[Samba] Retry: Mapping AD domain users to UNIX users - Samba



Thread: [Samba] Retry: Mapping AD domain users to UNIX users

  1. [Samba] Retry: Mapping AD domain users to UNIX users

    I posted this last week but haven't heard anything. I'm not sure if this
    is because nobody knows the answer (can't believe that!) or I'm missing
    something obvious in the documentation and people are thinking "Read The
    Fine Manual". Whatever the reason, if anyone has any insights into this
    problem I'd be very grateful for their comments.

    We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
    Solaris 9 as a member server, using "security = DOMAIN" in an Active
    Directory 2003 domain. The server is primarily an application server,
    running SAS software, but we have a share to Windows to enable users to
    save programs and data from their Windows XP workstations. Historically
    we've been using PC Netlink, Sun's version of Lanman, but this isn't
    compatible with AD 2003 so we need to move to Samba.

    We're struggling to establish a mapping between domain user accounts and
    UNIX user accounts that are similarly named (the same naming convention
    is used for both). My understanding of Samba, albeit sketchy, was that
    it could automatically make a mapping between local and domain accounts
    of the same name. However, this doesn't appear to be happening. If I set
    a file's permissions for a specified user in Solaris it appears in the
    file's security within Windows, but the user is listed as a Unix User
    along the lines of:

    u123456 (Unix User\u123456)

    I was expecting that there should be an implicit mapping between u123456
    in Solaris and domain\u123456 but maybe I've got the wrong end of the
    stick. We need to maintain the local users so that we can control who
    has access to the server software, and we maintain password aging both
    on the server and the domain so maintaining a separate password database
    for Samba would be a complication. An extract from nsswitch.conf and
    (edited) smb.conf are included below.

    As you will see from nsswitch.conf, we are using winbind. wbinfo will
    resolve any domain information and getent passwd will return domain user
    accounts.

    Many thanks in advance.

    nsswitch.conf:

    passwd: files winbind
    group: files winbind

    hosts: files dns winbind

    smb.conf:

    [global]
    workgroup = our-domain-name
    netbios aliases = mc18unxa
    # dual nics: the netmask is correct for our network
    interfaces = xx.xx.xxx.xx/255.255.240.0, yy.yy.yyy.yy/255.255.240.0
    security = DOMAIN
    null passwords = Yes
    password server = *
    passdb backend = tdbsam
    lanman auth = No
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    log level = 1
    log file = /var/samba/log/log.%m
    max log size = 50000
    load printers = No
    dns proxy = No
    ldap ssl = no
    idmap uid = 10000-100000000
    idmap gid = 10000-100000000
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    create mask = 0644
    directory mask = 0775
    hosts deny = none
    case sensitive = No
    preserve case = No
    domain master = no
    local master = no
    preferred master = no
    os level = 0

    [dosptn]
    path = /dosptn
    read only = No
    inherit permissions = Yes
    guest ok = Yes


    ----------------------------------------
    Nigel Pain
    The Scottish Government
    Corporate Systems Support
    Information Systems and Information Services (ISIS)
    Victoria Quay
    EDINBURGH
    EH6 6QQ
    UK

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Retry: Mapping AD domain users to UNIX users

    Perhaps it is not a good idea to use the same names for a Unix User and
    the AD User.

    If for example you have unix-user xyz with uid=7738

    and an AD-User xyz so the AD-User xyz gets via winbind perhaps uid=199300

    What answer should
    id xyz

    give?

    Bardo

    Nigel.Pain@scotland.gsi.gov.uk schrieb:
    > I posted this last week but haven't heard anything. I'm not sure if this
    > is because nobody knows the answer (can't believe that!) or I'm missing
    > something obvious in the documentation and people are thinking "Read The
    > Fine Manual". Whatever the reason, if anyone has any insights into this
    > problem I'd be very grateful for their comments.
    >
    > We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
    > Solaris 9 as a member server, using "security = DOMAIN" in an Active
    > Directory 2003 domain. The server is primarily an application server,
    > running SAS software, but we have a share to Windows to enable users to
    > save programs and data from their Windows XP workstations. Historically
    > we've been using PC Netlink, Sun's version of Lanman, but this isn't
    > compatible with AD 2003 so we need to move to Samba.
    >
    > We're struggling to establish a mapping between domain user accounts and
    > UNIX user accounts that are similarly named (the same naming convention
    > is used for both). My understanding of Samba, albeit sketchy, was that
    > it could automatically make a mapping between local and domain accounts
    > of the same name. However, this doesn't appear to be happening. If I set
    > a file's permissions for a specified user in Solaris it appears in the
    > file's security within Windows, but the user is listed as a Unix User
    > along the lines of:
    >
    > u123456 (Unix User\u123456)
    >
    > I was expecting that there should be an implicit mapping between u123456
    > in Solaris and domain\u123456 but maybe I've got the wrong end of the
    > stick. We need to maintain the local users so that we can control who
    > has access to the server software, and we maintain password aging both
    > on the server and the domain so maintaining a separate password database
    > for Samba would be a complication. An extract from nsswitch.conf and
    > (edited) smb.conf are included below.
    >
    > As you will see from nsswitch.conf, we are using winbind. wbinfo will
    > resolve any domain information and getent passwd will return domain user
    > accounts.
    >
    > Many thanks in advance.
    >
    > nsswitch.conf:
    >
    > passwd: files winbind
    > group: files winbind
    >
    > hosts: files dns winbind
    >
    > smb.conf:
    >
    > [global]
    > workgroup = our-domain-name
    > netbios aliases = mc18unxa
    > # dual nics: the netmask is correct for our network
    > interfaces = xx.xx.xxx.xx/255.255.240.0, yy.yy.yyy.yy/255.255.240.0
    > security = DOMAIN
    > null passwords = Yes
    > password server = *
    > passdb backend = tdbsam
    > lanman auth = No
    > client NTLMv2 auth = Yes
    > client lanman auth = No
    > client plaintext auth = No
    > log level = 1
    > log file = /var/samba/log/log.%m
    > max log size = 50000
    > load printers = No
    > dns proxy = No
    > ldap ssl = no
    > idmap uid = 10000-100000000
    > idmap gid = 10000-100000000
    > winbind enum users = Yes
    > winbind enum groups = Yes
    > winbind use default domain = Yes
    > create mask = 0644
    > directory mask = 0775
    > hosts deny = none
    > case sensitive = No
    > preserve case = No
    > domain master = no
    > local master = no
    > preferred master = no
    > os level = 0
    >
    > [dosptn]
    > path = /dosptn
    > read only = No
    > inherit permissions = Yes
    > guest ok = Yes
    >
    >
    > ----------------------------------------
    > Nigel Pain
    > The Scottish Government
    > Corporate Systems Support
    > Information Systems and Information Services (ISIS)
    > Victoria Quay
    > EDINBURGH
    > EH6 6QQ
    > UK

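Bardo's point about a local account and a winbind-mapped domain account that share a name, as an added example that is not part of the thread: the script below simulates the "passwd: files winbind" lookup order from the poster's nsswitch.conf on constructed passwd data and lists the names whose uids differ between the two sources. The sample file contents, the uids and the OUR-DOMAIN home directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. With "passwd: files winbind" a
# name lookup stops at the first source that knows the name, so a local
# account wins over the winbind-mapped domain account of the same name. A
# file owned by the winbind uid therefore has no matching domain user when
# Windows reads the ACL and is shown as "Unix User\name".

# Resolve a name the way "passwd: files winbind" would: first hit wins.
# $1 = name, $2 = local passwd file, $3 = winbind-style passwd file.
nss_uid() {
    awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2" "$3"
}

# Print "name local_uid winbind_uid" for every name present in both sources
# with differing uids. On a real host $1 would be /etc/passwd and $2 the
# winbind entries from "getent passwd"; here both are constructed files.
uid_collisions() {
    awk -F: 'NR == FNR { local[$1] = $3; next }
             ($1 in local) && local[$1] != $3 { print $1, local[$1], $3 }' "$1" "$2"
}

# Constructed sample data: one clash (u123456) and one domain-only user.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOCAL_PASSWD="$WORK/passwd.files"
WINBIND_PASSWD="$WORK/passwd.winbind"
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
u123456:x:7738:100:Sample User:/export/home/u123456:/bin/ksh
sas:x:501:100:SAS Software:/opt/sas:/bin/sh
EOF
cat > "$WINBIND_PASSWD" <<'EOF'
u123456:*:10001:10000:u123456:/home/OUR-DOMAIN/u123456:/bin/false
u654321:*:10002:10000:u654321:/home/OUR-DOMAIN/u654321:/bin/false
EOF

uid_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD"   # u123456 7738 10001
nss_uid u123456 "$LOCAL_PASSWD" "$WINBIND_PASSWD"  # 7738 (files wins)
nss_uid u654321 "$LOCAL_PASSWD" "$WINBIND_PASSWD"  # 10002 (winbind only)
```

Any name reported by uid_collisions is one where "id name" and the uid winbind stores in the tdb idmap disagree, which is the situation Bardo describes.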

  3. Re: [Samba] Retry: Mapping AD domain users to UNIX users

    On Wed, 23 Jan 2008, Nigel.Pain@scotland.gsi.gov.uk wrote:

    > We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
    > Solaris 9 as a member server, using "security = DOMAIN" in an Active
    > Directory 2003 domain. The server is primarily an application server,
    > running SAS software, but we have a share to Windows to enable users to
    > save programs and data from their Windows XP workstations. Historically
    > we've been using PC Netlink, Sun's version of Lanman, but this isn't
    > compatible with AD 2003 so we need to move to Samba.
    >
    > We're struggling to establish a mapping between domain user accounts and
    > UNIX user accounts that are similarly named (the same naming convention
    > is used for both). My understanding of Samba, albeit sketchy, was that
    > it could automatically make a mapping between local and domain accounts
    > of the same name. However, this doesn't appear to be happening. If I set
    > a file's permissions for a specified user in Solaris it appears in the
    > file's security within Windows, but the user is listed as a Unix User
    > along the lines of:
    >
    > u123456 (Unix User\u123456)
    >
    > I was expecting that there should be an implicit mapping between u123456
    > in Solaris and domain\u123456 but maybe I've got the wrong end of the
    > stick. We need to maintain the local users so that we can control who
    > has access to the server software, and we maintain password aging both
    > on the server and the domain so maintaining a separate password database
    > for Samba would be a complication. An extract from nsswitch.conf and
    > (edited) smb.conf are included below.
    >
    > As you will see from nsswitch.conf, we are using winbind. wbinfo will
    > resolve any domain information and getent passwd will return domain user
    > accounts.


    If your Solaris system already has unix system accounts with the same
    usernames as the Windows accounts, then you do not need to run winbind.
    That's how we run our Solaris and Linux systems here. Unix users are
    populated from ldap using the nss_ldap module, and Samba is a member of
    the domain (security=domain).

    Andy
