us in on his
On Sat, 2013-08-31 at 17:53 +0200, steve wrote:
On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
On 31/08/13 15:23, steve wrote:
I feel we've made progress. Next time a winbind problem gets posted,
we'll be able to refer to 3 democratically produced howtos. Thanks to
On 31/08/13 18:00, steve wrote:
Hi
It doesn't work here either. The only way we can get it to authenticate
or join the domain is to add:
I.P.ADD.RRESS f.q.d.n short-hostname
of the DC to /etc/hosts
Steve
Oh, and:
127.0.0.1 localhost f.q.d.n
127.0.0.1 short-hostname
That
On Sat, 2013-08-31 at 20:17 +0200, Luca Olivetti wrote:
On 31/08/13 18:00, steve wrote:
Hi
It doesn't work here either. The only way we can get it to authenticate
or join the domain is to add:
I.P.ADD.RRESS f.q.d.n short-hostname
of the DC to /etc/hosts
Steve
On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
On 29/08/13 21:54, Rowland Penny wrote:
Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
to ldap, so I thought your suggestion was working while it actually
wasn't (same error with Administrator as
On 29/08/13 23:34, Luca Olivetti wrote:
On 29/08/13 21:54, Rowland Penny wrote:
Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
to ldap, so I thought your suggestion was working while it actually
wasn't (same error with Administrator as with HP$).
Bye
Hi, I
On 30/08/13 10:11, steve wrote:
On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
On 29/08/13 21:54, Rowland Penny wrote:
Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
to ldap, so I thought your suggestion was working while it actually
On 30/08/13 17:15, steve wrote:
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
On 30/08/13 15:48, Luca Olivetti wrote:
On 30/08/13 11:41, Rowland Penny wrote:
OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am
On 30/08/13 19:00, Rowland Penny wrote:
The above was taken from:
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS
Yes, I read the wiki before starting, I have all the dependencies installed
Check that you have all the above installed
On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
On 30/08/13 18:21, Luca Olivetti wrote:
On 30/08/13 18:54, steve wrote:
OK, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:
ldap_sasl_mech = gssapi
On 30/08/13 17:05, Rowland Penny wrote:
Correct, though I do not understand why you are using the full path to
samba-tool
Because it's not in PATH
Where did you get samba4 from, did you compile it yourself?
Yes
what
version?
4.0.8 (4.0.9 wasn't yet available when I started the
On 30/08/13 18:15, steve wrote:
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
On 30/08/13 15:48, Luca Olivetti wrote:
On 30/08/13 11:41, Rowland Penny wrote:
OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine
On 30/08/13 21:10, Luca Olivetti wrote:
On 30/08/13 21:53, Luca Olivetti wrote:
On 30/08/13 21:49, steve wrote:
On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
Almost, almost...
Good. It's something, but we are still missing the attributes coming from
AD.
Regards,
Yes,
On 30/08/13 22:18, Rowland Penny wrote:
The reason why I suggested that you try another distro is that, as far
as I can see, nobody else uses Mageia on this list, at least nobody came
forward offering help. If you had tried another distro like Ubuntu then
other Ubuntu users could
On 30/08/13 21:28, Luca Olivetti wrote:
On 30/08/13 22:18, Rowland Penny wrote:
The reason why I suggested that you try another distro is that, as far
as I can see, nobody else uses Mageia on this list, at least nobody came
forward offering help. If you had tried another distro like
On Fri, 2013-08-30 at 22:28 +0200, Luca Olivetti wrote:
On 30/08/13 22:18, Rowland Penny wrote:
I take it that everything is now working ok and you can see all your
users, if so, I suggest you write up how you did it and get it published
somewhere.
Hi
That's a good idea.
On 30/08/13 23:44, steve wrote:
Interesting point; you've now sampled winbind, nslcd and sssd to the
same end. Have you made a decision as to which you'll be going with?
Well, the real deployment will take some time (measured in months rather
than weeks), I have a lot more to learn
On Fri, 2013-08-30 at 19:30 +0200, Luca Olivetti wrote:
On 30/08/13 19:00, Rowland Penny wrote:
The above was taken from:
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS
Yes, I read the wiki before starting, I have all the
On Fri, 2013-08-30 at 17:45 +0100, Rowland Penny wrote:
Hi Steve, let's just get something to work for the OP first.
Agreed.
It seems we now at least have a keytab that we can use for certain. Pls
see my interim post.
--
To unsubscribe from this list go to the following URL and read the
On 30/08/13 21:49, steve wrote:
On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
Almost, almost...
Good. It's something, but we are still missing the attributes coming from
AD.
Regards,
Yes, the SIGSEGV seems to be due to a problem with cyrus-sasl-2.1.25
(for the non
On Fri, 2013-08-30 at 19:44 +0100, Rowland Penny wrote:
On 30/08/13 19:14, steve wrote:
On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
On 30/08/13 18:21, Luca Olivetti wrote:
On 30/08/13 18:54, steve wrote:
OK, let's see:
We can say for certain that /etc/krb5.keytab
On 30.08.2013 23:44, steve wrote:
That's a good idea. Often, when we've been in production for a while
without errors, we lose sight of what it was like at the beginning. If
there's anything here or in my sssd howto you would change it would be
great if you could let us have it as a real user
On 30/08/13 19:14, steve wrote:
On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
On 30/08/13 18:21, Luca Olivetti wrote:
On 30/08/13 18:54, steve wrote:
OK, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:
On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
Almost, almost...
Good. It's something, but we are still missing the attributes coming from
AD.
Regards,
Steve
On 30/08/13 15:48, Luca Olivetti wrote:
On 30/08/13 11:41, Rowland Penny wrote:
OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am typing this on and it works,
you just need the krb5.keytab that I told you how to create
On 30/08/13 11:41, Rowland Penny wrote:
OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am typing this on and it works,
you just need the krb5.keytab that I told you how to create earlier.
That was
On 30/08/13 18:21, Luca Olivetti wrote:
On 30/08/13 18:54, steve wrote:
OK, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-conn...@wetron.es
ldap_krb5_keytab =
On 30/08/13 19:43, steve wrote:
Now go through everything in the thread, clear everything
in /var/lib/sss/db/* and restart sssd. Make sure that nscd is not
running.
Almost, almost...
OK, I found the problem of the server not found in kerberos database
(well, actually it was google
On Fri, 2013-08-30 at 19:21 +0200, Luca Olivetti wrote:
On 30/08/13 18:54, steve wrote:
OK, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-conn...@wetron.es
On 30/08/13 21:53, Luca Olivetti wrote:
On 30/08/13 21:49, steve wrote:
On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
Almost, almost...
Good. It's something, but we are still missing the attributes coming from
AD.
Regards,
Yes, the SIGSEGV seems to be due to
On Fri, 2013-08-30 at 21:53 +0200, Luca Olivetti wrote:
http://www.spinics.net/lists/cyrus-sasl/msg02004.html
I'll try to build a version with the fix
Suerte. Good luck.
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
On 30/08/13 15:48, Luca Olivetti wrote:
On 30/08/13 11:41, Rowland Penny wrote:
OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am typing this on and it works,
On 30/08/13 18:54, steve wrote:
OK, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-conn...@wetron.es
ldap_krb5_keytab = /etc/krb5.keytab
(note, I think you had a
On Fri, Aug 30, 2013 at 08:14:56PM +0200, steve wrote:
Hi, How about this for an idea, get the OP to create a VM on Mageia,
install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the
VM. Then setup winbind or nslcd or sssd on it, once this is working the
OP can work out to
On Fri, 2013-08-30 at 18:42 +0200, Luca Olivetti wrote:
On 30/08/13 18:15, steve wrote:
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
On 30/08/13 15:48, Luca Olivetti wrote:
On 30/08/13 11:41, Rowland Penny wrote:
OK, try this sssd.conf that I have altered
On 30/08/13 17:26, Luca Olivetti wrote:
On 30/08/13 17:05, Rowland Penny wrote:
Correct, though I do not understand why you are using the full path to
samba-tool
Because it's not in PATH
Then you need to alter your PATH environmental variable, I do this on
Ubuntu:
echo
On 29/08/13 01:30, Marc Muehlfeld wrote:
On 29.08.2013 00:10, Luca Olivetti wrote:
Yeah, nslcd works well, but for AD functionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02
I'll try it. I only used nslcd because that's what was
On Thu, 2013-08-29 at 01:30 +0200, Marc Muehlfeld wrote:
On 29.08.2013 00:10, Luca Olivetti wrote:
Yeah, nslcd works well, but for AD functionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02
I'll try it. I only used nslcd because that's what
On 29/08/13 12:06, steve wrote:
We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
Well, that doesn't seem to be complete (at least to a kerberos newbie
like me).
For example, it's missing the step to create /etc/krb5.keytab
I used
On Thu, 2013-08-29 at 20:17 +0200, Luca Olivetti wrote:
but then sssd complains that
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100):
Principal
name is: [HP$@WETRON.ES]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using
keytab [/etc/krb5.keytab]
On 29/08/13 19:17, Luca Olivetti wrote:
On 29/08/13 12:06, steve wrote:
We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
Well, that doesn't seem to be complete (at least to a kerberos newbie
like me).
For example, it's missing the
On 29/08/13 21:02, Rowland Penny wrote:
Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator'
Thank you, that worked *but* we're back to square one: migrated users
(with the posixAccount class) show up but new users don't.
Bye
--
Luca Olivetti
Wetron
On 29/08/13 21:15, Luca Olivetti wrote:
On 29/08/13 21:02, Rowland Penny wrote:
Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator'
Thank you, that worked *but* we're back to square one: migrated users
(with the posixAccount class)
On 29/08/13 20:17, Luca Olivetti wrote:
On 29/08/13 21:15, Luca Olivetti wrote:
On 29/08/13 21:02, Rowland Penny wrote:
Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator'
Thank you, that worked *but* we're back to square one: migrated
On 29/08/13 20:41, Luca Olivetti wrote:
On 29/08/13 21:20, Rowland Penny wrote:
On 29/08/13 20:17, Luca Olivetti wrote:
On 29/08/13 21:15, Luca Olivetti wrote:
On 29/08/13 21:02, Rowland Penny wrote:
Hi, that should be 'samba-tool domain exportkeytab
On 29/08/13 21:54, Rowland Penny wrote:
Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
to ldap, so I thought your suggestion was working while it actually
wasn't (same error with Administrator as with HP$).
Bye
Hi, I am replying to you on list, could you
On Wed, 2013-08-28 at 00:06 +0200, Luca Olivetti wrote:
On 27/08/13 23:02, Rowland Penny wrote:
If nslcd needs the posix objectclasses, then that is their bug, windows
does not use them so Samba 4 doesn't either.
I wouldn't be so sure, since many (all?) of the attributes
On Wed, 2013-08-28 at 00:30 +0200, Luca Olivetti wrote:
On 27/08/13 23:56, Gary Greene wrote:
If you set it up with '--use-rfc2307', nslcd needs configured as though it
is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add
additional classes to the AD member
On 27/08/13 23:06, Luca Olivetti wrote:
On 27/08/13 23:02, Rowland Penny wrote:
If nslcd needs the posix objectclasses, then that is their bug, windows
does not use them so Samba 4 doesn't either.
I wouldn't be so sure, since many (all?) of the attributes specified by
rfc2307 are
On 28/08/13 09:58, steve wrote:
filter passwd (objectclass=user)
to /etc/nslcd.conf
and that gave me the missing users.
I suppose I should add also a
filter group (objectclass=group)
[...]
With recent versions of nslcd, neither of the filters are needed and
serve only to slow
On Wed, 2013-08-28 at 13:17 +0200, Luca Olivetti wrote:
On 28/08/13 09:58, steve wrote:
filter passwd (objectclass=user)
to /etc/nslcd.conf
and that gave me the missing users.
I suppose I should add also a
filter group (objectclass=group)
[...]
With recent
On 28/08/13 13:43, steve wrote:
0.8.12 is not recent enough and those filters are needed.
I'll try 0.8.12 later but I doubt it will have changed:
I have 0.8.12
$ rpm -q nss-pam-ldapd
nss-pam-ldapd-0.8.12-3.mga3
With the filter (aimaretti is a migrated user, pruebaunix is a new
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
Without the filter
$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
id: pruebaunix: l’usuari no existeix
$ LC_ALL=en id pruebaunix
id:
On 28/08/13 19:30, steve wrote:
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
Without the filter
$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
id: pruebaunix: l’usuari no
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
On 28/08/13 13:43, steve wrote:
0.8.12 is not recent enough and those filters are needed.
I'll try 0.8.12 later but I doubt it will have changed:
I have 0.8.12
$ rpm -q nss-pam-ldapd
nss-pam-ldapd-0.8.12-3.mga3
On 28/08/13 20:11, steve wrote:
Hi
Without objectClass: posixAccount
you need the filter for nslcd.
IOW, for AD, you either must add it yourself or use the nslcd filter.
Windows does not need the objectClass. nslcd does unless you want to
filter everything.
Thank you, I
On Wed, 2013-08-28 at 20:18 +0200, Luca Olivetti wrote:
On 28/08/13 20:11, steve wrote:
Hi
Without objectClass: posixAccount
you need the filter for nslcd.
IOW, for AD, you either must add it yourself or use the nslcd filter.
Windows does not need the objectClass.
On 28/08/13 23:09, steve wrote:
Yeah, nslcd works well, but for AD functionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02
I'll try it. I only used nslcd because that's what was suggested in the
samba wiki.
Bye
--
Luca Olivetti
Wetron
On 29.08.2013 00:10, Luca Olivetti wrote:
Yeah, nslcd works well, but for AD functionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02
I'll try it. I only used nslcd because that's what was suggested in the
samba wiki.
The Winbind and sssd Howto
Hello,
I start a new thread, because the other one meanwhile drifted far away
from what the OP asked. :-)
On 27.08.2013 17:02, Luca Olivetti wrote:
If you provisioned your domain with --use-rfc2307, then in
Win7 ADUC you can see the posixAccount (UNIX Attributes) of
the users.
I did a
On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
Do posixAccount/posixGroup
objectClasses have to be there normally?
No. With the AD schema, you can use all of rfc2307 without the need for
the objectclasses which define them. Just add the attributes.
HTH
Steve
On 27/08/13 20:46, steve wrote:
On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
Do posixAccount/posixGroup
objectClasses have to be there normally?
No. With the AD schema, you can use all of rfc2307 without the need for
the objectclasses which define them. Just add the
On 27/08/13 19:56, Luca Olivetti wrote:
On 27/08/13 20:46, steve wrote:
On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
Do posixAccount/posixGroup
objectClasses have to be there normally?
No. With the AD schema, you can use all of rfc2307 without the need for
the
] objectClass:posixAccount missing
On 27/08/13 19:56, Luca Olivetti wrote:
On 27/08/13 20:46, steve wrote:
On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
Do posixAccount/posixGroup
objectClasses have to be there normally?
No. With the AD schema, you can use all of rfc2307 without the need
On 27/08/13 23:56, Gary Greene wrote:
If you set it up with '--use-rfc2307', nslcd needs configured as though it is
talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional
classes to the AD member objects, even in an SFU environment.
Thank you, that gave me an