On Wed, Dec 10, 2003 at 09:45:05PM +0100, Roger Grosswiler wrote:
> On Wed, 10.12.2003 at 21:20, Nalin Dahyabhai wrote:
> > The 'login' program (or gdm, or kdm, or xdm, or whatever) probably
> > doesn't know who the user is.  Check that 'winbind' is listed in
> > /etc/nsswitch.conf on the lines for 'passwd', 'group'.
> if this has to be done on the side of my PDC it's done...but I think it's
> not possible on the client-side, as this uses the smb.conf of a working
> samba-server.

It needs to be done on the host which is running winbind (aargh, I
should have mentioned that you need to make sure that winbindd, in the
samba-common package, is installed and running).  Every client system
in the domain needs to do this in order to be able to retrieve
information about users from your PDC.

If the client machines need to run a Samba server with a different
configuration, you should be able to set WINBIND_OPTIONS in
/etc/sysconfig/samba to have the winbind init script pass a "-s" option
to winbind (more on winbind's command-line options in the winbindd(8)
man page).

> > You can run 'wbinfo -u' to check that winbind can read information about
> > your users from your domain controller, and run 'getent passwd' to check
> > if libc (and applications which use it, which is all of them, including
> > the application which is trying to authenticate you) can read
> > information about those users from the sources listed in
> > /etc/nsswitch.conf (which should include 'winbind').
> I copied my entries from the pdc-smb.conf into my clients-smb.conf and
> started winbind on the client side. wbinfo -u -g -t do not have success.
> Error-Message: error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
> (0xc0000233)
> but it was no problem getting the machine into the domain

I'm not sure what pdc-smb.conf and clients-smb.conf are; so far as I
know, you have /etc/samba/smb.conf, and both smbd and winbind read it
for their configuration information.
In the [globals] section of that file, you at least want to set
    workgroup = (your workgroupname)
    security = domain (or security = ads)
    password server = (your PDC's name)
    realm = (your realm name, only needed if "security" is set to "ads")
    idmap uid = 16777216-33554431 (or other large numbers, just use some
                range your Unix users don't have UIDs in)
    idmap gid = 16777216-33554431
(If you're using "security = ads", you also need to configure
/etc/krb5.conf with your realm settings, but I don't think you are, so
I'll not go into that.)

Then run the 'net ads join' or 'net rpc join' command, restart winbind
just to be sure (it might not be necessary, I haven't dug in enough to
know if it's actually necessary), and try 'wbinfo -u' again.

You need to get winbind running and talking to your PDC, and 'wbinfo -u'
reading a list of users, before you can start with nsswitch.conf and the
PAM configuration, because both of these require a functioning winbindd
to work at all.

HTH,

Nalin
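
The checks from this reply, in the order it gives them, as an added shell example (not part of the original message and not Samba code). The function names `nss_has_winbind` and `winbind_first_failure` are hypothetical; it assumes `pgrep`, `wbinfo` and `getent` are on the PATH of the client.

```shell
#!/bin/sh
# Added example: names the first broken layer on a winbind client,
# in the order the reply gives. Function names are hypothetical.

# nss_has_winbind FILE DB: succeed if FILE lists 'winbind' as a source for DB.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        {
            n = index($0, ":")
            if (n == 0) next
            name = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++) if (src[i] == "winbind") found = 1
        }
        END { exit !found }
    ' "$1"
}

# winbind_first_failure [NSSWITCH]: print the first failing stage, or "ok".
winbind_first_failure() {
    nss="${1:-/etc/nsswitch.conf}"
    # 1. winbindd must be running on this host (the client), not just on the PDC.
    pgrep -x winbindd >/dev/null 2>&1 ||
        { echo "winbindd-not-running"; return 1; }
    # 2. winbind must be able to list domain users from the domain controller.
    users=$(wbinfo -u 2>/dev/null) && [ -n "$users" ] ||
        { echo "wbinfo-cannot-list-users"; return 1; }
    # 3. Only then does nsswitch.conf matter: passwd and group need 'winbind'.
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" ||
            { echo "nsswitch-$db-missing-winbind"; return 1; }
    done
    # 4. libc must resolve a domain user through NSS.
    first=$(printf '%s\n' "$users" | head -n 1)
    getent passwd "$first" >/dev/null 2>&1 ||
        { echo "getent-cannot-resolve-domain-user"; return 1; }
    echo "ok"
}
```

Source the file on the client and call `winbind_first_failure`; the stage it prints is the one to fix before looking at any later layer.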