From: Nico De Ranter on

Hi,

I'm trying to integrate an existing linux environment with a Windows AD
environment. All my users are already in AD with valid rfc2307
attributes defined so I need a way to authenticate my users using
username, uid, gid, shell and homedirectory from AD. I've been using
Kerberos+LDAPs before but that requires a dummy AD user hardcoded with
username and password in /etc/ldap.conf which is making me icky.

According to the man pages it looks like idmap_adex should do the trick
for me, however I can't get things to work. (see config files below)

Running 'wbinfo -u' does give me the list of valid users, however
'getent passwd' waits a second after displaying the local users and then
just gives me back the command-line prompt.

In /var/log/samba/log.winbindd-idmap I see:
==================
....
[2010/07/28 18:10:01, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
[2010/07/28 18:10:01, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
[2010/07/28 18:10:01, 0] winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
[2010/07/28 18:10:01, 1] winbindd/idmap.c:580(idmap_alloc_init)
could not find idmap alloc module adex
[2010/07/28 18:10:01, 1] winbindd/idmap_adex/likewise_cell.c:346(cell_connect_dn)
LWI: Failled to connect to cell "dc=MY,dc=DOMAIN,dc=COM" (NT_STATUS_NO_LOGON_SERVERS)
==================


Note that the adex module is available on the filesystem:
==================
root(a)ubuntu:/var/log/samba# locate *adex*
/usr/lib/samba/idmap/adex.so
/usr/share/man/man8/idmap_adex.8.gz
==================
What am I doing wrong?

Thanks in advance,

Nico

==================

Environment:
server: Windows 2008R2
client: Ubuntu 10.04 64-bit running samba 3.4.7 (I can't find any 3.5
packages for Ubuntu unfortunately)
#### /etc/samba/smb.conf
[global]

domain master = no
local master = no
prefered master = no
server signing = mandatory
wide links = yes
unix extensions = no
server string = Samba Server ubuntu
realm = MY.DOMAIN.COM
workgroup = MY
security = ADS
password server = my ad servers
encrypt passwords = yes
guest account = nobody
log file = /var/log/samba/samba.log
username map = /etc/samba/user.map
socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins support = yes
disable netbios = Yes
dns proxy = yes
obey pam restrictions = yes
pam password change = yes
winbind separator = /
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
idmap backend = adex
idmap uid = 1000-999999
idmap gid = 999-999999
winbind normalize names = yes
winbind nss info = adex
allow trusted domains = Yes
default service = homes
preload = global homes
valid users = @"MY/Domain Users"
admin users = "MY/administrator"
#### /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind

#### /etc/pam.d/common-account
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000

#### /etc/pam.d/common-auth

auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
--
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium

Phone: +32 (0)2 700 8641
Fax: +32 (0)2 700 8622
E-mail: nico.deranter(a)eu.sony.com

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels
Fortis - BIC GEBABEBB - IBAN BE41293037680010
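A small triage helper for the winbindd-idmap log excerpt quoted above. This is an added example, not code from the original post or from the Samba project: it parses the Samba 3 two-line debug format (a `[timestamp, level] file:line(function)` header followed by the message), pulls out any NT_STATUS code, and separates the "already registered" module notices from the entries that report an actual failure (a missing idmap module or a failed cell connection). The sample log is constructed from the lines in the post; the function and class names are my own.

```python
"""Parse Samba 3.x winbindd debug log entries and triage idmap failures."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Samba 3 debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:line(function)",
# with the message text on the following line(s).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
NTSTATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")
MISSING_MODULE_RE = re.compile(r"could not find idmap (?:alloc )?module (\S+)")


@dataclass
class Entry:
    timestamp: str
    level: int
    source_file: str
    source_line: int
    function: str
    message: str = ""
    nt_status: Optional[str] = None


def parse_winbindd_log(text: str) -> List[Entry]:
    """Group header lines with their continuation lines into Entry records."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["ts"], int(m["level"]), m["file"],
                            int(m["line"]), m["func"])
            entries.append(current)
        elif current is not None and line:
            # Continuation line: append to the message, record any NT_STATUS.
            current.message = f"{current.message} {line}".strip()
            nt = NTSTATUS_RE.search(line)
            if nt:
                current.nt_status = nt.group(1)
    return entries


def is_failure(entry: Entry) -> bool:
    """An entry is a failure if it carries an NT_STATUS code or reports
    that a configured idmap module could not be loaded."""
    if entry.nt_status is not None:
        return True
    return MISSING_MODULE_RE.search(entry.message) is not None


def find_failures(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if is_failure(e)]


def registration_notices(entries: List[Entry]) -> List[Entry]:
    """Duplicate 'already registered' notices, kept separate from failures."""
    return [e for e in entries if "already registered" in e.message]


def missing_idmap_modules(entries: List[Entry]) -> List[str]:
    """Names of idmap modules winbindd said it could not find, in log order."""
    found: List[str] = []
    for e in entries:
        m = MISSING_MODULE_RE.search(e.message)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


# Constructed sample: the log lines quoted in the post, verbatim.
SAMPLE_LOG = """....
[2010/07/28 18:10:01, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2010/07/28 18:10:01, 0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2010/07/28 18:10:01, 0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2010/07/28 18:10:01, 1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module adex
[2010/07/28 18:10:01, 1] winbindd/idmap_adex/likewise_cell.c:346(cell_connect_dn)
  LWI: Failled to connect to cell "dc=MY,dc=DOMAIN,dc=COM" (NT_STATUS_NO_LOGON_SERVERS)
"""

if __name__ == "__main__":
    parsed = parse_winbindd_log(SAMPLE_LOG)
    for e in find_failures(parsed):
        print(f"{e.timestamp} level={e.level} {e.source_file}:{e.source_line} "
              f"{e.function}: {e.message}")
    print("missing idmap modules:", missing_idmap_modules(parsed))
```

Run against the real file with `parse_winbindd_log(open('/var/log/samba/log.winbindd-idmap').read())`; the two entries `find_failures` returns for the sample are the ones worth chasing (the alloc module lookup and the cell connection), while the three registration notices are only the duplicate-registration chatter that precedes them.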



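One check worth running on the smb.conf posted above before going further: whether the `idmap uid` / `idmap gid` ranges include ids that local accounts already use, since a domain identity mapped onto an id that a local user or group owns gives two names for one uid or gid. This is an added example, not code from the original post or from Samba: a minimal smb.conf reader, a range parser, and an overlap check against passwd(5)/group(5) formatted lines. The smb.conf sample is a subset of the posted `[global]` section; the local account lines are constructed (the `nobody`/`nogroup` id of 65534 follows the Debian convention, `localadmin` is invented).

```python
"""Check smb.conf idmap ranges against ids used by local accounts."""
from typing import Dict, List, Tuple


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Keys are lower-cased with internal whitespace collapsed, matching the
    way Samba treats parameter names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_range(value: str) -> Tuple[int, int]:
    """'1000-999999' -> (1000, 999999)."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def local_ids(db_text: str, field: int = 2) -> Dict[str, int]:
    """Name -> numeric id from passwd(5) or group(5) lines (id is field 2)."""
    ids: Dict[str, int] = {}
    for line in db_text.splitlines():
        parts = line.split(":")
        if len(parts) > field and parts[field].isdigit():
            ids[parts[0]] = int(parts[field])
    return ids


def overlapping_accounts(id_range: Tuple[int, int],
                         ids: Dict[str, int]) -> List[Tuple[str, int]]:
    """Local accounts whose id falls inside the configured idmap range."""
    lo, hi = id_range
    return sorted((name, n) for name, n in ids.items() if lo <= n <= hi)


def check_idmap_ranges(smb_conf: str, passwd_text: str,
                       group_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """For each configured idmap range, list the colliding local accounts."""
    g = parse_smb_conf(smb_conf).get("global", {})
    report: Dict[str, List[Tuple[str, int]]] = {}
    for key, table in (("idmap uid", local_ids(passwd_text)),
                       ("idmap gid", local_ids(group_text))):
        if key in g:
            report[key] = overlapping_accounts(parse_range(g[key]), table)
    return report


# Subset of the [global] section from the post.
SMB_CONF_SAMPLE = """[global]
realm = MY.DOMAIN.COM
workgroup = MY
security = ADS
idmap backend = adex
idmap uid = 1000-999999
idmap gid = 999-999999
winbind nss info = adex
socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
"""

# Constructed local account lines (not from the post).
LOCAL_PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
"""
LOCAL_GROUP_SAMPLE = """root:x:0:
daemon:x:1:
nogroup:x:65534:
localadmin:x:1000:
"""

if __name__ == "__main__":
    for key, hits in check_idmap_ranges(SMB_CONF_SAMPLE, LOCAL_PASSWD_SAMPLE,
                                        LOCAL_GROUP_SAMPLE).items():
        print(key, "collides with:", hits or "nothing")
```

On a live box, feed it `open('/etc/samba/smb.conf').read()`, `open('/etc/passwd').read()` and `open('/etc/group').read()`; with the ranges in the post, the standard `nobody`/`nogroup` id and any local user created at 1000 land inside the idmap windows, so those ids should either be excluded from the range or verified never to be assigned to an AD account's rfc2307 attributes.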