[Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind - Samba


  1. [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

    Hi,

    I read at least 100 different documentations during the last week and
    didn't get it. So I decided to ask the list for help.

    Unfortunately we have to move to a Windows 2008 Server ADS in our
    company as this is required for some other projects. But we want to
    keep our nice 5+ samba-server providing fast 50TB+ of storage.

    So we have to find a way to nicely integrate the storage with the new
    ADS installed. Therefore I installed a Testlab consisting of 2 debian
    etch storage-servers with each 12TB lvm-based storage attached. Also we
    have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some Windows
    XP 32 and 64 Bit clients as workstations for testing.

    Now we set up everything and decided to use samba 3.2.0 as some
    bugs related to W2k8 server are solved there. So I built debian packages from
    experimental for etch and installed them. Then I set up kerberos and
    samba using "security = ads". Everything works great. I can get a
    kerberos ticket with kinit, and I can join the ADS with "net ads join
    -Uadministrator". I set up /etc/nsswitch to use winbind and I can
    request user information successfully.

    But now I have to set up shared IDMAP for my samba servers to have the
    same UIDs and GIDs on all machines. As it would be nice to have all that
    on the ADS server I tried the following for days without success and
    that is where I need help:

    - I installed the "MS Identity Management for Unix"
    - I added UID, Homedir, Shell and "Default Group" to the AD User
    - I set "Unix Attr" for my groups
    - I configured samba as follows:

    ----- snip -----

    [global]
    workgroup = TESTLAB
    realm = TESTLAB.COMPANY.COM
    netbios name = filesrv001
    server string = Samba Storage Fileserver 001 (%v)
    security = ADS
    idmap domains = BUILTIN, TESTLAB
    idmap config TESTLAB:backend = ad
    idmap config TESTLAB:default = yes
    idmap config TESTLAB:schema_mode = rfc2307
    idmap config BUILTIN:backend = tdb
    idmap config BUILTIN:base_rid = 800
    idmap config BUILTIN:range = 800-999
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind nested groups = Yes
    password server = WIN-RXYDW1KO5DH.testlab.company.com
    wins server = WIN-RXYDW1KO5DH.testlab.company.com
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    hide unreadable = yes
    hide dot files = yes
    unix charset = LOCALE
    log level = 5

    [big_data]
    comment = Very Big Share
    path = /SERV
    browseable = yes
    guest ok = no
    valid users = "@STGT\entenhausen"
    create mask = 660
    directory mode = 770
    writeable = yes
    readonly = no
    force group = "STGT\entenhausen"

    ----- snip -----

    - I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
    - I deleted the join on the ADS
    - Then I rebooted the Linux-Server, re-joined the ADS
    - And I can retrieve the user with getent and it has its UID

    filesrv001:/var/log/samba# getent passwd tic.tic
    tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false

    - But the default group, the home-dir and the shell is not right
    - seems like the values are not retrieved correctly from ADS
    - also strange: I set up the second storage with the same configs
    - only changed names
    - if I retrieve the user-information there
    - it looks like this

    getent passwd tic.tic
    tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false

    - so the default-group is changing
    - but it's still not the value listed in the ADS

    Any ideas on that? Did I get something completely wrong? I'll now take a
    closer look at the Win 2008 logfiles and I'll check the communication
    with tcpdump. But I'm mostly stuck and really could need some hints.
    Or should I try another solution? IDMAP-RID cannot be used as we are
    planning a "trust domain" setup.

    Thank you and best regards

    Daniel

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. [Samba] Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

    Hi again,

    On Fri, 2008-06-27 at 13:31 +0200, Samba-Liste wrote:
    > Hi,
    >
    > I read at least 100 different documentations during the last week and
    > didn't get it. So I decided to ask the list for help
    >


    - the problem is solved now. I found this in the logs on linux-side:

    log.winbindd: Error loading module
    '/usr/lib/samba/nss_info/rfc2307.so': /usr/lib/samba/nss_info/rfc2307.so: cannot open shared object file: No such file or directory

    - which took me to this message of Jerry Carter:

    http://lists.samba.org/archive/samba...il/140030.html

    - So I went to /usr/lib/samba
    - created the nss_info directory
    - in there I made a symbolic link rfc2307.so to ../idmap/ad.so
    - restarted samba and winbind and all is fine

    I'll contact the maintainer of the debian experimental samba 3.2.0
    packages. Maybe he can fix this in the build description.

    Jerry, thanks for all your magic posts

    best regards

    Daniel

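
Added example (not part of the original post): the root cause above was that `winbind nss info = rfc2307` named a plugin file that the package did not ship. The shell function below reads an smb.conf and reports every winbind plugin it references that is absent from the module directory. It goes beyond the post by also checking the `idmap config ...:backend` entries. `check_winbind_modules` is a hypothetical helper; the layout `<moddir>/idmap/<name>.so` and `<moddir>/nss_info/<name>.so` follows the paths in the post, and treating `tdb` and `template` as compiled in is an assumption to adjust for your build.

```shell
#!/bin/sh
# Added example, not from the thread. check_winbind_modules is a
# hypothetical helper.

# check_winbind_modules SMB_CONF MODDIR
# Prints "MISSING <path>" for each referenced plugin that does not exist
# (a dangling symlink counts as missing) and returns 1 if any is missing.
check_winbind_modules() {
    conf=$1
    moddir=$2
    builtin="tdb template"   # assumption: linked statically into winbindd
    status=0

    # Normalise: drop comment lines, squeeze whitespace, lowercase.
    norm=$(sed -e 's/^[[:space:]]*[#;].*//' \
               -e 's/[[:space:]][[:space:]]*/ /g' \
               -e 's/^ //' "$conf" | tr '[:upper:]' '[:lower:]')

    # "idmap config DOMAIN:backend = ad"  ->  ad
    backends=$(printf '%s\n' "$norm" |
        sed -n 's/^idmap config [^:]*: *backend *= *\([a-z0-9_]*\).*/\1/p')

    # "winbind nss info = rfc2307 sfu:DOMAIN"  ->  rfc2307, sfu
    nssinfo=$(printf '%s\n' "$norm" |
        sed -n 's/^winbind nss info *= *//p' | tr ' ' '\n' | sed 's/:.*//')

    wanted=$( { for b in $backends; do echo "idmap/$b"; done
                for n in $nssinfo;  do echo "nss_info/$n"; done; } | sort -u )

    for w in $wanted; do
        name=${w##*/}
        case " $builtin " in *" $name "*) continue ;; esac
        if [ ! -e "$moddir/$w.so" ]; then
            echo "MISSING $moddir/$w.so"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed tree that mirrors the situation in the post:
# idmap/ad.so is installed, nss_info/rfc2307.so is not.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/lib/idmap"
: > "$demo_root/lib/idmap/ad.so"
cat > "$demo_root/smb.conf" <<'EOF'
[global]
    idmap config TESTLAB:backend = ad
    idmap config BUILTIN:backend = tdb
    winbind nss info = rfc2307
EOF
check_winbind_modules "$demo_root/smb.conf" "$demo_root/lib" \
    || echo "winbindd would fail to load at least one plugin"
rm -rf "$demo_root"
```

On the system from the post the call would be `check_winbind_modules /etc/samba/smb.conf /usr/lib/samba`, assuming the usual Debian location for smb.conf.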

  3. [Samba] Solaris blastwave.org Version 3.0.23b doesn't read new information from /etc/passwd and /etc/group

    Hi,

    How would I make samba re-read group and user information? Is there a .tdb file that needs to be deleted?

    I have recently added more supplementary groups for a user in /etc/group, but the information isn't coming through in the logs, all I get is this:

    [2008/06/27 07:51:24, 5] auth/auth_util.c474)
    UNIX token of user 11001
    Primary group is 11000 and contains 0 supplementary groups

    There should definitely be more than 0 supplementary groups.

    e.g.

    # grep 11001 /etc/passwd
    bob:x:11001:11000::/home/bob:/bin/bash

    # grep bob /etc/group
    everyone_otl::11000:bob
    operators_otl::11002:bob
    svneditors_otl::11003:bob

    Cheers

  4. [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Hi,

    sorry, it's me again:

    On Fri, 2008-06-27 at 17:35 +0200, Samba-Liste wrote:
    > Hi again,
    >
    > On Fri, 2008-06-27 at 13:31 +0200, Samba-Liste wrote:
    > > Hi,
    > >
    > > I read at least 100 different documentations during the last week and
    > > didn't get it. So I decided to ask the list for help
    > >

    >
    > - the problem is solved now. I found this in the logs on linux-side:


    - but another problem occurred now
    - the setup worked nice yesterday evening until it stopped working
    - as I tried a login this morning it didn't work anymore
    - if I try a "getent passwd " I get nothing back
    - no login via pam_winbind is possible
    - But I see a winbind core-dump in the logs:

    ----- snip -----

    [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(40)
    ===============================================================
    [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(41)
    INTERNAL ERROR: Signal 11 in pid 4897 (3.2.0rc2)
    Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(43)

    From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2008/06/28 09:51:02, 0] lib/fault.c:fault_report(44)
    ===============================================================
    [2008/06/28 09:51:02, 0] lib/util.c:smb_panic(1666)
    PANIC (pid 4897): internal error
    [2008/06/28 09:51:02, 0] lib/util.c:log_stack_trace(1770)
    BACKTRACE: 19 stack frames:
    #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x815b36c]
    #1 /usr/sbin/winbindd(smb_panic+0x80) [0x815b4a8]
    #2 /usr/sbin/winbindd [0x8145fea]
    #3 [0xb7f13420]
    #4 /usr/lib/samba/nss_info/rfc2307.so [0xb787f8e9]
    #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x83d30e0]
    #6 /usr/sbin/winbindd(nss_get_info_cached+0x180) [0x80a67a5]
    #7 /usr/sbin/winbindd [0x80c40d4]
    #8 /usr/sbin/winbindd [0x80a820e]
    #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x8098372]
    #10 /usr/sbin/winbindd [0x80c89c5]
    #11 /usr/sbin/winbindd(async_request+0x1b2) [0x80c9fb3]
    #12 /usr/sbin/winbindd(init_child_connection+0x2bd) [0x809fa85]
    #13 /usr/sbin/winbindd(async_domain_request+0x139) [0x80ca23c]
    #14 /usr/sbin/winbindd [0x809fcfb]
    #15 /usr/sbin/winbindd(rescan_trusted_domains+0x49) [0x80a00f9]
    #16 /usr/sbin/winbindd(main+0xe00) [0x8095464]
    #17 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c72ea8]
    #18 /usr/sbin/winbindd [0x8092e11]
    [2008/06/28 09:51:02, 0] lib/fault.c:dump_core(201)
    dumping core in /var/log/samba/cores/winbindd

    ----- snip -----

    - I then did a "wbinfo -u" and "wbinfo -g"
    - both worked normally
    - afterwards "getent passwd " and pam-login worked again
    - but only for a few minutes then the same happened again

    ----- snip -----

    [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(40)
    ===============================================================
    [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(41)
    INTERNAL ERROR: Signal 11 in pid 5265 (3.2.0rc2)
    Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(43)

    From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2008/06/28 09:59:35, 0] lib/fault.c:fault_report(44)
    ===============================================================
    [2008/06/28 09:59:35, 0] lib/util.c:smb_panic(1666)
    PANIC (pid 5265): internal error
    [2008/06/28 09:59:35, 0] lib/util.c:log_stack_trace(1770)
    BACKTRACE: 22 stack frames:
    #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x815b36c]
    #1 /usr/sbin/winbindd(smb_panic+0x80) [0x815b4a8]
    #2 /usr/sbin/winbindd [0x8145fea]
    #3 [0xb7f13420]
    #4 /usr/lib/samba/nss_info/rfc2307.so [0xb785e8e9]
    #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x83d30e0]
    #6 /usr/sbin/winbindd(nss_get_info_cached+0x180) [0x80a67a5]
    #7 /usr/sbin/winbindd [0x80c40d4]
    #8 /usr/sbin/winbindd [0x80a820e]
    #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x8098372]
    #10 /usr/sbin/winbindd [0x80c89c5]
    #11 /usr/sbin/winbindd(async_request+0x1b2) [0x80c9fb3]
    #12 /usr/sbin/winbindd(async_domain_request+0x57) [0x80ca15a]
    #13 /usr/sbin/winbindd(do_async_domain+0x14e) [0x80cbfb6]
    #14 /usr/sbin/winbindd(winbindd_lookupname_async+0x29d) [0x80ccdf7]
    #15 /usr/sbin/winbindd(winbindd_getpwnam+0x37f) [0x8098044]
    #16 /usr/sbin/winbindd [0x8093b22]
    #17 /usr/sbin/winbindd [0x8093c39]
    #18 /usr/sbin/winbindd [0x8094598]
    #19 /usr/sbin/winbindd(main+0x1035) [0x8095699]
    #20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7c72ea8]
    #21 /usr/sbin/winbindd [0x8092e11]
    [2008/06/28 09:59:35, 0] lib/fault.c:dump_core(201)

    ----- snip -----

    - there's also this error in the logs I don't understand
    - but it seems not to be directly related to the core dump

    ----- snip -----

    [2008/06/28 09:56:11, 1] libsmb/clientgen.c:cli_rpc_pipe_close(554)
    cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x400d to
    machine WIN-6P6G74VAOZ7.testlab.company.com. Error was SUCCESS - 0
    [2008/06/28 09:56:11, 1] libsmb/clientgen.c:cli_rpc_pipe_close(554)
    cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x400b to
    machine WIN-6P6G74VAOZ7.testlab.company.com. Error was SUCCESS - 0
    [2008/06/28 09:56:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(666)
    ads_krb5_mk_req: krb5_get_credentials failed for WIN-6P6G74VAOZ7
    $@TESTLAB (Cannot resolve network address for KDC in requested realm)
    [2008/06/28 09:56:11, 1]
    libsmb/cliconnect.c:cli_session_setup_kerberos(626)
    cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
    resolve network address for KDC in requested realm

    ----- snip -----

    - Here comes my final smb.conf

    ----- snip -----

    [global]
    workgroup = TESTLAB
    realm = TESTLAB.COMPANY.COM
    netbios name = filesrv001
    server string = Samba Storage Fileserver 001 (%v)
    security = ADS
    idmap domains = BUILTIN, TESTLAB
    idmap config TESTLAB:backend = ad
    idmap config TESTLAB:default = yes
    idmap config TESTLAB:schema_mode = rfc2307
    idmap config TESTLAB:base_rid = 10000
    idmap config TESTLAB:range = 10000-100000
    idmap config BUILTIN:backend = tdb
    idmap config BUILTIN:base_rid = 800
    idmap config BUILTIN:range = 800-999
    idmap uid = 800-100000
    idmap gid = 800-100000
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind nested groups = Yes
    winbind offline logon = yes
    password server = WIN-6P6G74VAOZ7.TESTLAB.COMPANY.COM
    wins server = WIN-6P6G74VAOZ7.TESTLAB.COMPANY.COM
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    hide unreadable = yes
    hide dot files = yes
    unix charset = LOCALE
    log level = 1
    log file = /var/log/samba/log.%m

    [big_data]
    comment = Very Big Share
    path = /SERV
    browseable = yes
    guest ok = no
    valid users = "@TESTLAB\entenhausen"
    create mask = 660
    directory mode = 770
    writeable = yes
    readonly = no
    force group = "TESTLAB\entenhausen"

    ----- snip -----

    - Any Ideas what I can do now?
    - should I post more information as my pam.d files?
    - Is this a config issue or should I open a bug report?

    best regards

    Daniel


  5. Re: [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Have you tried using the 'nss_ldap' with the entry 'ldap' in your
    nsswitch.conf? I found that to be the best way to interface the LDAP
    backend in my case. I tried the pam route, but since Slackware does not
    ship with it, I found the nss_ldap module to be the path of least
    resistance. It's worth a shot if you have troubles with PAM modules,
    but it won't allow syncing of *nix and Windows passwords, IIRC.
    nss_ldap is available from PADL.

  6. Re: [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Hi Scott,

    thanks for the reply.

    On Sat, 2008-06-28 at 05:39 -0400, Scott Lovenberg wrote:
    > Samba-Liste wrote:
    > > Hi,


    [...]

    > >
    > >

    > Have you tried using the 'nss_ldap' with the entry 'ldap' in your
    > nsswitch.conf? I found that to be the best way to interface the LDAP
    > backend in my case. I tried the pam route, but since Slackware does


    that's how we do it right now as we have a Samba-LDAP-PDC. But didn't
    get it working against my new Windows 2008 ADS server. Can you provide
    sample configurations for nss_ldap to connect to an ADS server?

    thank you and best regards

    Daniel


  8. Re: [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Samba-Liste wrote:
    > Hi Scott,
    >
    > thanks for the reply.
    >
    > On Sat, 2008-06-28 at 05:39 -0400, Scott Lovenberg wrote:
    >
    >> Samba-Liste wrote:
    >>
    >>> Hi,
    >>>

    >
    > [...]
    >
    >
    >>>
    >>>

    >> Have you tried using the 'nss_ldap' with the entry 'ldap' in your
    >> nsswitch.conf? I found that to be the best way to interface the LDAP
    >> backend in my case. I tried the pam route, but since Slackware does
    >>

    >
    > that's how we do it right now as we have a Samba-LDAP-PDC. But didn't
    > get it working against my new Windows 2008 ADS server. Can you provide
    > sample configurations for nss_ldap to connect to an ADS server?
    >
    > thank you and best regards
    >
    > Daniel
    >
    >

    Sorry for the delay, I think I jumbled my email boxes

    This is off the top of my head (as my official Samba book is at home and
    I'm at work), but, all you should need is the nss_ldap module and the
    following lines in your /etc/nsswitch.conf:
    [...]
    passwd: files ldap winbind compat
    shadow: files ldap winbind compat
    group: files ldap winbind compat
    [...]


    This should enable getent passwd. IIRC, there are no dependencies for
    nss_ldap, it just needs to be compiled. At least on Slackware, as
    always, check with your upstream provider before compiling your own.

  9. Re: [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Scott Lovenberg wrote:
    > Samba-Liste wrote:
    >> Hi Scott,
    >>
    >> thanks for the reply.
    >>
    >> On Sat, 2008-06-28 at 05:39 -0400, Scott Lovenberg wrote:
    >>
    >>> Samba-Liste wrote:
    >>>
    >>>> Hi,
    >>>>

    >>
    >> [...]
    >>
    >>
    >>>>
    >>>>
    >>> Have you tried using the 'nss_ldap' with the entry 'ldap' in your
    >>> nsswitch.conf? I found that to be the best way to interface the LDAP
    >>> backend in my case. I tried the pam route, but since Slackware does
    >>>

    >>
    >> that's how we do it right now as we have a Samba-LDAP-PDC. But didn't
    >> get it working against my new Windows 2008 ADS server. Can you provide
    >> sample configurations for nss_ldap to connect to an ADS server?
    >>
    >> thank you and best regards
    >>
    >> Daniel
    >>
    >>

    > Sorry for the delay, I think I jumbled my email boxes
    >
    > This is off the top of my head (as my official Samba book is at home
    > and I'm at work), but, all you should need is the nss_ldap module and
    > the following lines in your /etc/nsswitch.conf:
    > [...]
    > passwd: files ldap winbind compat
    > shadow: files ldap winbind compat
    > group: files ldap winbind compat
    > [...]
    >
    >
    > This should enable getent passwd. IIRC, there are no dependencies for
    > nss_ldap, it just needs to be compiled. At least on Slackware, as
    > always, check with your upstream provider before compiling your own.

    Strange... I just noticed how you fixed the problem at first, are you
    sure that everything was compiled with the same libraries? Also, can
    you verify that ldap_nss was compiled with the "--enable-rfc2307bis"
    flag? Something isn't adding up. I fear I've missed something here.

    I was taking the missing nss directory to mean that you didn't have the
    correct nss modules installed, but I think you've just stumped me. Does
    anyone more qualified than myself have a feeling one way or the other on
    this? The fact that the library wasn't symlinked disturbs me a bit.
    Could this be conflicting libraries from different compiles?

  10. Re: [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

    Hi,

    Did you try using nis instead of winbind?
    I'm saying that because you are using MS Identity Management for Unix and this provides a nis server. This would provide you the same UIDs and GIDs on all machines.

    Marcos.


    --- On Fri, 27/6/08, Samba-Liste wrote:

    > From: Samba-Liste
    > Subject: [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
    > To: "samba"
    > Date: Friday, 27 June 2008, 8:31
    > Hi,
    >
    > I read at least 100 different documentations during the
    > last week and
    > didn't get it. So I decided to ask the list for help
    >
    > Unfortunately we have to move to a Windows 2008 Server ADS
    > in our
    > company as this is required for some other projects. But we
    > want to
    > keep our nice 5+ samba-server providing fast 50TB+ of
    > storage.
    >
    > So we have to find a way to nicely integrate the storage
    > with the new
    > ADS installed. Therefore I installed a Testlab consisting of
    > 2 debian
    > etch storage-servers with each 12TB lvm-based storage
    > attached. Also we
    > have 2 MS 2008 Server SP1 as PDC and BDC. Further we have
    > some Windows
    > XP 32 and 64 Bit clients as workstations for testing.
    >
    > Now we set up everything and decided to use samba 3.2.0 as some
    > bugs related to W2k8 server are solved there. So I built debian
    > packages from experimental for etch and installed them. Then I set up
    > kerberos and samba using "security = ads". Everything works
    > great. I can get a kerberos ticket with kinit, and I can join the ADS
    > with "net ads join -Uadministrator". I set up /etc/nsswitch to use
    > winbind and I can request user information successfully.
    >
    > But now I have to set up shared IDMAP for my samba servers
    > to have the
    > same UIDs and GIDs on all machines. As it would be nice to
    > have all that
    > on the ADS server I tried the following for days without
    > success and
    > that is where I need help:
    >
    > - I installed the "MS Identity Management for
    > Unix"
    > - I added UID, Homedir, Shell and "Default Group"
    > to the AD User
    > - I set "Unix Attr" for my groups
    > - I configured samba as follows:
    >
    > ----- snip -----
    >
    > [global]
    > workgroup = TESTLAB
    > realm = TESTLAB.COMPANY.COM
    > netbios name = filesrv001
    > server string = Samba Storage Fileserver 001 (%v)
    > security = ADS
    > idmap domains = BUILTIN, TESTLAB
    > idmap config TESTLAB:backend = ad
    > idmap config TESTLAB:default = yes
    > idmap config TESTLAB:schema_mode = rfc2307
    > idmap config BUILTIN:backend = tdb
    > idmap config BUILTIN:base_rid = 800
    > idmap config BUILTIN:range = 800-999
    > winbind nss info = rfc2307
    > winbind use default domain = yes
    > winbind nested groups = Yes
    > password server = WIN-RXYDW1KO5DH.testlab.company.com
    > wins server = WIN-RXYDW1KO5DH.testlab.company.com
    > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    > hide unreadable = yes
    > hide dot files = yes
    > unix charset = LOCALE
    > log level = 5
    >
    > [big_data]
    > comment = Very Big Share
    > path = /SERV
    > browseable = yes
    > guest ok = no
    > valid users = "@STGT\entenhausen"
    > create mask = 660
    > directory mode = 770
    > writeable = yes
    > readonly = no
    > force group = "STGT\entenhausen"
    >
    > ----- snip -----
    >
    > - I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
    > - I deleted the Join on the ADS
    > - Then I rebooted the Linux-Server, re-joined the ADS
    > - And I can retrieve the user with getent and it has its UID
    >
    > filesrv001:/var/log/samba# getent passwd tic.tic
    > tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false
    >
    > - But the default group, the home-dir and the shell is not right
    > - seems like the values are not retrieved correctly from ADS
    > - also strange: I set up the second storage with the same configs
    > - only changed names
    > - if I retrieve the user-information there
    > - it looks like this
    >
    > getent passwd tic.tic
    > tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false
    >
    > - so the default-group is changing
    > - but it's still not the value listed in the ADS
    >
    > Any ideas on that? Did I get something completely wrong? I'll now take a
    > closer look to the Win 2008 logfiles and I'll check the communication
    > with tcpdump. But I'm mostly stuck and really could need some hints.
    > Or should I try another solution? IDMAP-RID cannot be used as we are
    > planning a "trust domain" setup
    >
    > Thank you and best regards
    >
    > Daniel




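The two `getent passwd` results in the quoted message show the same UID with a different primary GID and GECOS on each server; where servers are meant to share one ID mapping, that drift means group ownership and permission checks will not agree between them. The following is an added example, not part of the thread or of Samba: it compares `getent passwd` output collected from several hosts and reports the fields that differ (the host name `filesrv002` and the function names are assumptions).

```python
from collections import defaultdict

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed sample: the two getent lines quoted in the thread, keyed by host.
# "filesrv002" is an assumed name; the thread does not name the second server.
SAMPLE = {
    "filesrv001": "tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false\n",
    "filesrv002": "tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false\n",
}


def parse_passwd(line):
    """Split one passwd(5) record into a dict; uid and gid become ints."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec


def find_drift(per_host_output):
    """Map {host: getent passwd output} to {user: {field: {host: value}}}.

    Only fields whose values differ between hosts are reported. A user that
    some host does not resolve at all is reported under the key "present".
    """
    seen = defaultdict(dict)
    for host, text in per_host_output.items():
        for line in filter(str.strip, text.splitlines()):
            rec = parse_passwd(line)
            seen[rec["name"]][host] = rec
    drift = {}
    for user, recs in seen.items():
        diffs = {}
        if len(recs) < len(per_host_output):
            diffs["present"] = {h: h in recs for h in per_host_output}
        for field in FIELDS[2:]:  # name is the key; passwd is only a placeholder
            values = {h: r[field] for h, r in recs.items()}
            if len(set(values.values())) > 1:
                diffs[field] = values
        if diffs:
            drift[user] = diffs
    return drift


if __name__ == "__main__":
    for user, diffs in find_drift(SAMPLE).items():
        for field, values in sorted(diffs.items()):
            print(f"{user}: {field} differs: {values}")
```
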
  11. Re: [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Hi again,

    On Sat, 2008-06-28 at 10:21 +0200, Samba-Liste wrote:
    > Hi,
    >
    > sorry, it's me again:


    I'm now using the 3.0.30-21 Samba from SerNET and disabled "winbind
    offline logon" in my setup. Since then I didn't get any more coredumps.
    If I enable "winbind offline logon" I still get random coredumps. At
    the moment I don't really need the feature. Should I anyhow provide more
    information on that?

    But I also had to add the symlinks in /usr/lib/samba/nss_info again for
    the SerNET packages. Therefore my question:

    Is it a "supported configuration" providing IDMAP information directly
    on a Windows 2008 AD server with "Identity Service for Unix" running?
    Using winbind and rfc2307? I was wondering because a lot of packages
    seem to lack nss_info dir and not many seem to miss it.

    I would really like to push this into production as I have all the ID
    stuff in one place (ADS) using one system (winbind/samba) for getting it
    into the unix world. But I need to be sure that this is a "supported
    configuration" which will be looked after in the ongoing development of
    samba. If not, what configuration is the recommended one in the scenario
    described earlier in this thread.

    thank you and best regards


    Daniel




  12. Re: [Samba] Winbind 3.2.0rc2 Coredump [was: Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind]

    Hi Daniel,

    On Fri, Jul 04, 2008 at 12:40:42PM +0200, Samba-Liste wrote:
    > But I also had to add the symlinks in /usr/lib/samba/nss_info again for
    > the SerNET packages. Therefore my question:


    that was a bug in the SerNet Samba packages for Debian. It is fixed with
    3.0.30-22 available at [1] meanwhile.


    Please contact samba@sernet.de if you discover any packaging issues with
    our Samba packages.

    Thank you very much!

    [1] ftp://ftp.sernet.de/pub/samba/recent/debian/dists/


    Cheers,
    Karolin

    --
    SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
    phone: +49-551-370000-0, fax: +49-551-370000-9
    AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
    http://www.SerNet.DE, mailto: Info @ SerNet.DE

