Mike Leone on 26 Mar 2010 19:19:07 -0700



Re: [PLUG] using OpenLDAP with Active Directory


Ben Love had this to say:

>>> <test winbind/nss/AD integration with getent>
>>> $ getent passwd
>>> <SNIP: lots of output, including AD users>
>>> $ getent group
>>> <SNIP: lots of output, including AD groups>
>> I don't see the AD users ... but I *do* see AD groups ...

I was wrong; I am *not* seeing AD groups. Or not all of them ... I get 
all the Linux groups, then I get ...

BUILTIN\administrators:x:10001:servicerunner,leonem,turgon,administrator,WORKHORSE\root
BUILTIN\users:x:10002:

Those users are AD users, but I don't see the AD groups (Domain Admins, etc)

>>
> 
> This stuff is key.  If getent passwd isn't working, pam most certainly
> won't be able to find the users.  This is your problem for sure.  

I think you're right. Just don't know why (yet).

> I'm fairly certain that winbind will do all the user/group lookups you need,
> so no need for ldap in "compat winbind ldap" list.  Indeed, I would
> remove any nss-ldap packages you have installed entirely.  We never
> use/need them.

Hrm .. I can try that ...

> So, your problem is with winbind (or potentially samba/winbind
> interaction).  I think your next goal is to understand exactly what the
> idmap options in smb.conf do.  In general, they map AD users to linux
> uids.  Once you know your options are set right, make sure you restart
> samba and winbind both (possibly several times each!)

"wbinfo -u" and "wbinfo -g" do properly return all AD users and groups ..

I will dig into the "idmap" option ...

> 
> Sometimes winbind "messes up".  I don't know how to describe it better
> than that.  When it does, we have to remove the idmap cache files,
> restart samba and winbind, and then it /should/ work.  The cache files
> are in /var/lib/samba/{group_mapping,winbindd_idmap}.tdb.  I'm not sure
> what secrets.tdb does, so don't remove that one.
> 
> You'll know it's working when getent passwd and getent group are both
> returning AD entries.

I'll keep plugging away at it.

Thanks for the help.
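An added diagnostic for the symptom this thread is chasing (wbinfo enumerates every AD user and group, but getent passwd and getent group return only some of them), written for this page and not taken from the thread or from Samba. The domain name EXAMPLE, the account and group names and all of the sample wbinfo, getent and nsswitch.conf output are constructed for illustration; the two cache file paths are the ones named in Ben's reply. It compares the names winbind can enumerate against the first field of what NSS returns, checks that nsswitch.conf actually lists winbind for the database in question, and wraps the cache-clearing step in a function that leaves secrets.tdb alone, since that file holds the machine account password that keeps the host joined to the domain.

```shell
#!/bin/sh
# Added example, not from the original thread. Domain name, account names
# and all sample outputs below are constructed for illustration.

# Constructed `wbinfo -u` output: every domain user winbind can enumerate.
WBINFO_USERS='EXAMPLE\administrator
EXAMPLE\leonem
EXAMPLE\servicerunner'

# Constructed `getent passwd` output: local accounts plus only one AD user.
GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
leonem:x:1000:1000:Mike Leone:/home/leonem:/bin/bash
EXAMPLE\administrator:*:10000:10001::/home/EXAMPLE/administrator:/bin/false'

# Constructed `wbinfo -g` output.
WBINFO_GROUPS='BUILTIN\administrators
BUILTIN\users
EXAMPLE\domain admins
EXAMPLE\domain users'

# Constructed `getent group` output: the BUILTIN groups resolve, the domain
# groups do not (the shape reported in the message above).
GETENT_GROUP='root:x:0:
BUILTIN\administrators:x:10001:servicerunner,leonem,administrator
BUILTIN\users:x:10002:'

# missing_from_nss WBINFO_OUTPUT GETENT_OUTPUT
#   Prints, one per line, every name winbind enumerates that does not appear
#   as the first field of any NSS entry. Names are compared exactly, so with
#   "winbind use default domain = yes" (which drops the DOMAIN\ prefix from
#   NSS output) the comparison would have to be done on the stripped form.
missing_from_nss() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$2" | cut -d: -f1 | grep -Fqx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# nss_uses_winbind NSSWITCH_TEXT DATABASE
#   Succeeds if the given database line (passwd or group) of an nsswitch.conf
#   body lists winbind. Without that, getent never consults winbind at all,
#   whatever wbinfo reports.
nss_uses_winbind() {
    printf '%s\n' "$1" | grep -E "^[[:space:]]*$2:" | grep -qw winbind
}

# Constructed nsswitch.conf body: passwd consults winbind, group does not.
NSSWITCH='passwd:  compat winbind
group:   compat
shadow:  compat'

# reset_idmap_cache
#   The cache-clearing step from the reply above, as a function. It removes
#   only the two idmap/group-mapping caches named there and deliberately
#   leaves secrets.tdb alone: that file holds the machine account password
#   that keeps the host joined to the domain. Set DRY_RUN=1 to only print.
reset_idmap_cache() {
    for f in /var/lib/samba/group_mapping.tdb /var/lib/samba/winbindd_idmap.tdb; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove $f"
        else
            rm -f -- "$f"
        fi
    done
}

# Live check when run on a host with winbind installed; skipped elsewhere.
if command -v wbinfo >/dev/null 2>&1 && command -v getent >/dev/null 2>&1; then
    echo "AD users winbind enumerates but NSS cannot resolve:"
    missing_from_nss "$(wbinfo -u 2>/dev/null)" "$(getent passwd)"
    echo "AD groups winbind enumerates but NSS cannot resolve:"
    missing_from_nss "$(wbinfo -g 2>/dev/null)" "$(getent group)"
fi
```

On the constructed data the user check reports EXAMPLE\leonem and EXAMPLE\servicerunner, and the group check reports the two domain groups while the BUILTIN ones pass, which is exactly the split between "wbinfo works" and "getent does not" that points at nsswitch.conf or the idmap configuration rather than at the AD connection itself. Run it as root on the winbind host, and only call reset_idmap_cache after stopping samba and winbind, restarting both afterwards as the reply describes.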

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug