Ben Love on 26 Mar 2010 19:07:43 -0700


Re: [PLUG] using OpenLDAP with Active Directory

* Mike Leone wrote on [2010-03-26 21:44:40 -0400]:
> Ben Love had this to say:
> > $ cat /etc/samba/smb.conf
> >         use kerberos keytab = true
> >         client use spnego = true
> Those are new to me .. OK ...
> > 
> >         # WINBIND
> >         #idmap domains = COMPANY
> >         idmap config COMPANY: default = true
> >         idmap config COMPANY: backend = rid
> I have "idmap backend = ad"
> The Samba part is working fine, I think. I have it joined to the AD:

I have to admit I'm not sure what all the options in smb.conf do.  My
coworker created that part, and I just copy his file around.  I'll try
to find out what idmap backend really does.

> > <edit nsswitch.conf to add winbind to group and passwd>
> > $ head -3 /etc/nsswitch.conf
> > passwd:    compat winbind
> > group:     compat winbind
> I have "compat winbind ldap"
> > shadow:    compat
> > 
> > <test winbind/nss/AD integration with getent>
> > $ getent passwd
> > <SNIP: lots of output, including AD users>
> > $ getent group
> > <SNIP: lots of output, including AD groups>
> I don't see the AD users ... but I *do* see AD groups ...

This stuff is key.  If getent passwd isn't working, pam most certainly
won't be able to find the users.  This is your problem for sure.  I'm
fairly certain that winbind will do all the user/group lookups you need,
so no need for ldap in the "compat winbind ldap" list.  Indeed, I would
remove any nss-ldap packages you have installed entirely.  We never
use/need them.

So, your problem is with winbind (or potentially samba/winbind
interaction).  I think your next goal is to understand exactly what the
idmap options in smb.conf do.  In general, they map AD users to linux
uids.  Once you know your options are set right, make sure you restart
samba and winbind both (possibly several times each!).

Sometimes winbind "messes up".  I don't know how to describe it better
than that.  When it does, we have to remove the idmap cache files,
restart samba and winbind, and then it /should/ work.  The cache files
are in /var/lib/samba/{group_mapping,winbindd_idmap}.tdb.  I'm not sure
what secrets.tdb does, so don't remove that one.

You'll know it's working when getent passwd and getent group are both
returning AD entries.


Ben Love
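The "you'll know it's working" test from the reply, as a small added check script that is not part of the thread: it runs the nsswitch/getent verdict over constructed sample output (the domain name COMPANY comes from the quoted smb.conf; the sample users, groups and the function names are assumptions).

```shell
#!/bin/sh
# Constructed sample text standing in for /etc/nsswitch.conf, `getent passwd`
# and `getent group` on a host where winbind serves the COMPANY domain.
SAMPLE_NSSWITCH='passwd:    compat winbind
group:     compat winbind ldap
shadow:    compat'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
local1:x:1000:1000:Local User:/home/local1:/bin/bash
COMPANY\jdoe:*:10001:10000:John Doe:/home/COMPANY/jdoe:/bin/bash
COMPANY\asmith:*:10002:10000:Anne Smith:/home/COMPANY/asmith:/bin/bash'
SAMPLE_GROUP='root:x:0:
users:x:100:
COMPANY\domain users:x:10000:
COMPANY\linux admins:x:10003:'

# Count getent lines whose name starts with "DOMAIN<sep>"; winbind's default
# separator is a backslash, pass $3 if smb.conf sets "winbind separator".
count_domain_entries() {
    sep=$3; [ -n "$sep" ] || sep='\'
    prefix="$2$sep"
    printf '%s\n' "$1" | {
        n=0
        while IFS=: read -r name _rest; do
            case "$name" in "$prefix"*) n=$((n + 1)) ;; esac
        done
        echo "$n"
    }
}

# Succeed when nsswitch.conf text ($1) lists winbind as a source for database $2.
nss_has_winbind() {
    printf '%s\n' "$1" | {
        while read -r db sources; do
            [ "$db" = "$2:" ] || continue
            for src in $sources; do [ "$src" = winbind ] && exit 0; done
        done
        exit 1
    }
}

# Verdict: passwd and group must both route through winbind in nsswitch.conf
# and both must return AD entries. $1 nsswitch, $2 passwd, $3 group, $4 domain
winbind_status() {
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || { echo "FAIL: $db lacks winbind in nsswitch.conf"; return 1; }
    done
    [ "$(count_domain_entries "$2" "$4")" -gt 0 ] || { echo "FAIL: no $4 users from getent passwd"; return 1; }
    [ "$(count_domain_entries "$3" "$4")" -gt 0 ] || { echo "FAIL: no $4 groups from getent group"; return 1; }
    echo "OK: winbind resolves $4 users and groups"
}

# On a real host: winbind_status "$(cat /etc/nsswitch.conf)" "$(getent passwd)" "$(getent group)" COMPANY
winbind_status "$SAMPLE_NSSWITCH" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" COMPANY
```

The symptom in the thread (AD groups visible, AD users missing) makes the passwd check fail first, which points at the idmap/winbind side rather than at nsswitch.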


Philadelphia Linux Users Group