[Samba] Samba 4 / idmap / NIS / winbind


Vogel, Sven
Jun 7, 2014, 4:40:01 PM

Hi,

How can I get Samba 4 (Sernet 4.1.7) working correctly with NIS? It is provisioned with rfc2307.

When I query a user I get the following.

getent passwd testswi
SWI\testswi:*:10000:100:testswi:/home/SWI/testswi:/bin/false

I want to change /bin/false to another value, /bin/bash.

I tried many things to change the value.

1. ldbedit -e vim -H /var/lib/samba/private/sam.ldb samaccountname=testswi
I added "loginShell = /bin/bash" and got

----------------------------------------------------------------------------------------------------------------------------
# record 1
dn: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testswi
givenName: testswi
instanceType: 4
whenCreated: 20140530142421.0Z
displayName: testswi
uSNCreated: 12359
name: testswi
objectGUID: d6ebbae7-8ec0-4a89-828d-58c10a7c9f99
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 130459334610000000
primaryGroupID: 513
objectSid: S-1-5-21-1143642306-2581635645-836595807-1605
accountExpires: 9223372036854775807
sAMAccountName: testswi
sAMAccountType: 805306368
userPrincipalName: tes...@swi.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=swi,DC=local
loginShell: /bin/bash
whenChanged: 20140605153458.0Z
uSNChanged: 13969
distinguishedName: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
----------------------------------------------------------------------------------------------------------------------------

Nothing changed; it is always /bin/false when I use getent passwd ...

2. I tried the Windows Remote Administration Tools and the Unix tab in Windows.

I added NIS domain, UID, GID, home and login shell, but again nothing changed... I got the following

# record 1
dn: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testswi
givenName: testswi
instanceType: 4
whenCreated: 20140530142421.0Z
displayName: testswi
uSNCreated: 12359
name: testswi
objectGUID: d6ebbae7-8ec0-4a89-828d-58c10a7c9f99
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 130459334610000000
primaryGroupID: 513
objectSid: S-1-5-21-1143642306-2581635645-836595807-1605
accountExpires: 9223372036854775807
sAMAccountName: testswi
sAMAccountType: 805306368
userPrincipalName: tes...@swi.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=swi,DC=local
loginShell: /bin/bash
whenChanged: 20140607194437.0Z
uSNChanged: 14355
unixUserPassword: ABCD!efgh12345$67890
uid: testswi
msSFU30Name: testswi
msSFU30NisDomain: swi
uidNumber: 10000
gidNumber: 100
unixHomeDirectory: /home/testswi
distinguishedName: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local

When I use getent passwd testswi I always get the same as above: /bin/false.

Questions.

Is that a problem with winbind in Samba 4, that not everything is correctly set or supported?

Where does getent passwd ... get the information from? I know it is winbind, but what is wrong?

I read about some users who use sssd or nslcd. Is that the solution for Samba 4?

I am confused. Can anyone explain that?

Thanks for help

Sven Vogel


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
Jun 7, 2014, 4:40:01 PM

Hi, add 'template shell = /bin/bash' to smb.conf and restart Samba, or
add the required RFC2307 attributes to the users and groups.

Rowland

steve
Jun 7, 2014, 5:30:01 PM

Hi
winbind will not extract the loginShell or the unixHomeDirectory from
AD. If you wish to do this on the DC, you must use nslcd, nss-ldap or
sssd.
HTH
Steve

Nico Kadel-Garcia
Jun 7, 2014, 8:10:02 PM

On Sat, Jun 7, 2014 at 4:31 PM, Vogel, Sven
<Sven....@kupper-computer.com> wrote:
> Hi,
>
> How can I get Samba 4 (Sernet 4.1.7) working correctly with NIS? It is provisioned with rfc2307.

What is your base OS? It profoundly affects the availability, and how
to most easily configure, tools like NIS and sssd.

steve
Jun 8, 2014, 5:40:02 AM

On Sat, 2014-06-07 at 20:06 -0400, Nico Kadel-Garcia wrote:
> On Sat, Jun 7, 2014 at 4:31 PM, Vogel, Sven
> <Sven....@kupper-computer.com> wrote:
> > Hi,
> >
> > How can I get Samba 4 (Sernet 4.1.7) working correctly with NIS? It is provisioned with rfc2307.
>
> What is your base OS? It profoundly affects the availability, and how
> to most easily configure, tools like NIS and sssd.

Hi
I think as long as sssd builds against whatever it is, that is
sufficient. e.g. for users, the ad backend needs simply:
uidNumber
gidNumber
and then whatever the OP needs from:
loginShell
unixHomeDirectory
gecos
under the DN.

You can add those using samba-tool or windows.

The only gotcha is that domain groups which users are a member thereof
must also contain the:
gidNumber
attribute.

The sssd configuration is minimal:
http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html
HTH
Steve

Vogel, Sven
Jun 8, 2014, 5:30:02 PM

Thanks for the help

@Rowland

I tried this but it does not work for me. I think Steve is right that I need sssd when I am on the domain controller itself.

@Steve

I will try it. You wrote 'on the DC'. What about when I am not on a DC?

I can add them with samba-tool but I cannot modify them with it. I saw that in 2012 Microsoft removed the Unix tab. So the best way will be to use the shell. Therefore the only way is ldbedit or ldbmodify. What do you think?

@Nico

Base OS is SLES 11 SP3.

Greeting

Sven

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
Sent: Saturday, 7 June 2014 22:35
To: sa...@lists.samba.org
Subject: Re: [Samba] Samba 4 / idmap / NIS / winbind

Rowland Penny
Jun 8, 2014, 6:00:02 PM

On 08/06/14 22:25, Vogel, Sven wrote:
> Thanks for the help
>
> @Rowland
>
> I tried this but it does not work for me. I think Steve is right that I need sssd when I am on the domain controller itself.
Your original post was a bit narrow and adding to the smb.conf will work
for the samba4 server, but is as much use as a chocolate fire-guard for
other machines in the domain. This is where sssd and using RFC2307
attributes come into their own.

>
> @Steve
>
> I will try it. You wrote 'on the DC'. What about when I am not on a DC?

You can also use sssd on other machines; there is also winbind, nslcd
etc. I suggest that you read the wiki and take your choice.

>
> I can add them with samba-tool but I cannot modify them with it. I saw that in 2012 Microsoft removed the Unix tab. So the best way will be to use the shell. Therefore the only way is ldbedit or ldbmodify. What do you think?

Yes, this would be the easiest way, but you will probably find it easiest
to write some scripts around the ldb tools; that is what I did anyway.

>
> @Nico
>
> Base OS is SLES 11 SP3.

Ah, that fine server OS, based on fossilised remains I believe ;-)

Rowland

steve
Jun 8, 2014, 6:50:01 PM

On Sun, 2014-06-08 at 21:25 +0000, Vogel, Sven wrote:
> Thanks for the help
>
> @Rowland
>
> I tried this but it does not work for me. I think Steve is right that I need sssd when I am on the domain controller itself.
>
> @Steve
>
> I will try it. You wrote 'on the DC'. What about when I am not on a DC?
>
Hi. On the DC, you cannot use winbind to do what you want. On a client
or file server you could. OTOH, you can use sssd on all three.
> I can add them with samba-tool but I cannot modify them with it. I saw that in 2012 Microsoft removed the Unix tab. So the best way will be to use the shell. Therefore the only way is ldbedit or ldbmodify. What do you think?
>
We're not sure if they've removed it but we doubt it will be around for
ever. 2012 supports rfc2307 as before however. That will perhaps be
around for much longer. Wrapping around ldbmodify is the way to go; you
can tailor it to the exact needs of your domain.

> @Nico
>
> Base OS is SLES 11 SP3.
>
Oh dear, that's not so good. SUSE has not yet accepted the existence of
AD on Linux and you'll need to build a recent 1.11 series sssd if you
wish to take advantage of its ad backend. 1.9.5 as shipped with SUSE can
be tempted to talk to AD too, albeit with reduced functionality. You may
be able to use the Sernet libraries to supply the build requirements for
sssd at least.
HTH
Steve
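One way to do the "wrap ldbmodify" approach Rowland and Steve recommend, as an added example that is not part of this thread and not the Samba project's own tooling: the script below audits an LDIF record (like the ones Sven pasted) for the RFC2307 attributes Steve listed (uidNumber and gidNumber for users, plus loginShell and unixHomeDirectory, and gidNumber on every group), builds an idempotent LDIF using `replace:` operations, and only pipes it into `ldbmodify -H /var/lib/samba/private/sam.ldb` when run with `APPLY=1`. The sam.ldb path, the NIS domain `swi`, the numeric IDs and the trimmed sample records are assumptions taken from the posted record; the samples are constructed for the example. Values containing newlines, or starting with space, `:` or `<`, are rejected rather than quoted, since LDIF is line-oriented and such a value could inject extra attributes into the modify record. It never writes unixUserPassword.

```shell
#!/bin/sh
# Added example: not code from this thread or from the Samba project.
# Audit a sam.ldb record for the RFC2307 attributes sssd's ad backend needs
# and emit an idempotent LDIF for ldbmodify.  The sam.ldb path, NIS domain
# and the sample records below are assumptions taken from the thread.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"   # assumed DC path (as used with ldbedit in the thread)
NIS_DOMAIN="${NIS_DOMAIN:-swi}"                        # msSFU30NisDomain value from the posted record
USER_ATTRS="uidNumber gidNumber loginShell unixHomeDirectory"   # users
GROUP_ATTRS="gidNumber"                                          # groups: the gotcha Steve mentions

NL="$(printf '\nx')"; NL="${NL%x}"   # literal newline / carriage return, POSIX-sh style
CR="$(printf '\rx')"; CR="${CR%x}"

# missing_attrs RECORD ATTRS: print which of ATTRS are absent from the LDIF RECORD.
# Attribute names match case-insensitively, as LDAP does.
missing_attrs() {
    record="$1"; out=""
    for a in $2; do
        printf '%s\n' "$record" | grep -qi "^${a}: " || out="$out $a"
    done
    printf '%s\n' "${out# }"
}

# safe_value VALUE: LDIF is line-oriented, so a value with an embedded newline
# would inject extra attributes, and values starting with space, ':' or '<' are
# not SAFE-STRINGs (RFC 2849).  Reject such input instead of trying to quote it.
safe_value() {
    case "$1" in
        ''|*"$NL"*|*"$CR"*|' '*|':'*|'<'*) return 1 ;;
    esac
    return 0
}

# ldif_replace DN attr=value ...: one "changetype: modify" record using
# "replace:", so re-running is idempotent ("add:" fails if the attribute exists).
ldif_replace() {
    dn="$1"; shift
    safe_value "$dn" || { echo "rejected DN" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    for kv in "$@"; do
        attr="${kv%%=*}"; val="${kv#*=}"
        safe_value "$val" || { echo "rejected value for $attr" >&2; return 1; }
        printf 'replace: %s\n%s: %s\n-\n' "$attr" "$attr" "$val"
    done
    echo
}

# user_ldif DN NAME UIDNUMBER GIDNUMBER SHELL HOME: the full user attribute set.
# unixUserPassword is deliberately not written; the account authenticates via AD.
user_ldif() {
    case "$3$4" in ''|*[!0-9]*) echo "uidNumber/gidNumber must be numeric" >&2; return 1 ;; esac
    case "$5" in /*) ;; *) echo "loginShell must be an absolute path" >&2; return 1 ;; esac
    ldif_replace "$1" "uidNumber=$3" "gidNumber=$4" "loginShell=$5" "unixHomeDirectory=$6" \
        "uid=$2" "msSFU30Name=$2" "msSFU30NisDomain=$NIS_DOMAIN"
}

# group_ldif DN GIDNUMBER: groups only need gidNumber for membership to resolve.
group_ldif() {
    case "$2" in ''|*[!0-9]*) echo "gidNumber must be numeric" >&2; return 1 ;; esac
    ldif_replace "$1" "gidNumber=$2"
}

# apply_ldif: feed stdin to ldbmodify only when APPLY=1; otherwise print it (dry run).
apply_ldif() {
    if [ "${APPLY:-0}" = 1 ]; then ldbmodify -H "$SAM_LDB"; else cat; fi
}

# Constructed samples: Sven's first posted record and a group, trimmed to the relevant lines.
SAMPLE_USER="dn: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
objectClass: user
sAMAccountName: testswi
loginShell: /bin/bash"
SAMPLE_GROUP="dn: CN=Domain Users,CN=Users,DC=swi,DC=local
objectClass: group
sAMAccountName: Domain Users"

# Dry run: report what is missing, then print the LDIF that would fill it in.
echo "user  missing: $(missing_attrs "$SAMPLE_USER" "$USER_ATTRS")"
echo "group missing: $(missing_attrs "$SAMPLE_GROUP" "$GROUP_ATTRS")"
user_ldif "CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local" testswi 10000 100 /bin/bash /home/testswi | apply_ldif
group_ldif "CN=Domain Users,CN=Users,DC=swi,DC=local" 100 | apply_ldif
```

Run it as-is on the DC for a dry run, then `APPLY=1 sh rfc2307.sh` to write the attributes; afterwards `getent passwd testswi` through sssd (or winbind on a member server with an ad idmap backend) should show the new shell, whereas winbind on the DC itself will still only honour `template shell`, as the thread explains.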

Vogel, Sven
Jun 9, 2014, 7:00:01 AM

@Rowland and @Steve

Chocolate fire guard... :) You wrote your own scripts to add the rfc2307 information to the users?

I know SLES is not the best. It was not my decision. I mostly use RedHat/CentOS. I will try sssd. Maybe that is the best choice for connecting to AD.

Maybe it is not correct, but read this page. Below....
http://technet.microsoft.com/en-us/library/dn303411.aspx

The Server for Network Information Service (NIS) is deprecated. This includes the associated administration tools in Remote Server Administration Tools (RSAT). Use native LDAP, Samba Client, Kerberos, or non-Microsoft options.

I don't know, maybe they mean other things. Steve, what do you think?

Greetings thanks...

Sven


-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
Sent: Sunday, 8 June 2014 23:53

Rowland Penny
Jun 9, 2014, 7:30:02 AM

On 09/06/14 11:57, Vogel, Sven wrote:
> @Rowland and @Steve
>
> Chocolate fire guard... :) You wrote your own scripts to add the rfc2307 information to the users?

Yes, several versions, lately I am using a set of scripts based on
ldapscripts but using the ldbtools instead.

>
> I know SLES is not the best. It was not my decision. I mostly use RedHat/CentOS. I will try sssd. Maybe that is the best choice for connecting to AD.
RHEL is known for being very stable; this is down to not being very
up to date. SLES should be very very stable, after all it is based on an
even older base ;-)

>
> Maybe it is not correct, but read this page. Below....
> http://technet.microsoft.com/en-us/library/dn303411.aspx
>
> The Server for Network Information Service (NIS) is deprecated. This includes the associated administration tools in Remote Server Administration Tools (RSAT). Use native LDAP, Samba Client, Kerberos, or non-Microsoft options.
>
> I don't know, maybe they mean other things. Steve, what do you think?

I personally think that it means that they have shot themselves in the
foot. I do not think that Samba will ever drop being able to connect to
Unix systems, so the RFC2307 attributes will always be available and if
Microsoft try to stop them being added to AD, then they will probably
get clobbered by the European Union again, just like they did with IE.

What it does mean is that Unix GUI tools need to be written to work like
ADUC does now, not everybody wants to work at the cli and sometimes it
is just easier to use a GUI.

Rowland

steve
Jun 9, 2014, 10:40:02 AM

On Mon, 2014-06-09 at 10:57 +0000, Vogel, Sven wrote:
> @Rowland and @Steve
>
> Chocolate fire guard... :) You wrote your own scripts to add the rfc2307 information to the users?
>
> I know SLES is not the best. It was not my decision. I mostly use RedHat/CentOS. I will try sssd. Maybe that is the best choice for connecting to AD.
>
> Maybe it is not correct, but read this page. Below....
> http://technet.microsoft.com/en-us/library/dn303411.aspx
>
> The Server for Network Information Service (NIS) is deprecated. This includes the associated administration tools in Remote Server Administration Tools (RSAT). Use native LDAP, Samba Client, Kerberos, or non-Microsoft options.

That's what I thought, but the Samba devs tell me otherwise:
https://lists.samba.org/archive/samba/2014-May/181643.html
Dunno. Just don't get used to managing UNIX from windows. I think the
rfc2307 will always be there, just not point and click as it is now.
Just our €0.02
Steve

steve
Jun 9, 2014, 10:50:01 AM

On Mon, 2014-06-09 at 12:25 +0100, Rowland Penny wrote:
> On 09/06/14 11:57, Vogel, Sven wrote:
> > @Rowland and @Steve
> >
> > Chocolate fire guard... :) You wrote your own scripts to add the rfc2307 information to the users?
>
> Yes, several versions, lately I am using a set of scripts based on
> ldapscripts but using the ldbtools instead.
>
+1 for the roll your own.
> >
> > I know SLES is not the best. It was not my decision. I mostly use RedHat/CentOS. I will try sssd. Maybe that is the best choice for connecting to AD.
> RHEL is known for being very stable; this is down to not being very
> up to date. SLES should be very very stable, after all it is based on an
> even older base ;-)
I took on a SLES setup. The best I could get was to persuade them to go
openSUSE. It's not ideal, but at least you stand more of a chance with
something which resembles modernity. The SUSE dev flatly refuses to
accept anything AD and Samba.
Cheers,
Steve