Samba - how to put into domain and authenticate (once again)

Roger Grosswiler roger at gwch.net
Wed Dec 10 21:33:34 UTC 2003


On Wed, 10.12.2003, at 22:05, Nalin Dahyabhai wrote:
> On Wed, Dec 10, 2003 at 09:45:05PM +0100, Roger Grosswiler wrote:
> > On Wed, 10.12.2003, at 21:20, Nalin Dahyabhai wrote:
> > > The 'login' program (or gdm, or kdm, or xdm, or whatever) probably
> > > doesn't know who the user is.  Check that 'winbind' is listed in
> > > /etc/nsswitch.conf on the lines for 'passwd', 'group'.
> > If this has to be done on the side of my PDC, it's done... but I think it's
> > not possible on the client side, as this uses the smb.conf of a working
> > Samba server.
> 
> It needs to be done on the host which is running winbind (aargh, I
> should have mentioned that you need to make sure that winbindd, in the
> samba-common package, is installed and running).  Every client system in
> the domain needs to do this in order to be able to retrieve information
> about users from your PDC.
> 
> If the client machines need to run a Samba server with a different
> configuration, you should be able to set WINBIND_OPTIONS in
> /etc/sysconfig/samba to have the winbind init script pass a "-s" option
> to winbind (more on winbind's command-line options in the winbindd(8)
> man page).
> 
> > > You can run 'wbinfo -u' to check that winbind can read information about
> > > your users from your domain controller, and run 'getent passwd' to check
> > > if libc (and applications which use it, which is all of them, including
> > > the application which is trying to authenticate you) can read
> > > information about those users from the sources listed in
> > > /etc/nsswitch.conf (which should include 'winbind').
> > I copied my entries from the pdc-smb.conf into my clients-smb.conf and
> > started winbind on the client side. wbinfo -u -g -t do not have success.
> > Error message: error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
> > (0xc0000233)
> > But it was no problem getting the machine into the domain.
> 
> I'm not sure what pdc-smb.conf and clients-smb.conf are; so far as I
> know, you have /etc/samba/smb.conf, and both smbd and winbind read it
> for their configuration information.
> 
> In the [globals] section of that file, you at least want to set
>   workgroup = (your workgroupname)
>   security = domain (or security = ads)
>   password server = (your PDC's name)
>   realm = (your realm name, only needed if "security" is set to "ads")
>   idmap uid = 16777216-33554431 (or other large numbers, just use some range
>                                  your Unix users don't have UIDs in)
>   idmap gid = 16777216-33554431
> 
> (If you're using "security = ads", you also need to configure
> /etc/krb5.conf with your realm settings, but I don't think you are, so
> I'll not go into that.)
> 
> Then run the 'net ads join' or 'net rpc join' command, restart winbind
> just to be sure (it might not be necessary, I haven't dug in enough to
> know if it's actually necessary), and try 'wbinfo -u' again.
> 
> You need to get winbind running and talking to your PDC, and 'wbinfo -u'
> reading a list of users, before you can start with nsswitch.conf and the
> PAM configuration, because both of these require a functioning winbindd
> to work at all.
> 
> HTH,
> 
> Nalin
> 
I tried again now, but this time just entered the following in
system-auth:
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal

as the winbind line did not change anything at all (except that I had to
type the password twice...)

But still no change...
I changed the smb.conf to match the data I have entered on the PDC, so it
should be equal... the change in nsswitch.conf is done and the
winbind daemon is running, but still: wbinfo -u -g -t = false...
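
An added example, not part of the original thread: a static pre-check of the files discussed above (the smb.conf settings, the idmap uid range against local UIDs, and the 'winbind' entries in nsswitch.conf), to run before testing with 'wbinfo -u'. The function names and the sample file contents are assumptions made for the illustration.

```python
import re

REQUIRED = ("workgroup", "security", "password server", "idmap uid", "idmap gid")

def parse_global(smb_conf):
    """Options of smb.conf's [global] section, keys lowercased."""
    opts, section = {}, None
    for line in map(str.strip, smb_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def check(smb_conf, nsswitch, local_passwd):
    """Return a list of problems; an empty list means the files look ready."""
    opts, problems = parse_global(smb_conf), []
    problems += [f"smb.conf: '{k}' not set" for k in REQUIRED if not opts.get(k)]
    security = opts.get("security", "").lower()
    if security and security not in ("domain", "ads"):
        problems.append(f"smb.conf: security = {security}, expected domain or ads")
    if security == "ads" and not opts.get("realm"):
        problems.append("smb.conf: 'realm' is needed with security = ads")
    # The idmap uid range must not contain UIDs already used by local accounts.
    rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("idmap uid", ""))
    if rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
        for entry in local_passwd.splitlines():
            f = entry.split(":")
            if len(f) > 2 and f[2].isdigit() and lo <= int(f[2]) <= hi:
                problems.append(f"idmap uid range contains local user {f[0]} (uid {f[2]})")
    # nsswitch.conf: 'winbind' must be a source for both passwd and group.
    sources = {}
    for line in nsswitch.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            sources[db.strip()] = rest.split()
    for db in ("passwd", "group"):
        if "winbind" not in sources.get(db, []):
            problems.append(f"nsswitch.conf: 'winbind' missing on the '{db}' line")
    return problems

# Constructed sample input (EXAMPLE, pdc1 and the accounts are made-up values).
SMB = "[global]\n  workgroup = EXAMPLE\n  security = domain\n  password server = pdc1\n  idmap uid = 500-20000\n  idmap gid = 16777216-33554431\n"
NSS = "passwd: files winbind\ngroup: files\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nroger:x:500:500::/home/roger:/bin/bash\n"

if __name__ == "__main__":
    print("\n".join(check(SMB, NSS, PASSWD)) or "ok")
```

A clean result only shows that the files are consistent; whether winbindd can actually reach the PDC still has to be tested with 'wbinfo -u'.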

