Ben Love on 26 Mar 2010 19:07:43 -0700
* Mike Leone wrote on [2010-03-26 21:44:40 -0400]:
> Ben Love had this to say:
> > $ cat /etc/samba/smb.conf
> >
> > use kerberos keytab = true
> > client use spnego = true
>
> Those are new to me .. OK ...
>
> >
> > # WINBIND
> > #idmap domains = COMPANY
> > idmap config COMPANY: default = true
> > idmap config COMPANY: backend = rid
>
> I have "idmap backend = ad"
>
> The Samba part is working fine, I think. I have it joined to the AD:

I have to admit I'm not sure what all the options in smb.conf do. My coworker created that part, and I just copy his file around. I'll try to find out what idmap backend really does.

> > <edit nsswitch.conf to add winbind to group and passwd>
> > $ head -3 /etc/nsswitch.conf
> > passwd: compat winbind
> > group: compat winbind
>
> I have "compat winbind ldap"
>
> > shadow: compat
> >
> > <test winbind/nss/AD integration with getent>
> > $ getent passwd
> > <SNIP: lots of output, including AD users>
> > $ getent group
> > <SNIP: lots of output, including AD groups>
>
> I don't see the AD users ... but I *do* see AD groups ...

This stuff is key. If getent passwd isn't working, PAM most certainly won't be able to find the users. This is your problem for sure.

I'm fairly certain that winbind will do all the user/group lookups you need, so no need for ldap in the "compat winbind ldap" list. Indeed, I would remove any nss-ldap packages you have installed entirely. We never use/need them.

So, your problem is with winbind (or potentially samba/winbind interaction). I think your next goal is to understand exactly what the idmap options in smb.conf do. In general, they map AD users to Linux uids. Once you know your options are set right, make sure you restart samba and winbind both (possibly several times each!)

Sometimes winbind "messes up". I don't know how to describe it better than that. When it does, we have to remove the idmap cache files, restart samba and winbind, and then it /should/ work. The cache files are in /var/lib/samba/{group_mapping,winbindd_idmap}.tdb. I'm not sure what secrets.tdb does, so don't remove that one.

You'll know it's working when getent passwd and getent group are both returning AD entries.

Ben

--
Ben Love
http://www.kylimar.com/
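The mail above points at the idmap options as the thing to understand. As an added illustration (not code from the thread or from Samba), the block below performs the arithmetic that the idmap_rid backend behind "idmap config COMPANY: backend = rid" uses, SID in, uid/gid out and back; the domain SID and the id range are constructed values, since the quoted smb.conf shows neither. A SID whose RID lands outside the range gets no Unix id at all, which is one way an AD account can be missing from getent output while winbind itself is running.

```python
"""idmap_rid mapping, worked through. Added example; not from the thread.

idmap_rid maps a SID from the configured domain arithmetically:
    unix_id = RID - base_rid + low_range        (base_rid defaults to 0)
and yields no mapping for SIDs of other domains or for results that fall
outside the configured [low_range, high_range].
"""

DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed, not the thread's
LOW_RANGE, HIGH_RANGE = 10000, 19999                     # assumed "range = 10000-19999"
BASE_RID = 0                                              # idmap_rid default


def split_sid(sid: str):
    """Return (domain_sid, rid) for a SID like S-1-5-21-...-1105."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_unix_id(sid: str, domain_sid=DOMAIN_SID, low=LOW_RANGE,
                   high=HIGH_RANGE, base_rid=BASE_RID):
    """Map a SID to a uid/gid the way idmap_rid does; None means no mapping."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None                      # another domain or a well-known SID
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None                      # RID would land outside the range
    return unix_id


def unix_id_to_sid(unix_id: int, domain_sid=DOMAIN_SID, low=LOW_RANGE,
                   high=HIGH_RANGE, base_rid=BASE_RID):
    """Reverse direction, as used when a uid is looked up by number."""
    if unix_id < low or unix_id > high:
        return None
    return f"{domain_sid}-{unix_id - low + base_rid}"


if __name__ == "__main__":
    for sid in (DOMAIN_SID + "-1105", DOMAIN_SID + "-20000", "S-1-5-32-544"):
        print(sid, "->", sid_to_unix_id(sid))
```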
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug