Dear all,

For a couple of weeks, I've been trying to configure Samba to get UID & GID
from Windows 2003 AD. I read the Samba documentation & how-to, but it is still
not working.

Here are the tasks I've performed:

- I installed SFU on my Windows 2003 Server
- I configured /etc/samba/smb.conf:

# Global parameters
[global]
workgroup = TOTO
netbios name = VENUS
encrypt passwords = yes
obey pam restrictions = No
pam password change = No
interfaces = eth0 10.1.0.0/16
wins server = 10.1.2.4
domain master = no
local master = no
preferred master = no
server string = VENUS Samba Services
lock directory = /var/lib/samba
load printers = no
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
username map = /etc/samba/smbusers
admin users = @"Domain Admins"

#### ACTIVE DIRECTORY
realm = TOTO.COM
security = ADS
log level = 1 ads:10 auth:10 sam:10 rpc:10
winbind separator = +
ldap admin dn = cn=Administrator,dc=TOTO,dc=COM
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes
ldap suffix = dc=TOTO,dc=COM
idmap backend = ldap:ldap://ads-tst.toto.com <-- THIS IS THE IP OF MY WINDOWS 2003 SRV 10.1.3.9
idmap uid = 150000-550000
idmap gid = 150000-550000
#idmap backend = ldap:ldap://127.0.0.1
# ldap user suffix = ou=Sherbrooke
# ldap machine suffix = ou=Computers

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = Yes
winbind nss info = template, sfu
#winbind use default domain = yes
template shell = /bin/bash
template homedir = /u/%D/%U
winbind cache time = 5

- I configured /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TOTO.COM
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
TOTO.COM = {
kdc = ads-tst.toto.com <-- THIS IS THE NAME OF MY WINDOWS SERVER (10.1.3.9)
default_domain = toto.com
}

[domain_realm]
.toto.com = TOTO.COM
toto.com = TOTO.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

- I configured /etc/ldap.conf
host 10.1.3.9 <-- THIS IS THE IP OF MY WINDOWS SERVER 2003
base dc=toto,dc=com
binddn cn=Administrator,dc=toto,dc=com
bindpw password

pam_password exop

nss_base_passwd ou=People,dc=toto,dc=com?one
nss_base_shadow ou=People,dc=toto,dc=com?one
nss_base_group ou=Groups,dc=toto,dc=com?one
ssl no

- I configured nss_ldap-248 and installed it
../configure --enable-rfc2307bis --enable-schema-mapping
make install


- I joined my samba to my Windows 2003 server (It worked fine)
root# net ads join -UAdministrator%password
Using short domain name -- TOTO
Joined 'VENUS' to realm 'TOTO.COM'

- I modified the file /etc/nsswitch.conf as follows:
passwd: files ldap
shadow: files ldap
group: files ldap

- I stored the LDAP password (Windows 2003) into the secret.tdb file:
smbpasswd -w password


Now when I start winbind, I get the following error:

Feb 9 08:58:29 venus winbindd[21018]: [2006/02/09 08:58:29, 0] lib/debug.c:debug_lookup_classname(352)
Feb 9 08:58:29 venus winbindd[21018]: debug_lookup_classname(ads): Unknown class
Feb 9 08:58:29 venus winbindd[21018]: [2006/02/09 08:58:29, 0] lib/debug.c:debug_lookup_classname(352)
Feb 9 08:58:29 venus winbindd[21018]: debug_lookup_classname(rpc): Unknown class
Feb 9 08:58:30 venus winbindd[21018]: [2006/02/09 08:58:30, 0] lib/smbldap.c:smbldap_connect_system(890)
Feb 9 08:58:30 venus winbindd[21018]: failed to bind to server ldap://ads-tst.toto.com with dn="cn=Administrator,dc=TOTO,dc=COM" Error: Invalid credentials
Feb 9 08:58:30 venus winbindd[21018]: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Feb 9 08:58:45 venus winbindd[21018]: [2006/02/09 08:58:45, 0] sam/idmap.c:idmap_init(146)
Feb 9 08:58:45 venus winbindd[21018]: idmap_init: failed to initialize remote backend!


If I run wbinfo -u and wbinfo -g, I get the lists from AD:

Administrator
Guest
SUPPORT_388945a0
ADS-TST$
krbtgt
yquirion
toto
venus$

[venus]:/# wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
sinfsyst

If I try this command: chown toto nss_ldap-248/
chown: `toto': invalid user

If I try getent passwd, I get the following error in syslog:
Feb 9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb 9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb 9 09:03:57 venus getent: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb 9 09:04:01 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb 9 09:04:01 venus getent: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb 9 09:04:09 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb 9 09:04:09 venus getent: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...

Can somebody tell me what I'm doing wrong? My first goal is to have
the same UID & GID from my Active Directory on all my Linux/Samba
systems.

Thank you everybody for your help.

Best Regards,
Yanick

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
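An added example, not part of the original post or of Samba itself: a small Python helper that pairs a winbindd "failed to bind" record with the LdapErr record that follows it and decodes the AD "data" sub-code. The LDAP result text is always "Invalid credentials" for any bind failure against AD; only the sub-code (Microsoft's documented 525/52e/530/... values) says what actually went wrong. The sample log lines are reconstructed from the syslog output in the post.

```python
import re

# Sub-codes AD appends to a failed LDAP bind as "AcceptSecurityContext
# error, data NNN". The LDAP result itself is always 49 / "Invalid
# credentials", so only the sub-code says what actually went wrong.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not resolve to an AD account",
    "52e": "invalid credentials: account exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_RE = re.compile(r'failed to bind to server (\S+) with dn="([^"]+)"')
LDAPERR_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_bind_failures(lines):
    """Pair each winbindd bind-failure record with the LdapErr record that
    follows it; return dicts of server, bind DN, AD sub-code and meaning."""
    failures = []
    current = None
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            current = {"server": m.group(1), "dn": m.group(2),
                       "code": None, "meaning": None}
            failures.append(current)
            continue
        m = LDAPERR_RE.search(line)
        if m and current is not None and current["code"] is None:
            code = m.group(1).lower()
            current["code"] = code
            current["meaning"] = AD_BIND_SUBCODES.get(code, "unknown sub-code")
    return failures


# Constructed sample: the two relevant syslog records from the post, rejoined
# onto single lines the way syslog writes them.
SAMPLE_LOG = [
    'Feb 9 08:58:30 venus winbindd[21018]: failed to bind to server '
    'ldap://ads-tst.toto.com with dn="cn=Administrator,dc=TOTO,dc=COM" '
    'Error: Invalid credentials',
    'Feb 9 08:58:30 venus winbindd[21018]: 80090308: LdapErr: DSID-0C090334, '
    'comment: AcceptSecurityContext error, data 525, vece',
]
```

Feeding the log into `decode_bind_failures(SAMPLE_LOG)` distinguishes a bind DN that AD cannot find (525) from a correct DN with a wrong password (52e), which the "Invalid credentials" text alone never does.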