This is a discussion on RE: [Samba] wbinfo -u and -g work, getent passwd works,getent group DOES NOT WORK (solution!) within the Samba forums, part of the Networking and Network Related category.

Hello all.

I found the problem. I had winbind running on the PDC. I don't know why it was running, but when I turn it off on the server I get all my groups on the clients. Honestly I don't remember installing or setting it up.

Anyway, I logged in as domain user bob4, which has bob4 as the group. The client automatically created the home directory and set up everything correctly. woohoo.

Helmut had it right when he suggested turning off winbind. I thought he was talking about winbind on the client.

Here's my listing:

bob4@ubuntu19:~$ pwd
/home/ORA/bob4
bob4@ubuntu19:~$ ls -altr
total 20
-rw-r--r-- 1 bob4 bob4 586 2008-08-03 09:16 .profile
lrwxrwxrwx 1 bob4 bob4 26 2008-08-03 09:16 Examples -> /usr/share/example-content
-rw-r--r-- 1 bob4 bob4 2940 2008-08-03 09:16 .bashrc
-rw-r--r-- 1 bob4 bob4 220 2008-08-03 09:16 .bash_logout
drwxr-xr-x 8 root root 4096 2008-08-03 09:16 ..
drwxr-xr-x 2 bob4 bob4 4096 2008-08-03 09:16 .

So. In conclusion, winbind on server BAD, winbind on client GOOD.

-----Original Message-----
From: samba-bounces+jeff.lepage=asg.com@lists.samba.org on behalf of Helmut Hullen
Sent: Sat 8/2/2008 11:30 AM
To: samba@lists.samba.org
Subject: Re: [Samba] wbinfo -u and -g work, getent passwd works,getent group DOES NOT WORK

Hello, John,

You (drescherjm) wrote on 02.08.08:

>> My LANs (Linux Samba server 3.0.3x, Windows clients) run without it.

> I have found that if you have domain member servers in addition to
> your PDC and BDCs you will need winbind if you want to have ACLs
> working correctly in windows. Without winbind the domain member
> servers show only SIDs in the XP properties dialog.

Thank you - I'll remember that.

Best regards!
Helmut

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Regular desktop users on ubuntu are members of these groups: adm,dialout,cdrom,floppy,audio,dip,video,plugdev,fuse

Membership in these groups allows access to various important things.

When my domain users log in their primary group is set to domainusers, because that's what group I put them in on the samba server. More to the point I set up a groupmap so that samba transmits this info to the client machine.

Question: how do I set things up so that the members of domainusers will also be members of the other groups?

If I try to simply add the domain users to the local groups, I get an error: no such user.

If I create the corresponding groups on the samba server and groupmap them, won't that cause conflicts?

> I found the problem. I had winbind running on the PDC.

Jeff,

In the BSD port, winbind is built into the startup script by default. So, it takes some hacking to remove it. For that reason, and because I've only one domain, I leave it running.

But, I'm fairly sure winbind serves a useful purpose on most any network IF configured correctly. I'm not sure "turn off winbind on your server," is always good advice.

What I wonder is why does winbind cause you trouble? Is it possible you set it as master or preferred master in smb.conf and it's not allowing the clients to see the other broadcasts on the network?

> So. In conclusion, winbind on server BAD, winbind on client GOOD.

I still don't understand why winbind is always a bad feature on a server. I think it's more likely winbind is tricky and deserves correct configuration. If you just want to skip that hassle, I can see turning off winbind as a hackaround, but don't think it's necessarily a plan.

--
Jason A. Nunnelley
JasonN.com is my website - all opinions expressed were mine at some point.

You may be right. I know too little about winbind to comment. However, I note that the tutorials on creating a samba PDC (e.g., section 9.2 of Using Samba, 3rd edition) never mention winbind. However, tutorials on getting a linux client (a domain member server) to join a samba domain most definitely do.

I'm not sure what you mean when you say "Did you set it as master or preferred master in smb.conf". Are you referring to the server (PDC) or the client (domain member server)? The client is most definitely NOT set as a master or preferred master.

Here's what the official docs at samba.org suggest for the smb.conf for the PDC:

passdb backend = tdbsam
os level = 33
preferred master = auto
domain master = yes
local master = yes
security = user
domain logons = yes

So, yes. I do have it (meaning the server) set as master.

We may be talking about different things here. When I say I turn off winbind, I merely mean I removed the service. On linux turning off winbindd is simply a matter of removing the service from /etc/init.d/ directory and running 'update-rc.d winbind remove'.

Finally:

So obviously I have some conflict between the server winbindd and the client winbindd. If I leave winbind running on the PDC and also on the clients, then what is the magic that allows them not to conflict?

On Sun, Aug 3, 2008 at 1:47 PM, Jeff LePage <Jeff.LePage@asg.com> wrote:
>
> Regular desktop users on ubuntu are members of these groups: adm,dialout,cdrom,floppy,audio,dip,video,plugdev,fuse
>
> Membership in these groups allows access to various important things.
>
> When my domain users log in their primary group is set to domainusers, because that's what group I put them in on the samba server. More to the point I set up a groupmap so that samba transmits this info to the client machine.
>
> Question: how do I set things up so that the members of domainusers will also be members of the other groups?
> If I try to simply add the domain users to the local groups, I get an error: no such user.
>
> If I create the corresponding groups on the samba server and groupmap them, won't that cause conflicts?
>

It sounds like you did not set up /etc/nsswitch.conf

John

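
A check related to the /etc/nsswitch.conf suggestion above, added here as an example and not part of any poster's message: it reports which of the passwd and group databases do not list winbind as a source. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find NSS databases that do not list a given source.
# nss_has_source and nss_missing are hypothetical helper names.

# nss_has_source FILE DB SOURCE -> exit status 0 if SOURCE is listed for DB
nss_has_source() {
    awk -v db="$2" -v src="$3" '
        {
            sub(/#.*/, "")        # drop comments
            sub(/:/, ": ")        # tolerate "group:files" with no space
        }
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if ($i == src) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# nss_missing FILE SOURCE -> prints which of passwd/group lack SOURCE
nss_missing() {
    missing=""
    for db in passwd group; do
        nss_has_source "$1" "$db" "$2" || missing="$missing $db"
    done
    echo "${missing# }"
}

# Constructed sample: passwd consults winbind, group does not, so domain
# users would resolve while domain groups would not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed nsswitch.conf sample
passwd:  compat winbind
group:   compat   # winbind not listed here
shadow:  compat
hosts:   files dns
EOF
nss_missing "$sample" winbind
rm -f "$sample"
```

On a domain member, run `nss_missing /etc/nsswitch.conf winbind`; empty output means both databases consult winbind.
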
Recap: Jeff and I are having a conversation about whether "turning off winbinds" is a solution for rectifying apparent conflicts with a PDC running winbinds.

Jeff said: "I'm not sure what you mean when you say "Did you set it as master or preferred master in smb.conf". Are you referring to the server (PDC) or the client (domain member server)?"

And, he sent me this config from the Samba manual:

> passdb backend = tdbsam
> os level = 33
> preferred master = auto
> domain master = yes
> local master = yes
> security = user
> domain logons = yes

So, he concludes:

> So, yes. I do have it (meaning the server) set as master.

Here's where I may get confused myself. What configuration tells smbd/nmbd to shout to the world "Here I am!" via winbinds and what role should or does winbind play for a PDC?

> So obviously I have some conflict between the server winbindd and the client winbindd.

Yes, I agree with everything he said... so far. And, to be honest I'm very new to this set of configurations and behaviors. It's just my nature to ask why until I get a good answer. So far, the answers don't make sense to me.

Winbind is a service that serves a purpose in the network. There's no reason a winbind service running on the PDC would in itself break clients. That violates logic. So, there must be a configuration to tell a given winbind server that it's to submit to another, or pull records from another, or perhaps simply share its knowledge with others.

The question remains, what is the proper winbind configuration that allows winbind to do its job correctly without spewing bad information and corrupting winbind clients' queries about other domains?

I'm running winbind and have other groups in my network and this does not seem to conflict with Windows clients' ability to see the other networks.

Someone here is skilled at winbind configuration. Please share your knowledge with us. What is the correct way to configure winbind or where is the documentation that clarifies why he had this problem and resolved it by turning off winbind?

--
Jason A. Nunnelley
JasonN.com is my website - all opinions expressed were mine at some point.

On Sun, Aug 3, 2008 at 5:54 PM, Jason A. Nunnelley <jason@jasonn.com> wrote:
> Recap: Jeff and I are having a conversation about whether "turning off
> winbinds" is a solution for rectifying apparent conflicts with a PDC running
> winbinds.
>

Are you using 3.0.31 on the PDC? There was a winbind fix specifically for samba PDCs.

http://us1.samba.org/samba/history/samba-3.0.31.html

John

No. I'm using 3.0.28a. This is what is in the ubuntu repositories right now.

If I apply this patch do you think I would only have to do it on the server, or do I have to do it on all the clients? I've got 20 clients.

On Sunday 03 August 2008, Jason A. Nunnelley wrote:
> Recap: Jeff and I are having a conversation about whether "turning
> off winbinds" is a solution for rectifying apparent conflicts with a
> PDC running winbinds.

Here's my take on the subject:

The general use for winbind is to be able to use an MS domain controller for authentication eliminating the need to separately create matching 'nix users.

The special case for using winbind is when, using Samba as the PDC, you wish to insist that a username/password pair from a system not a domain member is not authenticated even if the username/password pair matches that of a domain user (maybe more correctly to state that the domain part is missing from the supplied credentials).

Note that generally with a pure Windows network and a Windows NT4 PDC, as well as Windows in general (peer to peer), matching username/password credentials are enough to authenticate, so using winbind in this situation creates an environment more restrictive than generally expected.

--
Chris