Re: Samba - how to put into domain and authenticate (once again)

On Wed, Dec 10, 2003 at 09:45:05PM +0100, Roger Grosswiler wrote:
> On Wed, 10.12.2003 at 21:20, Nalin Dahyabhai wrote:
> > The 'login' program (or gdm, or kdm, or xdm, or whatever) probably
> > doesn't know who the user is.  Check that 'winbind' is listed in
> > /etc/nsswitch.conf on the lines for 'passwd', 'group'.
> If this has to be done on the side of my PDC, it's done... but I think it's
> not possible on the client side, as this uses the smb.conf of a working
> Samba server.

It needs to be done on the host which is running winbind (aargh, I
should have mentioned that you need to make sure that winbindd, in the
samba-common package, is installed and running).  Every client system in
the domain needs to do this in order to be able to retrieve information
about users from your PDC.

If the client machines need to run a Samba server with a different
configuration, you should be able to set WINBIND_OPTIONS in
/etc/sysconfig/samba to have the winbind init script pass a "-s" option
to winbind (more on winbind's command-line options in the winbindd(8)
man page).

> > You can run 'wbinfo -u' to check that winbind can read information about
> > your users from your domain controller, and run 'getent passwd' to check
> > if libc (and applications which use it, which is all of them, including
> > the application which is trying to authenticate you) can read
> > information about those users from the sources listed in
> > /etc/nsswitch.conf (which should include 'winbind').
> I copied my entries from the pdc-smb.conf into my clients-smb.conf and
> started winbind on the client side. wbinfo -u -g -t do not have success.
> Error message: error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
> (0xc0000233)
> But it was no problem getting the machine into the domain.

I'm not sure what pdc-smb.conf and clients-smb.conf are; so far as I
know, you have /etc/samba/smb.conf, and both smbd and winbind read it
for their configuration information.

In the [globals] section of that file, you at least want to set
  workgroup = (your workgroupname)
  security = domain (or security = ads)
  password server = (your PDC's name)
  realm = (your realm name, only needed if "security" is set to "ads")
  idmap uid = 16777216-33554431 (or other large numbers, just use some range
                                 your Unix users don't have UIDs in)
  idmap gid = 16777216-33554431

(If you're using "security = ads", you also need to configure
/etc/krb5.conf with your realm settings, but I don't think you are, so
I'll not go into that.)

Then run the 'net ads join' or 'net rpc join' command, restart winbind
just to be sure (it might not be necessary, I haven't dug in enough to
know if it's actually necessary), and try 'wbinfo -u' again.

You need to get winbind running and talking to your PDC, and 'wbinfo -u'
reading a list of users, before you can start with nsswitch.conf and the
PAM configuration, because both of these require a functioning winbindd
to work at all.

HTH,

Nalin
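
The settings and checks described in the message above, as an added example that is not part of the original post: a shell script that checks copies of the three files for the listed [global] parameters, for 'winbind' on the nsswitch.conf 'passwd' and 'group' lines, and for local UIDs that fall inside the 'idmap uid' range. The function names are hypothetical, and it never contacts the domain controller, so 'wbinfo -u' still has to be run separately.

```shell
#!/bin/sh
# Added example, not from the original message. Offline checks only: every
# file path is an argument, so it can be run against copies of the real files.

# nss_has_winbind FILE DB: succeed if DB's line (passwd, group) lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }      # drop comments, split "db:src"
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# smb_global_get FILE KEY: print KEY's value from the [global] section only.
smb_global_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && (pos = index($0, "=")) {
            k = tolower(substr($0, 1, pos - 1)); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val == "") exit 1; print val }' "$1"
}

# idmap_conflicts SMBCONF PASSWD: print local accounts whose UID lies inside
# the "idmap uid" range; status 0 = none, 1 = conflicts, 2 = range not set.
idmap_conflicts() {
    range=$(smb_global_get "$1" "idmap uid") || return 2
    awk -F: -v lo="${range%%-*}" -v hi="${range##*-}" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1; bad = 1 }
        END { exit bad + 0 }' "$2"
}

# check_client SMBCONF NSSWITCH PASSWD: print each problem, return the count.
check_client() {
    fails=0
    sec=$(smb_global_get "$1" security | tr 'A-Z' 'a-z')
    for key in workgroup security "password server" "idmap uid" "idmap gid" realm; do
        [ "$key" = realm ] && [ "$sec" != ads ] && continue   # realm: ads only
        smb_global_get "$1" "$key" >/dev/null ||
            { echo "smb.conf [global]: '$key' is not set"; fails=$((fails + 1)); }
    done
    for db in passwd group; do
        nss_has_winbind "$2" "$db" ||
            { echo "nsswitch.conf: '$db' line does not list winbind"; fails=$((fails + 1)); }
    done
    clash=$(idmap_conflicts "$1" "$3") || true
    [ -z "$clash" ] ||
        { echo "idmap uid range contains local accounts:" $clash; fails=$((fails + 1)); }
    return "$fails"
}

if [ "$#" -eq 3 ]; then check_client "$@"; fi
```

Run it as 'sh check.sh /etc/samba/smb.conf /etc/nsswitch.conf /etc/passwd' (the script name is a placeholder); the exit status is the number of problems found.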



