
[Samba] FreeBSD 7.2 domain member problem

 
  

Ivo Karabojkov
External


Since: Nov 05, 2009
Posts: 6



Posted: Thu Nov 05, 2009 7:10 am    Post subject: [Samba] FreeBSD 7.2 domain member problem
Archived from groups: linux>samba

Hi!

I am trying to set a FreeBSD 7.2, Samba 3.3.8 as an AD domain member server.
I am not using LDAP, but idmap_rid. I have properly configured
nsswitch.conf.

Joining to domain and wbinfo -u work OK, but when I try
pw show user -a
I get only user accounts of FreeBSD. So, I cannot set owners, ACLs...

My main source is Samba guide chapter 7:
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2597100
All tests from Procedure 7.4 of the guide, except getent (eq. to pw show
user -a) work OK.

It seems that FreeBSD does not use nsswitch. What should I do or what am I
missing?

Thanks in advance for your help.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26204285.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Michael Wood
External


Since: Aug 30, 2009
Posts: 7



Posted: Thu Nov 05, 2009 7:10 am    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem

2009/11/4 Ivo Karabojkov <ivo.TakeThisOut@kit-bg.com>:
> I am trying to set a FreeBSD 7.2, Samba 3.3.8 as an AD domain member server.
> I am not using LDAP, but idmap_rid. I have properly configured
> nsswitch.conf.
>
> Joining to domain and wbinfo -u work OK, but when I try
> pw show user -a
> I get only user accounts of FreeBSD. So, I cannot set owners, ACLs...
>
> My main source is Samba guide chapter 7:
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2597100
> All tests from Procedure 7.4 of the guide, except getent (eq. to pw show
> user -a) work OK.
>
> It seems that FreeBSD does not use nsswitch. What should I do or what I am
> missing?
[...]

I have no idea what the problem is, but FreeBSD does seem to use nsswitch:
http://www.freebsd.org/cgi/man.cgi?query=nsswitch.conf&apropos=0&sekti...0&manpa

--
Michael Wood <esiotrot.TakeThisOut@gmail.com>
Ivo Karabojkov
External


Since: Nov 05, 2009
Posts: 6



Posted: Fri Nov 06, 2009 2:10 am    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem

Yes, FreeBSD supports nsswitch and I tried getent passwd - the result is the
same.
Maybe I should have shown my config files in my previous post, sorry:

smb.conf:
(very similar to Chapter 7, example 7.7 and 7.8 of the Samba Guide)

[global]
# unix charset = LOCALE
workgroup = DOMAIN
realm = domain.local
#
server string = sambaserver.domain.local
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
#printcap name = CUPS
#idmap backend = idmap_rid:DOMAIN=10000-100000000
idmap backend = rid
# ldap ssl = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
allow trusted domains = No
winbind enum users = yes
winbind enum groups = yes
#
winbind refresh tickets = Yes
winbind nested groups = No

hosts allow = 192.168.1. 10.1.55. 127.0.0.1
interfaces = localhost, nfe0, tun*
bind interfaces only = Yes
case sensitive = No

[pub]
comment = Public
path = /var/samba/pub
guest ok = No
browseable = Yes
nt acl support = Yes


/etc/nsswitch.conf:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/etc/pam.d/login:
(I don't think I need this, I don't need AD users to access anything but
some samba shares with ACL, but I keep trying)

# auth
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so

# account
account requisite pam_securetty.so
account required pam_nologin.so
account include system
account sufficient /usr/local/lib/pam_winbind.so

# session
session include system

# password
password include system


So I'm still trying, but AD users do not appear in password or group
databases of FreeBSD.
Should I try LDAP?
--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26222348.html
Ivo Karabojkov
External


Since: Nov 05, 2009
Posts: 6



Posted: Fri Nov 06, 2009 6:10 pm    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem

I noticed some error messages in log files too:

winbindd-idmap.log:
winbindd/idmap.c:idmap_init_passdb_domain(438)
Could not init passdb idmap domain
[2009/11/06 13:21:23, 0] winbindd/idmap.c:smb_register_idmap_alloc(201)
idmap_alloc module ldap already registered!
[2009/11/06 13:21:23, 0] winbindd/idmap.c:smb_register_idmap_alloc(201)
idmap_alloc module tdb already registered!
[2009/11/06 13:21:23, 0] winbindd/idmap.c:smb_register_idmap(149)
Idmap module passdb already registered!

winbindd.log
winbindd/idmap.c:smb_register_idmap(149)
Idmap module nss already registered!
[2009/11/06 13:21:33, 1] winbindd/winbindd_group.c:winbindd_getgrent(1366)
could not look up gid for group HelpServicesGroup
> This message repeats for all AD global groups and also AD users.

I also attach my ktrace output.
ktrace getent passwd
http://old.nabble.com/file/p26230478/ktrace.out ktrace.out


--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26230478.html
Ivo Karabojkov
External


Since: Nov 05, 2009
Posts: 6



Posted: Sat Nov 14, 2009 5:10 pm    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem

Sorry for my triple answer; the message was rejected by the mailing list for
the last few days and I tried to resend it over and over again.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26354107.html
Ivo Karabojkov
External


Since: Nov 05, 2009
Posts: 6



Posted: Sun Nov 22, 2009 2:10 pm    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem - partially SOLVED

So I kept "hitting my head in the wall" and here is my partial but satisfying
solution:

I was totally unable to get idmap_rid working! So I am using the default
IDMAP backend - tdb.
The problem with pw user / group show -a or getent passwd / group not
working was that nss_winbind.so was not where it was supposed to be. To
correct this I used:

ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2

Now all my users and groups are visible with pw or getent!
The rid backend would give a predictable sid <-> uid/gid mapping; with this
solution the mapping changes every time the server is joined to the AD domain.
But I failed setting it up - it seems idmap_rid does not map anything...

If someone can help with a better solution I will be grateful.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26466399.html
Diego Zuccato
External


Since: Nov 18, 2009
Posts: 2



Posted: Mon Nov 23, 2009 3:10 am    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem - partially SOLVED

Ivo Karabojkov wrote:

> I was totally unable to get idmap_rid working! So I am using the default
> IDMAP backend - tdb.
Not good if you need the same user to receive the same UID on
different machines.

> The problem with not working pw user / group show -a or getent passwd /
> group was that nss_winbind.so was not where it supposed to. To correct this
> I used:
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
That's really ugly and shouldn't be needed on ANY distro. And it seems
you're looking for trouble (.1 and .2 IIRC have different ABI).

> Now all my users and groups are visible with pw or getent!
> rid backend would give predictable sid <-> uid/gid mapping, with this
> solution mapping changes every time server is joined to AD domain. But I
> failed setting it up - it seems idmap_rid does not map anything...
>
> If someone may help with better solution I will be grateful.
In my config I map users in two domains to different UID/GID values with
the following config:
winbind uid = 100000-100000000
winbind gid = 100000-100000000

idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999

Maybe you need just:
winbind uid = 100000-100000000
winbind gid = 100000-100000000
idmap config backend = rid

And be sure to "testparm -v" any changes to smb.conf

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato DeleteThis @unibo.it
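
Added example, not part of the original thread and not Samba's own code: a Python rendering of the formula given in the idmap_rid manual page (ID = RID - base_rid + low end of range), applied to the two-domain settings quoted in the reply above. It shows why the rid backend yields the same UID for a given SID on every member server, and checks that per-domain ranges do not overlap (overlap would let two accounts share one UID and therefore one set of file permissions). The SID and the function names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment: the two-domain rid settings quoted in the reply above.
SMB_CONF = """
idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999
"""

LINE = re.compile(r"^\s*idmap config\s+(\w+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend", "base_rid", "low", "high"}} from smb.conf text."""
    doms = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        d = doms.setdefault(dom, {"base_rid": 0})
        if key == "range":
            d["low"], d["high"] = (int(x) for x in val.split("-"))
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d[key] = val
    return doms

def rid_to_id(cfg, sid):
    """idmap_rid formula: ID = RID - base_rid + low end of range; None if unmappable."""
    rid = int(sid.rsplit("-", 1)[1])   # the RID is the last sub-authority of the SID
    uid = rid - cfg["base_rid"] + cfg["low"]
    return uid if rid >= cfg["base_rid"] and uid <= cfg["high"] else None

def overlapping(doms):
    """Pairs of domains whose ID ranges intersect (two SIDs could share one uid)."""
    names = sorted(doms)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if doms[a]["low"] <= doms[b]["high"] and doms[b]["low"] <= doms[a]["high"]]

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
    print(rid_to_id(doms["DOM1"], sid), rid_to_id(doms["DOM2"], sid), overlapping(doms))
```

The result depends only on the SID and the configured range, so it does not change when the server is re-joined to the domain, unlike IDs handed out in allocation order by the tdb backend.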
Ivo Karabojkov
External


Since: Nov 05, 2009
Posts: 6



Posted: Mon Nov 23, 2009 7:10 am    Post subject: Re: [Samba] FreeBSD 7.2 domain member problem - partially SOLVED

I am sure it should work without these strange links I've made.
I don't know what the problem is. I use ports, just to keep my installations
more standard.

Can you point me to a good manual on how to set up nss/ldap with Samba?


Daniel O'Connor-2 wrote:
>
> Indeed, that certainly shouldn't be necessary..
>
> I use nss/pam_ldap (on FreeBSD) and it works just fine living
> in /usr/local/lib as you'd expect.
>
> I don't know why you'd need nss_winbind.so.2 either.
>
>

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26476306.html