I'm having the toughest time getting this to work... I have a Windows 2000 domain and I'm in the process of adding a Samba fileserver... All of the setup guides I have seen point me in the right direction, but fail to provide assistance for my single problem...
Basically I've figured out that if I have security = share, I can run the getent passwd command and see the domain accounts in the list! That's great!!! But if I have security = ads, then the users disappear when I run the command, and I have to have a matching user account in Linux to access the shares at all, and that's just plain silly!!!
I do see one error in the log.winbindd but I am unable to get past it.
[2003/10/13 14:52:28, 1] nsswitch/winbindd.c:main(832)
winbindd version 3.0.0 started.
Copyright The Samba Team 2000-2003
[2003/10/13 14:52:29, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
Added domain DATANAT DATANAT.COM
[2003/10/13 14:52:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)
[2003/10/13 14:52:29, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
scanning trusted domain list
I did kinit, net ads join, and can test via wbinfo & smbclient... all is well!!! Just no getent passwd or groups.
I also don't see the Kerberos error when winbindd starts in share mode...
Where can I look? HELP!!!
I've given my smb.conf, krb5.conf, and ldap.conf... The nsswitch.conf is set and so are the PAMs.
SMB.CONF
[global]
workgroup = DATANAT
realm = DATANAT.COM
server string = Linux File Server
security = ads
encrypt passwords = yes
password server = 140.100.10.150
domain logons = yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
netbios name = DCLINUX
guest account = nobody
winbind enum users = yes
winbind enum groups = yes
wins server = 140.100.10.150
winbind separator = +
winbind cache time = 15
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
idmap uid = 500-65535
idmap gid = 100-65535
KRB5.CONF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DATANAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
proxiable = true
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[realms]
DATANAT.COM = {
kdc = dcpdc.datanat.com:88
admin_server = 140.100.10.150:749
default_domain = datanat.com
}
[domain_realm]
.datanat.com = DATANAT.COM
datanat.com = DATANAT.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
LDAP.CONF
host 140.100.10.150
base dc=datanat,dc=com
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember Member
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
ssl no
pam_password ad
ldap_version 3
binddn cn=Administrator,cn=Users,dc=datanat,dc=com
bindpw dc030103
port 389
Thanks for the support!!!
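The following diagnostic script is an added example and is not part of the original post or of Samba itself. It takes the three places a "security = ads" member server usually goes wrong for getent and checks them against sample files constructed inline from the values posted above: whether nsswitch.conf actually lists winbind on both the passwd and group lines (the constructed sample deliberately leaves it off the group line to show what the check reports), whether the smb.conf sets both the pre-3.0 "winbind uid" name and its replacement "idmap uid" to different ranges, whether ldap.conf stores a bind password for the domain Administrator and sends it over plain LDAP (ssl no, port 389), and how many times log.winbindd records the krb5_cc_get_principal complaint. The file names under $WORK, the function names and the placeholder bind password are assumptions of this example; the checks only report, they change nothing.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post): inspects constructed copies
# of nsswitch.conf, smb.conf, ldap.conf and log.winbindd and reports findings.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample nsswitch.conf: winbind is present on passwd: but (deliberately)
# missing from group:, so "getent group" would never reach winbindd with this file.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files
EOF

# Constructed smb.conf [global] excerpt, copied from the values in the post.
cat > "$WORK/smb.conf" <<'EOF'
[global]
   security = ads
   domain logons = yes
   winbind enum users = yes
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   idmap uid = 500-65535
   idmap gid = 100-65535
EOF

# Constructed ldap.conf excerpt; the real bind password is replaced with a placeholder.
cat > "$WORK/ldap.conf" <<'EOF'
host 140.100.10.150
ssl no
binddn cn=Administrator,cn=Users,dc=datanat,dc=com
bindpw PLACEHOLDER_PASSWORD
port 389
EOF

# Constructed log.winbindd excerpt, copied from the lines in the post.
cat > "$WORK/log.winbindd" <<'EOF'
[2003/10/13 14:52:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/13 14:52:29, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
EOF

# Print the value of one smb.conf parameter ($2) from file $1; empty if unset.
smb_param() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//' | sed 's/[[:space:]]*$//'
}

# getent passwd/group only consult winbindd when "winbind" is listed on the
# passwd: and group: lines; prints "ok" or "missing:<db>[,<db>]".
check_nsswitch() {
  missing=""
  for db in passwd group; do
    if ! grep -q "^[[:space:]]*$db:.*winbind" "$1"; then
      missing="${missing:+$missing,}$db"
    fi
  done
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# "winbind uid" is the pre-3.0 spelling of "idmap uid"; setting both to different
# ranges leaves it unclear which range winbindd allocates from. Prints "ok" or
# "conflict:<winbind uid>/<idmap uid>".
check_idmap() {
  old=$(smb_param "$1" "winbind uid")
  new=$(smb_param "$1" "idmap uid")
  if [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]; then
    echo "conflict:$old/$new"
  else
    echo ok
  fi
}

# A stored bind password combined with "ssl no" means that password crosses the
# wire in cleartext; binding as Administrator is far more privilege than a lookup
# needs. Prints the findings that apply, comma-separated, or "ok".
check_ldap_bind() {
  findings=""
  if grep -qi "^bindpw" "$1" && grep -qi "^ssl[[:space:]]*no" "$1"; then
    findings="cleartext-bind"
  fi
  if grep -qi "^binddn.*cn=Administrator" "$1"; then
    findings="${findings:+$findings,}admin-bind"
  fi
  if [ -n "$findings" ]; then echo "$findings"; else echo ok; fi
}

# Count the credential-cache complaints in log.winbindd. In the posted log the
# daemon carries on to "scanning trusted domain list" right after it, so this is
# worth noting but is a separate matter from the nsswitch lookup path.
count_krb5_cc_errors() {
  grep -c "krb5_cc_get_principal failed" "$1" || true
}

echo "nsswitch:  $(check_nsswitch "$WORK/nsswitch.conf")"
echo "idmap:     $(check_idmap "$WORK/smb.conf")"
echo "ldap bind: $(check_ldap_bind "$WORK/ldap.conf")"
echo "krb5 cc errors in log.winbindd: $(count_krb5_cc_errors "$WORK/log.winbindd")"
```

Run it as-is to see the four findings on the constructed samples; to use it on a real host, point the four checks at /etc/nsswitch.conf, /etc/samba/smb.conf, /etc/ldap.conf and the real log.winbindd instead of the files under $WORK.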