Timestamp:
Mar 1, 2010, 3:05:48 PM (15 years ago)
Author:
Herwig Bauernfeind
Message:

Update Samba 3.3.x to 3.3.11

File:
1 edited

  • branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/unixclients.html

    r368 r411  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 7. Adding Domain Member Servers and Clients"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. 
Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id2595324">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2595378">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2595413">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2595441">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596090">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2596190">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server  Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2602396">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2602971">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2603025">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2595226"></a><a class="indexterm" name="id2595233"></a>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. 
Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id2589239">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2589292">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2589328">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2589356">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2590005">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2590105">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server  Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596311">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2596886">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2596940">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2589141"></a><a class="indexterm" name="id2589148"></a>
    22        The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing.
    33        It is well known that Samba is a file and print server. A recent survey conducted by <span class="emphasis"><em>Open Magazine</em></span> found
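Review bot: the `<meta name="generator">` value moves from "DocBook XSL Stylesheets V1.75.2" (r368) to "DocBook XSL Stylesheets V1.74.0" (r411), so the regenerated HTML was built with an older stylesheet release than the file it replaces. That downgrade, not any content edit, is what produces the markup churn through the rest of this file: `title="…"` on the chapter and sect divs replaced by `lang="en"`, `class="itemizedlist"` on `<ul>` and `class="listitem"` on `<li>` dropped, and every `id25…` anchor renumbered. The commit message only says "Update Samba 3.3.x to 3.3.11"; please record whether these HTML files were copied verbatim from the 3.3.11 release tarball or rebuilt locally, so a later reader does not mistake the toolchain change for an intentional documentation edit.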
     
    1212        the addition of Samba servers into your present Windows network  whatever the controlling technology
    1313        may be. So let's get back to our good friends at Abmas.
    14         </p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2595324"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2595330"></a><a class="indexterm" name="id2595338"></a>
     14        </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589239"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2589245"></a><a class="indexterm" name="id2589253"></a>
    1515        Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward
    1616        with not too many distractions or problems. Your team is doing well, but a number of employees
    1717        are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's
    1818        get on with this; Christine and Stan are ready to go.
    19         </p><p><a class="indexterm" name="id2595359"></a>
     19        </p><p><a class="indexterm" name="id2589274"></a>
    2020        Stan is firmly in control of the department of the future, while Christine is enjoying a stable and
    2121        predictable network environment. It is time to add more servers and to add Linux desktops. It is
    2222        time to meet the demands of future growth and endure trial by fire.
    23         </p><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id2595378"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2595384"></a>
     23        </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589292"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2589299"></a>
    2424        You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003
    2525        Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him
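Review bot: the Introduction anchor changes from `id2595324` to `id2589239` and the Assignment Tasks anchor from `id2595378` to `id2589292`, so any bookmark or external link of the form `unixclients.html#id2595324` silently breaks with this regeneration, whereas the sections that carry an explicit id in the source (`sdcsdmldap`, `wdcsdm`, `dcwonss`, `adssdm` in the table of contents) keep their anchors. If these sections need to stay linkable, the fix is an explicit id on the corresponding sect1/sect2 element in the DocBook source; editing the generated anchors here would be lost on the next rebuild.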
     
    3131        do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make
    3232        the right decision, don't you?
    33         </p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2595413"></a>Dissection and Discussion</h2></div></div></div><p>
    34         <a class="indexterm" name="id2595421"></a>
     33        </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589328"></a>Dissection and Discussion</h2></div></div></div><p>
     34        <a class="indexterm" name="id2589336"></a>
    3535        Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble
    3636        at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning
     
    4040        resolution. You also provide working examples of solutions for integrated authentication for
    4141        both UNIX/Linux and Windows environments.
    42         </p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2595441"></a>Technical Issues</h3></div></div></div><p>
    43                 One of the great challenges we face when people ask us, <span class="quote">&#8220;<span class="quote">What is the best way to solve
    44                 this problem?</span>&#8221;</span> is to get beyond the facts so we not only can clearly comprehend
     42        </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2589356"></a>Technical Issues</h3></div></div></div><p>
     43                One of the great challenges we face when people ask us, &#8220;<span class="quote">What is the best way to solve
     44                this problem?</span>&#8221; is to get beyond the facts so we not only can clearly comprehend
    4545                the immediate technical problem, but also can understand how needs may change.
    4646                </p><p>
    47                 <a class="indexterm" name="id2595460"></a>
     47                <a class="indexterm" name="id2589375"></a>
    4848                There are a few facts we should note when dealing with the question of how best to
    4949                integrate UNIX/Linux clients and servers into a Windows networking environment:
    50                 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
    51                         <a class="indexterm" name="id2595476"></a>
    52                         <a class="indexterm" name="id2595483"></a>
    53                         <a class="indexterm" name="id2595490"></a>
    54                         <a class="indexterm" name="id2595499"></a>
    55                         <a class="indexterm" name="id2595506"></a>
     50                </p><div class="itemizedlist"><ul type="disc"><li><p>
     51                        <a class="indexterm" name="id2589391"></a>
     52                        <a class="indexterm" name="id2589398"></a>
     53                        <a class="indexterm" name="id2589405"></a>
     54                        <a class="indexterm" name="id2589414"></a>
     55                        <a class="indexterm" name="id2589421"></a>
    5656                        A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
    5757                        This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
    5858                        to the same values that the PDC resolved them to.
    59                         </p></li><li class="listitem"><p>
    60                         <a class="indexterm" name="id2595521"></a>
    61                         <a class="indexterm" name="id2595528"></a>
    62                         <a class="indexterm" name="id2595540"></a>
    63                         <a class="indexterm" name="id2595547"></a>
     59                        </p></li><li><p>
     60                        <a class="indexterm" name="id2589436"></a>
     61                        <a class="indexterm" name="id2589443"></a>
     62                        <a class="indexterm" name="id2589455"></a>
     63                        <a class="indexterm" name="id2589462"></a>
    6464                        A domain member can be authoritative for local accounts, but is never authoritative for
    6565                        domain accounts. If a user is accessing a domain member server and that user's account
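Review bot: in lines 43-44 the quotation markup changes from `<span class="quote">&#8220;<span class="quote">…</span>&#8221;</span>` to `&#8220;<span class="quote">…</span>&#8221;`, so the curly quote characters now sit outside the `.quote` span, and in lines 50-63 the `<ul>` loses `class="itemizedlist"` and each `<li>` loses `class="listitem"` (the wrapping `<div class="itemizedlist">` is unchanged). Check whether `../samba.css` selects on `.quote`, `ul.itemizedlist` or `li.listitem`; if it does, the rendered page changes with this commit even though the text is identical.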
     
    6767                        from the domain in which that user's account resides. It must then map that ID to a
    6868                        UID/GID pair that it can use locally. This is handled by <code class="literal">winbindd</code>.
    69                         </p></li><li class="listitem"><p>
     69                        </p></li><li><p>
    7070                        Samba, when running on a domain member server, can resolve user identities from a
    7171                        number of sources:
    72                         </p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>
    73                                 <a class="indexterm" name="id2595579"></a>
    74                                 <a class="indexterm" name="id2595586"></a>
    75                                 <a class="indexterm" name="id2595593"></a>
    76                                 <a class="indexterm" name="id2595599"></a>
    77                                 <a class="indexterm" name="id2595606"></a>
     72                        </p><div class="itemizedlist"><ul type="circle"><li><p>
     73                                <a class="indexterm" name="id2589494"></a>
     74                                <a class="indexterm" name="id2589501"></a>
     75                                <a class="indexterm" name="id2589508"></a>
     76                                <a class="indexterm" name="id2589514"></a>
     77                                <a class="indexterm" name="id2589521"></a>
    7878                                By executing a system <code class="literal">getpwnam()</code> or <code class="literal">getgrnam()</code> call.
    7979                                On systems that support it, this utilizes the name service switch (NSS) facility to
    8080                                resolve names according to the configuration of the <code class="filename">/etc/nsswitch.conf</code>
    8181                                file. NSS can be configured to use LDAP, winbind, NIS, or local files.
    82                                 </p></li><li class="listitem"><p>
    83                                 <a class="indexterm" name="id2595639"></a>
    84                                 <a class="indexterm" name="id2595646"></a>
    85                                 <a class="indexterm" name="id2595653"></a>
     82                                </p></li><li><p>
     83                                <a class="indexterm" name="id2589554"></a>
     84                                <a class="indexterm" name="id2589561"></a>
     85                                <a class="indexterm" name="id2589568"></a>
    8686                                Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured).
    8787                                This requires the use of the PADL nss_ldap tool (or equivalent).
    88                                 </p></li><li class="listitem"><p>
    89                                 <a class="indexterm" name="id2595667"></a>
    90                                 <a class="indexterm" name="id2595674"></a>
    91                                 <a class="indexterm" name="id2595680"></a>
    92                                 <a class="indexterm" name="id2595687"></a>
     88                                </p></li><li><p>
     89                                <a class="indexterm" name="id2589582"></a>
     90                                <a class="indexterm" name="id2589589"></a>
     91                                <a class="indexterm" name="id2589595"></a>
     92                                <a class="indexterm" name="id2589602"></a>
    9393                                Directly by querying <code class="literal">winbindd</code>. The <code class="literal">winbindd</code>
    9494                                contacts a domain controller to attempt to resolve the identity of the user or group. It
     
    9898                                <code class="filename">winbindd_cache.tdb</code> files.
    9999                                </p><p>
    100                                 <a class="indexterm" name="id2595727"></a>
    101                                 <a class="indexterm" name="id2595734"></a>
     100                                <a class="indexterm" name="id2589642"></a>
     101                                <a class="indexterm" name="id2589649"></a>
    102102                                If the parameter <a class="link" href="smb.conf.5.html#IDMAPBACKEND" target="_top">idmap backend = ldap:ldap://myserver.domain</a>
    103103                                was specified and the LDAP server has been configured with a container in which it may
     
    111111                        in the <code class="filename">smb.conf</code> file. Some of the configuration options are rather less than obvious to the
    112112                        casual user.
    113                         </p></li><li class="listitem"><p>
    114                         <a class="indexterm" name="id2595799"></a>
    115                         <a class="indexterm" name="id2595806"></a>
    116                         <a class="indexterm" name="id2595816"></a>
     113                        </p></li><li><p>
     114                        <a class="indexterm" name="id2589714"></a>
     115                        <a class="indexterm" name="id2589721"></a>
     116                        <a class="indexterm" name="id2589731"></a>
    117117                        If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
    118118                        of being resolved using) the NSS facility, it is possible to use the
     
    121121                        and to domain member servers.
    122122                        </p></li></ul></div><p>
    123                 <a class="indexterm" name="id2595851"></a>
    124                 <a class="indexterm" name="id2595858"></a>
    125                 <a class="indexterm" name="id2595865"></a>
     123                <a class="indexterm" name="id2589766"></a>
     124                <a class="indexterm" name="id2589773"></a>
     125                <a class="indexterm" name="id2589780"></a>
    126126                For many administrators, it should be plain that the use of an LDAP-based repository for all network
    127127                accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
    128128                controllable facility. You eventually appreciate the decision to use LDAP.
    129129                </p><p>
    130                 <a class="indexterm" name="id2595880"></a>
    131                 <a class="indexterm" name="id2595886"></a>
    132                 <a class="indexterm" name="id2595893"></a>
     130                <a class="indexterm" name="id2589795"></a>
     131                <a class="indexterm" name="id2589801"></a>
     132                <a class="indexterm" name="id2589808"></a>
    133133                If your network account information resides in an LDAP repository, you should use it ahead of any
    134134                alternative method. This means that if it is humanly possible to use the <code class="literal">nss_ldap</code>
     
    137137                throughout the network.
    138138                </p><p>
    139                 <a class="indexterm" name="id2595916"></a>
    140                 <a class="indexterm" name="id2595925"></a>
    141                 <a class="indexterm" name="id2595932"></a>
    142                 <a class="indexterm" name="id2595939"></a>
    143                 <a class="indexterm" name="id2595946"></a>
    144                 <a class="indexterm" name="id2595953"></a>
     139                <a class="indexterm" name="id2589831"></a>
     140                <a class="indexterm" name="id2589840"></a>
     141                <a class="indexterm" name="id2589847"></a>
     142                <a class="indexterm" name="id2589854"></a>
     143                <a class="indexterm" name="id2589861"></a>
     144                <a class="indexterm" name="id2589868"></a>
    145145                In the situation where UNIX accounts are held on the domain member server itself, the only effective
    146146                way to use them involves the <code class="filename">smb.conf</code> entry
     
    150150                disables the use of Samba with trusted domains (i.e., external domains).
    151151                </p><p>
    152                 <a class="indexterm" name="id2596004"></a>
    153                 <a class="indexterm" name="id2596011"></a>
    154                 <a class="indexterm" name="id2596020"></a>
    155                 <a class="indexterm" name="id2596027"></a>
     152                <a class="indexterm" name="id2589919"></a>
     153                <a class="indexterm" name="id2589926"></a>
     154                <a class="indexterm" name="id2589935"></a>
     155                <a class="indexterm" name="id2589942"></a>
    156156                Winbind can be used to create an appliance mode domain member server. In this capacity, <code class="literal">winbindd</code>
    157157                is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <code class="filename">smb.conf</code> file. The allocation
     
    162162                is stored in the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files.
    163163                </p><p>
    164                 <a class="indexterm" name="id2596075"></a>
     164                <a class="indexterm" name="id2589990"></a>
    165165                The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
    166166                mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
    167167                servers so configured. This solves one of the major headaches for network administrators who need to copy
    168168                files between or across network file servers.
    169                 </p></div><div class="sect2" title="Political Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2596090"></a>Political Issues</h3></div></div></div><p>
    170                 <a class="indexterm" name="id2596098"></a>
    171                 <a class="indexterm" name="id2596105"></a>
    172                 <a class="indexterm" name="id2596111"></a>
    173                 <a class="indexterm" name="id2596120"></a>
     169                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2590005"></a>Political Issues</h3></div></div></div><p>
     170                <a class="indexterm" name="id2590013"></a>
     171                <a class="indexterm" name="id2590020"></a>
     172                <a class="indexterm" name="id2590026"></a>
     173                <a class="indexterm" name="id2590035"></a>
    174174                One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
    175175                particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
     
    183183                commercial integration products. But it's not what Active Directory was designed for.
    184184                </p><p>
    185                 <a class="indexterm" name="id2596159"></a>
    186                 <a class="indexterm" name="id2596165"></a>
     185                <a class="indexterm" name="id2590074"></a>
     186                <a class="indexterm" name="id2590080"></a>
    187187                A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
    188188                is the first application group to almost force network administrators to use LDAP. It should be pointed
     
    190190                finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total
    191191                organizational directory needs.
    192                 </p></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596190"></a>Implementation</h2></div></div></div><p>
    193         <a class="indexterm" name="id2596198"></a>
    194         <a class="indexterm" name="id2596208"></a>
    195         <a class="indexterm" name="id2596217"></a>
     192                </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2590105"></a>Implementation</h2></div></div></div><p>
     193        <a class="indexterm" name="id2590113"></a>
     194        <a class="indexterm" name="id2590123"></a>
     195        <a class="indexterm" name="id2590132"></a>
    196196        The domain member server and the domain member client are at the center of focus in this chapter.
    197197        Configuration of Samba-3 domain controller is covered in earlier chapters, so if your
     
    199199        oil that helps you to add domain member servers and clients.
    200200        </p><p>
    201         <a class="indexterm" name="id2596233"></a>
     201        <a class="indexterm" name="id2590148"></a>
    202202        In practice, domain member servers and domain member workstations are very different entities, but in
    203203        terms of technology they share similar core infrastructure. A technologist would argue that servers
     
    207207        but a server is viewed as a core component of the business.
    208208        </p><p>
    209         <a class="indexterm" name="id2596255"></a>
     209        <a class="indexterm" name="id2590170"></a>
    210210        We can look at this another way. If a workstation breaks down, one user is affected, but if a
    211211        server breaks down, hundreds of users may not be able to work. The services that a workstation
     
    213213        and is distribution oriented.
    214214        </p><p>
    215         <a class="indexterm" name="id2596271"></a>
    216         <a class="indexterm" name="id2596278"></a>
    217         <a class="indexterm" name="id2596285"></a>
     215        <a class="indexterm" name="id2590186"></a>
     216        <a class="indexterm" name="id2590193"></a>
     217        <a class="indexterm" name="id2590200"></a>
    218218        <span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify what
    219219        components of the operating system and its environment must be configured. Also, it is necessary
     
    226226        So, in this chapter we demonstrate how to implement the technology. It is done within a context of
    227227        what type of service need must be fulfilled.
    228         </p><div class="sect2" title="Samba Domain with Samba Domain Member Server Using NSS LDAP"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server  Using NSS LDAP</h3></div></div></div><p>
    229         <a class="indexterm" name="id2596326"></a>
    230         <a class="indexterm" name="id2596332"></a>
    231         <a class="indexterm" name="id2596339"></a>
    232         <a class="indexterm" name="id2596346"></a>
    233         <a class="indexterm" name="id2596355"></a>
    234         <a class="indexterm" name="id2596362"></a>
     228        </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server  Using NSS LDAP</h3></div></div></div><p>
     229        <a class="indexterm" name="id2590241"></a>
     230        <a class="indexterm" name="id2590247"></a>
     231        <a class="indexterm" name="id2590254"></a>
     232        <a class="indexterm" name="id2590261"></a>
     233        <a class="indexterm" name="id2590270"></a>
     234        <a class="indexterm" name="id2590277"></a>
    235235        In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
    236236        an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
     
    248248        so that all domain member servers can use a consistent mapping.
    249249        </p><p>
    250         <a class="indexterm" name="id2596426"></a>
    251         <a class="indexterm" name="id2596433"></a>
    252         <a class="indexterm" name="id2596440"></a>
     250        <a class="indexterm" name="id2590341"></a>
     251        <a class="indexterm" name="id2590348"></a>
     252        <a class="indexterm" name="id2590355"></a>
    253253        If your installation is accessed only from clients that are members of your own domain, and all
    254254        user accounts are present in a local passdb backend then it is not necessary to run
     
    259259        <code class="literal">getpwnam()</code> system call. On NSS-enabled systems, the actual POSIX account
    260260        source can be provided from
    261         </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
    262                 <a class="indexterm" name="id2596477"></a>
    263                 <a class="indexterm" name="id2596484"></a>
     261        </p><div class="itemizedlist"><ul type="disc"><li><p>
     262                <a class="indexterm" name="id2590392"></a>
     263                <a class="indexterm" name="id2590398"></a>
    264264                Accounts in <code class="filename">/etc/passwd</code> or in <code class="filename">/etc/group</code>.
    265                 </p></li><li class="listitem"><p>
    266                 <a class="indexterm" name="id2596507"></a>
    267                 <a class="indexterm" name="id2596514"></a>
    268                 <a class="indexterm" name="id2596520"></a>
    269                 <a class="indexterm" name="id2596527"></a>
    270                 <a class="indexterm" name="id2596534"></a>
    271                 <a class="indexterm" name="id2596540"></a>
    272                 <a class="indexterm" name="id2596547"></a>
    273                 <a class="indexterm" name="id2596554"></a>
    274                 <a class="indexterm" name="id2596561"></a>
     265                </p></li><li><p>
     266                <a class="indexterm" name="id2590422"></a>
     267                <a class="indexterm" name="id2590428"></a>
     268                <a class="indexterm" name="id2590435"></a>
     269                <a class="indexterm" name="id2590442"></a>
     270                <a class="indexterm" name="id2590449"></a>
     271                <a class="indexterm" name="id2590455"></a>
     272                <a class="indexterm" name="id2590462"></a>
     273                <a class="indexterm" name="id2590469"></a>
     274                <a class="indexterm" name="id2590476"></a>
    275275                Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs
    276276                via multiple methods. The methods typically include <code class="literal">files</code>,
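Review bot: the list markup loses its class hooks here (`<ul class="itemizedlist" type="disc"><li class="listitem">` becomes `<ul type="disc"><li>`), which shows the HTML was produced by a different DocBook XSL release than the previous revision, not that the source text changed. Any CSS rule keyed on `.itemizedlist` or `.listitem` stops matching, so confirm the toolchain change is intended and that lists still render as before.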
     
    279279                correctly installed, Samba adds to this list the <code class="literal">winbindd</code> facility.
    280280                The ldap facility is frequently the nss_ldap tool provided by PADL Software.
    281                 </p></li></ul></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
     281                </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    282282        To advoid confusion the use of the term <code class="literal">local passdb backend</code> means that
    283283        the user account backend is not shared by any other Samba server  instead, it is
    284284        used only locally on the Samba domain member server under discussion.
    285285        </p></div><p>
    286         <a class="indexterm" name="id2596640"></a>
     286        <a class="indexterm" name="id2590555"></a>
    287287        The diagram in <a class="link" href="unixclients.html#ch9-sambadc" title="Figure 7.2. Samba Domain: Samba Member Server">&#8220;Samba Domain: Samba Member Server&#8221;</a> demonstrates the relationship of Samba and system
    288288        components that are involved in the identity resolution process where Samba is used as a domain
    289289        member server within a Samba domain control network.
    290290        </p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure 7.2. Samba Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div></div><br class="figure-break"><p>
    291         <a class="indexterm" name="id2596702"></a>
    292         <a class="indexterm" name="id2596709"></a>
     291        <a class="indexterm" name="id2590617"></a>
     292        <a class="indexterm" name="id2590624"></a>
    293293        In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
    294294        to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
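Review bot: the unchanged context carries two source-side defects that survive regeneration: "To advoid confusion" should read "To avoid confusion", and "any other Samba server  instead, it is" has lost the punctuation between "server" and "instead" (the double space marks where it was). Because this file is generated output, both fixes belong in the DocBook XML, not in this HTML.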
     
    301301        If the network does not have an LDAP slave server (i.e., <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a> configuration),
    302302        change the target LDAP server from <code class="constant">lapdc</code> to <code class="constant">massive.</code>
    303         </p><div class="procedure" title="Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution"><a name="id2596757"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     303        </p><div class="procedure"><a name="id2590672"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p>
    304304                Create the <code class="filename">smb.conf</code> file as shown in <a class="link" href="unixclients.html#ch9-sdmsdc" title="Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File">&#8220;Samba Domain Member in Samba Domain Using LDAP  smb.conf File&#8221;</a>. Locate
    305305                this file in the directory <code class="filename">/etc/samba</code>.
    306                 </p></li><li class="step" title="Step 2"><p>
    307                 <a class="indexterm" name="id2596795"></a>
     306                </p></li><li><p>
     307                <a class="indexterm" name="id2590710"></a>
    308308                Configure the file that will be used by <code class="constant">nss_ldap</code> to
    309309                locate and communicate with the LDAP server. This file is called <code class="filename">ldap.conf</code>.
     
    323323/etc/ldap.conf
    324324</pre><p>
    325                 </p></li><li class="step" title="Step 3"><p>
     325                </p></li><li><p>
    326326                Configure the NSS control file so it matches the one shown in
    327327                <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">&#8220;NSS using LDAP for Identity Resolution  File: /etc/nsswitch.conf&#8221;</a>.
    328                 </p></li><li class="step" title="Step 4"><p>
    329                 <a class="indexterm" name="id2596883"></a>
    330                 <a class="indexterm" name="id2596890"></a>
     328                </p></li><li><p>
     329                <a class="indexterm" name="id2590798"></a>
     330                <a class="indexterm" name="id2590805"></a>
    331331                Before proceeding to configure Samba, validate the operation of the NSS identity
    332332                resolution via LDAP by executing:
     
    363363sammy:x:4321:
    364364</pre><p>
    365                 <a class="indexterm" name="id2596954"></a>
    366                 <a class="indexterm" name="id2596961"></a>
    367                 <a class="indexterm" name="id2596968"></a>
     365                <a class="indexterm" name="id2590869"></a>
     366                <a class="indexterm" name="id2590876"></a>
     367                <a class="indexterm" name="id2590883"></a>
    368368                This shows that all is working as it should be. Notice that in the LDAP database
    369369                the users' primary and secondary group memberships are identical. It is not
     
    374374                conditions. It is intended that these limitations with winbind will be resolved soon
    375375                after Samba-3.0.20 has been released.
    376                 </p></li><li class="step" title="Step 5"><p>
    377                 <a class="indexterm" name="id2596992"></a>
     376                </p></li><li><p>
     377                <a class="indexterm" name="id2590906"></a>
    378378                The LDAP directory must have a container object for IDMAP data. There are several ways you can
    379379                check that your LDAP database is able to receive IDMAP information. One of the simplest is to
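Review bot: the context lines still say the winbind limitations "will be resolved soon after Samba-3.0.20 has been released", which is stale in a 3.3.x document and reads as a forward-looking statement about a release that is long past. Regeneration preserved it verbatim; the XML source should state what the 3.3 winbind actually does with primary and secondary group membership, or drop the sentence.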
     
    384384ou: idmap
    385385</pre><p>
    386                 <a class="indexterm" name="id2597014"></a>
     386                <a class="indexterm" name="id2590929"></a>
    387387                If the execution of this command does not return IDMAP entries, you need to create an LDIF
    388388                template file (see <a class="link" href="unixclients.html#ch9-ldifadd" title="Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">&#8220;LDIF IDMAP Add-On Load File  File: /etc/openldap/idmap.LDIF&#8221;</a>). You can add the required entries using
     
    392392                -w not24get &lt; /etc/openldap/idmap.LDIF
    393393</pre><p>
    394                 </p></li><li class="step" title="Step 6"><p>
     394                </p></li><li><p>
    395395                Samba automatically populates the LDAP directory container when it needs to. To permit Samba
    396396                write access to the LDAP directory it is necessary to set the LDAP administrative password
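Review bot: the LDIF load command ends with `-w not24get < /etc/openldap/idmap.LDIF`, passing the directory administrator password on the command line, where it is visible to every local user in the process list and is written to shell history. The OpenLDAP clients accept `-W` to prompt for the password or `-y passwdfile` to read it from a root-only file; the example should use one of those, and the literal `not24get` (reused for `smbpasswd -w` in the next step) should be marked as a placeholder so readers do not deploy a published credential.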
     
    399399<code class="prompt">root# </code> smbpasswd -w not24get
    400400</pre><p>
    401                 </p></li><li class="step" title="Step 7"><p>
    402                 <a class="indexterm" name="id2597078"></a>
    403                 <a class="indexterm" name="id2597090"></a>
     401                </p></li><li><p>
     402                <a class="indexterm" name="id2590993"></a>
     403                <a class="indexterm" name="id2591004"></a>
    404404                The system is ready to join the domain. Execute the following:
    405405</p><pre class="screen">
     
    412412                causes of failure to join are:
    413413                </p><p>
    414                 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Broken resolution of NetBIOS names to the respective IP address.</p></li><li class="listitem"><p>Incorrect username and password credentials.</p></li><li class="listitem"><p>The NT4 <em class="parameter"><code>restrict anonymous</code></em> is set to exclude anonymous
     414                </p><div class="itemizedlist"><ul type="disc"><li><p>Broken resolution of NetBIOS names to the respective IP address.</p></li><li><p>Incorrect username and password credentials.</p></li><li><p>The NT4 <em class="parameter"><code>restrict anonymous</code></em> is set to exclude anonymous
    415415                                connections.</p></li></ul></div><p>
    416416                </p><p>
     
    419419<code class="prompt">root# </code> net rpc join -S 'pdc-name' -U administrator%password -d 5
    420420</pre><p>
    421                 <a class="indexterm" name="id2597162"></a>
    422                 <a class="indexterm" name="id2597168"></a>
    423                 <a class="indexterm" name="id2597175"></a>
    424                 <a class="indexterm" name="id2597182"></a>
     421                <a class="indexterm" name="id2591076"></a>
     422                <a class="indexterm" name="id2591083"></a>
     423                <a class="indexterm" name="id2591090"></a>
     424                <a class="indexterm" name="id2591097"></a>
    425425                Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
    426426                the failure appears to be related to a rejected or failed NT_SESSION_SETUP*  or an error message that
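Review bot: `net rpc join -S 'pdc-name' -U administrator%password -d 5` embeds the domain administrator password in the `-U` argument, so it lands in the process list and shell history exactly as in the ldapadd step. `net` prompts for the password when the `%password` part is omitted; the example should show `-U administrator` and let the prompt take the secret, and the adjacent note about using "root" for Samba and "Administrator" for NT4/200X is the right place to say so.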
     
    449449Join to 'MEGANET2' failed.
    450450</pre><p>
    451                 </p></li><li class="step" title="Step 8"><p>
    452                 <a class="indexterm" name="id2597243"></a>
     451                </p></li><li><p>
     452                <a class="indexterm" name="id2591158"></a>
    453453                Just joining the domain is not quite enough; you must now provide a privileged set
    454454                of credentials through which <code class="literal">winbindd</code> can interact with the
     
    458458</pre><p>
    459459                The configuration is now ready to obtain the Samba domain user and group information.
    460                 </p></li><li class="step" title="Step 9"><p>
     460                </p></li><li><p>
    461461                You may now start Samba in the usual manner, and your Samba domain member server
    462462                is ready for use. Just add shares as required.
    463                 </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP  <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2597321"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2597333"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2597345"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2597356"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2597368"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id2597380"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2597391"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2597403"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2597415"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2597427"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2597439"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2597451"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2597462"></a><em class="parameter"><code>ldap suffix = 
dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2597474"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2597486"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2597498"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2597510"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2597522"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2597534"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2597546"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2597558"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2597570"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2597582"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2597594"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2597615"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2597626"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2597638"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2597650"></a><em class="parameter"><code>browseable = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2597670"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2597682"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2597694"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2597705"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2597717"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2597737"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2597749"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2597761"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2597773"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File  File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
     463                </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP  <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2591236"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2591248"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2591260"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2591271"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2591283"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id2591295"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2591306"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2591318"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2591330"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2591342"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2591354"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2591366"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2591377"></a><em class="parameter"><code>ldap suffix = 
dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591389"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2591401"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2591413"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2591425"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2591437"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591449"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2591461"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2591473"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2591485"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591497"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2591509"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2591530"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2591541"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2591553"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2591564"></a><em class="parameter"><code>browseable = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2591585"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2591597"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2591608"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591620"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2591632"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2591652"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2591664"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2591676"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2591688"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File  File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
    464464dn: ou=Idmap,dc=abmas,dc=biz
    465465objectClass: organizationalUnit
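Review bot: Example 7.1 ships with `log level = 10`, which is full debug tracing and, combined with `log file = /var/log/samba/%m`, produces per-client logs that record account names and protocol detail; the companion Example 7.5 in this same file uses `log level = 1`. Either lower it here or state in the text that 10 is for initial validation only. Separately, `idmap backend = ldap:ldap://lapdc.abmas.biz` names a plain `ldap://` endpoint while `ldap admin dn = cn=Manager,dc=abmas,dc=biz` binds with the directory manager credential; unless the LDAP client configuration enforces TLS, that bind and the IDMAP traffic cross the network in the clear, so the example should set `ldap ssl = start tls` or spell out the TLS requirement.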
     
    498498automount:      files
    499499aliases:        files
    500 </pre></div></div><br class="example-break"></div><div class="sect2" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</h3></div></div></div><p>
     500</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="wdcsdm"></a>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</h3></div></div></div><p>
    501501        You need to use this method for creating a Samba domain member server if any of the following conditions
    502502        prevail:
    503         </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
     503        </p><div class="itemizedlist"><ul type="disc"><li><p>
    504504                LDAP support (client) is not installed on the system.
    505                 </p></li><li class="listitem"><p>
     505                </p></li><li><p>
    506506                There are mitigating circumstances forcing a decision not to use LDAP.
    507                 </p></li><li class="listitem"><p>
     507                </p></li><li><p>
    508508                The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
    509509                </p></li></ul></div><p>
    510         <a class="indexterm" name="id2597904"></a>
    511         <a class="indexterm" name="id2597910"></a>
    512         <a class="indexterm" name="id2597917"></a>
     510        <a class="indexterm" name="id2591819"></a>
     511        <a class="indexterm" name="id2591825"></a>
     512        <a class="indexterm" name="id2591832"></a>
    513513        Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
    514514        Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
    515515        domain and/or does not use LDAP.
    516         </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    517         <a class="indexterm" name="id2597933"></a>
     516        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
     517        <a class="indexterm" name="id2591848"></a>
    518518        If you use <code class="literal">winbind</code> for identity resolution, make sure that there are no
    519519        duplicate accounts.
    520520        </p><p>
    521         <a class="indexterm" name="id2597950"></a>
     521        <a class="indexterm" name="id2591865"></a>
    522522        For example, do not have more than one account that has UID=0 in the password database. If there
    523523        is an account called <code class="constant">root</code> in the <code class="filename">/etc/passwd</code> database,
     
    527527        <code class="constant">root</code>.
    528528        </p><p>
    529         <a class="indexterm" name="id2597987"></a>
    530         <a class="indexterm" name="id2597994"></a>
    531         <a class="indexterm" name="id2598000"></a>
     529        <a class="indexterm" name="id2591902"></a>
     530        <a class="indexterm" name="id2591909"></a>
     531        <a class="indexterm" name="id2591915"></a>
    532532        Winbind will break if there is an account in <code class="filename">/etc/passwd</code> that has
    533533        the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
    534534        </p></div><p>
    535         <a class="indexterm" name="id2598019"></a>
    536         <a class="indexterm" name="id2598026"></a>
    537         <a class="indexterm" name="id2598033"></a>
    538         <a class="indexterm" name="id2598040"></a>
    539         <a class="indexterm" name="id2598049"></a>
     535        <a class="indexterm" name="id2591934"></a>
     536        <a class="indexterm" name="id2591941"></a>
     537        <a class="indexterm" name="id2591948"></a>
     538        <a class="indexterm" name="id2591954"></a>
     539        <a class="indexterm" name="id2591964"></a>
    540540        The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
    541541        The winbind information is locally cached in the <code class="filename">winbindd_cache.tdb winbindd_idmap.tdb</code>
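Review bot: `<code class="filename">winbindd_cache.tdb winbindd_idmap.tdb</code>` wraps two file names in one filename element, so they render as a single space-separated name; the XML source should mark each file separately so readers see two distinct files to inspect with `tdbdump`.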
     
    544544        files using the tool <code class="literal">tdbdump</code>, though you may have to build this from the Samba
    545545        source code if it has not been supplied as part of a binary package distribution that you may be using.
    546         </p><div class="procedure" title="Procedure 7.2. Configuration of Winbind-Based Identity Resolution"><a name="id2598078"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     546        </p><div class="procedure"><a name="id2591993"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p>
    547547                Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
    548548                shown in <a class="link" href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">&#8220;Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain&#8221;</a>.
    549                 </p></li><li class="step" title="Step 2"><p>
    550                 <a class="indexterm" name="id2598110"></a>
     549                </p></li><li><p>
     550                <a class="indexterm" name="id2592025"></a>
    551551                Edit the <code class="filename">/etc/nsswitch.conf</code> so it has the entries shown in
    552552                <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">&#8220;NSS using LDAP for Identity Resolution  File: /etc/nsswitch.conf&#8221;</a>.
    553                 </p></li><li class="step" title="Step 3"><p>
    554                 <a class="indexterm" name="id2598136"></a>
     553                </p></li><li><p>
     554                <a class="indexterm" name="id2592051"></a>
    555555                The system is ready to join the domain. Execute the following:
    556556</p><pre class="screen">
     
    560560                This indicates that the domain join succeed.
    561561
    562                 </p></li><li class="step" title="Step 4"><p>
    563                 <a class="indexterm" name="id2598163"></a>
    564                 <a class="indexterm" name="id2598169"></a>
     562                </p></li><li><p>
     563                <a class="indexterm" name="id2592078"></a>
     564                <a class="indexterm" name="id2592084"></a>
    565565                Validate operation of <code class="literal">winbind</code> using the <code class="literal">wbinfo</code>
    566566                tool as follows:
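Review bot: "This indicates that the domain join succeed." in the unchanged context should read "succeeded"; since this HTML is regenerated, the fix belongs in the DocBook source.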
     
    588588</pre><p>
    589589                This shows that domain groups have been correctly obtained also.
    590                 </p></li><li class="step" title="Step 5"><p>
    591                 <a class="indexterm" name="id2598226"></a>
    592                 <a class="indexterm" name="id2598232"></a>
    593                 <a class="indexterm" name="id2598239"></a>
     590                </p></li><li><p>
     591                <a class="indexterm" name="id2592140"></a>
     592                <a class="indexterm" name="id2592147"></a>
     593                <a class="indexterm" name="id2592154"></a>
    594594                The next step verifies that NSS is able to obtain this information
    595595                correctly from <code class="literal">winbind</code> also.
     
    630630MEGANET2+PIOps:x:10005:
    631631</pre><p>
    632                 </p></li><li class="step" title="Step 6"><p>
     632                </p></li><li><p>
    633633                The Samba member server of a Windows NT4 domain is ready for use.
    634                 </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2598350"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2598362"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2598373"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2598385"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2598397"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2598409"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2598420"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2598432"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2598444"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2598455"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2598467"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2598479"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2598491"></a><em class="parameter"><code>idmap uid = 
10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2598503"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2598514"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2598527"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2598539"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2598550"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2598562"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2598574"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2598595"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2598607"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2598618"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2598630"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2598650"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2598662"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2598674"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2598685"></a><em 
class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2598697"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2598718"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2598729"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2598741"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2598753"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="NT4/Samba Domain with Samba Domain Member Server without NSS Support"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
     634                </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2592265"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2592277"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2592288"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2592300"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2592312"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2592324"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592335"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2592347"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592359"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2592370"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2592382"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2592394"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2592406"></a><em class="parameter"><code>idmap uid = 
10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2592418"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2592429"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2592442"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2592454"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2592465"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2592477"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2592489"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2592510"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2592522"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2592533"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2592545"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2592565"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2592577"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2592589"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2592600"></a><em 
class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2592612"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2592632"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2592644"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2592656"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2592668"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
    635635        No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating
    636636        system that does not have NSS and PAM support to be outdated, the fact is there
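Review bot: confirm that regenerating this HTML with a different DocBook XSL stylesheet version is intended, because that is the only thing this hunk changes: the removed and added copies of Example 7.5 (from the `<table ... class="simplelist">` tag through `write list = root`) list identical smb.conf parameters, and the differences are the attribute order on the `<table>` tag, the `title="..."` attribute on the `dcwonss` sect2 `<div>` being replaced by `lang="en"`, and every `<a class="indexterm" name="id...">` anchor being renumbered (id2598350 becomes id2592265, and so on). The hand-assigned anchors `ch0-NT4DSDM` and `dcwonss` survive on the added side, so the in-page cross-references still resolve.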
     
    643643        is found, it is used. If the account is not found, one will be automatically created
    644644        on the local machine so that it can then be used for all access controls.
    645         </p><div class="procedure" title="Procedure 7.3. Configuration Using Local Accounts Only"><a name="id2598796"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     645        </p><div class="procedure"><a name="id2592711"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p>
    646646                Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
    647647                shown in <a class="link" href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">&#8220;Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain&#8221;</a>.
    648                 </p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2598829"></a>
     648                </p></li><li><p><a class="indexterm" name="id2592744"></a>
    649649                The system is ready to join the domain. Execute the following:
    650650</p><pre class="screen">
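Review bot: check samba.css before accepting the loss of styling hooks on Procedure 7.3 in the added lines: `<div class="procedure" title="Procedure 7.3. ...">` becomes a bare `<div class="procedure">`, `<ol class="procedure" type="1">` becomes `<ol type="1">`, and each `<li class="step" title="Step N">` becomes a plain `<li>`, so any rule keyed on `.step` or `ol.procedure` stops applying to the numbered steps. The procedure's generated anchor also moves from id2598796 to id2592711, which breaks external bookmarks to it; the in-document link to `ch0-NT4DSCM` is unaffected.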
     
    653653</pre><p>
    654654                This indicates that the domain join succeed.
    655                 </p></li><li class="step" title="Step 3"><p>
     655                </p></li><li><p>
    656656                Be sure to run all three Samba daemons: <code class="literal">smbd</code>, <code class="literal">nmbd</code>, <code class="literal">winbindd</code>.
    657                 </p></li><li class="step" title="Step 4"><p>
     657                </p></li><li><p>
    658658                The Samba member server of a Windows NT4 domain is ready for use.
    659                 </p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2598918"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2598930"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id2598941"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id2598953"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2598965"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2598977"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2598988"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2599000"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2599012"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2599024"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2599036"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2599048"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" 
name="id2599060"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2599072"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2599084"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2599096"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2599107"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2599119"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2599131"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2599152"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2599163"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2599175"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2599187"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2599207"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2599219"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2599231"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2599242"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id2599254"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2599274"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2599286"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2599298"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2599310"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="Active Directory Domain with Samba Domain Member Server"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
    660         <a class="indexterm" name="id2599335"></a>
    661         <a class="indexterm" name="id2599344"></a>
    662         <a class="indexterm" name="id2599351"></a>
     659                </p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2592833"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2592844"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id2592856"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id2592868"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2592880"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2592892"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2592903"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2592915"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2592927"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2592939"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2592951"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2592963"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" 
name="id2592975"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2592986"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2592999"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2593010"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2593022"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2593034"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2593046"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2593067"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2593078"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2593090"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2593102"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2593122"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2593134"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2593146"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593157"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id2593169"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2593189"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2593201"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2593213"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2593225"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
     660        <a class="indexterm" name="id2593250"></a>
     661        <a class="indexterm" name="id2593259"></a>
     662        <a class="indexterm" name="id2593266"></a>
    663663        One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
    664664        domain using Kerberos protocols. This makes it possible to operate an entire Windows network
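Review bot: typo in the unchanged context line "This indicates that the domain join succeed." (should be "succeeded"); since this HTML is generated, the fix belongs in the DocBook source so it survives the next regeneration. The rest of the hunk is the same stylesheet churn as above: Example 7.6 is reproduced with identical parameters on both sides (including `add user script = /usr/sbin/useradd -m '%u'` and `add machine script = /usr/sbin/useradd -M '%u'`), the `adssdm` sect2 `<div>` swaps its `title` attribute for `lang="en"`, and the three indexterm anchors that open the Active Directory section are renumbered.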
     
    668668        in. For now, we simply focus on how a Samba-3 server can be made a domain member server.
    669669        </p><p>
    670         <a class="indexterm" name="id2599373"></a>
    671         <a class="indexterm" name="id2599380"></a>
    672         <a class="indexterm" name="id2599387"></a>
    673         <a class="indexterm" name="id2599394"></a>
     670        <a class="indexterm" name="id2593288"></a>
     671        <a class="indexterm" name="id2593295"></a>
     672        <a class="indexterm" name="id2593302"></a>
     673        <a class="indexterm" name="id2593309"></a>
    674674        The diagram in <a class="link" href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">&#8220;Active Directory Domain: Samba Member Server&#8221;</a> demonstrates how Samba-3 interfaces with
    675675        Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
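Review bot: this hunk would not exist if the generator's id numbering were stable between builds: its only change is the four auto-generated indexterm anchor names (id2599373 through id2599394 become id2593288 through id2593309), with the surrounding prose untouched. Pinning the stylesheet so that generated ids stay constant would keep id-only hunks like this one out of future doc updates and make real content changes easier to spot.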
     
    695695        is known as <code class="constant">w2k3s.london.abmas.biz</code>. In NetBIOS nomenclature, the
    696696        domain name is <code class="constant">LONDON</code> and the server name is <code class="constant">W2K3S</code>.
    697         </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure" title="Procedure 7.4. Joining a Samba Server as an ADS Domain Member"><a name="id2599507"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
    698                 <a class="indexterm" name="id2599519"></a>
     697        </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id2593422"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p>
     698                <a class="indexterm" name="id2593434"></a>
    699699                Before you try to use Samba-3, you want to know for certain that your executables have
    700700                support for Kerberos and for LDAP. Execute the following to identify whether or
     
    762762                This does look promising; <code class="literal">smbd</code> has been built with Kerberos and LDAP
    763763                support. You are relieved to know that it is safe to progress.
    764                 </p></li><li class="step" title="Step 2"><p>
    765                 <a class="indexterm" name="id2599618"></a>
    766                 <a class="indexterm" name="id2599627"></a>
    767                 <a class="indexterm" name="id2599634"></a>
    768                 <a class="indexterm" name="id2599641"></a>
    769                 <a class="indexterm" name="id2599650"></a>
    770                 <a class="indexterm" name="id2599659"></a>
    771                 <a class="indexterm" name="id2599666"></a>
    772                 <a class="indexterm" name="id2599673"></a>
    773                 <a class="indexterm" name="id2599680"></a>
     764                </p></li><li><p>
     765                <a class="indexterm" name="id2593533"></a>
     766                <a class="indexterm" name="id2593542"></a>
     767                <a class="indexterm" name="id2593549"></a>
     768                <a class="indexterm" name="id2593556"></a>
     769                <a class="indexterm" name="id2593565"></a>
     770                <a class="indexterm" name="id2593574"></a>
     771                <a class="indexterm" name="id2593581"></a>
     772                <a class="indexterm" name="id2593588"></a>
     773                <a class="indexterm" name="id2593595"></a>
    774774                The next step is to identify which version of the Kerberos libraries have been used.
    775775                In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is
     
    792792                From this point on, you are certain that the Samba-3 build you are using has the
    793793                necessary capabilities. You can now configure Samba-3 and the NSS.
    794                 </p></li><li class="step" title="Step 3"><p>
     794                </p></li><li><p>
    795795                Using you favorite editor, configure the <code class="filename">smb.conf</code> file that is located in the
    796796                <code class="filename">/etc/samba</code> directory so that it has the contents shown
    797797                in <a class="link" href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">&#8220;Samba Domain Member smb.conf File for Active Directory Membership&#8221;</a>.
    798                 </p></li><li class="step" title="Step 4"><p>
     798                </p></li><li><p>
    799799                Edit or create the NSS control file so it has the contents shown in <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">&#8220;NSS using LDAP for Identity Resolution  File: /etc/nsswitch.conf&#8221;</a>.
    800                 </p></li><li class="step" title="Step 5"><p>
    801                 <a class="indexterm" name="id2599782"></a>
     800                </p></li><li><p>
     801                <a class="indexterm" name="id2593697"></a>
    802802                Delete the file <code class="filename">/etc/samba/secrets.tdb</code> if it exists. Of course, you
    803803                do keep a backup, don't you?
    804                 </p></li><li class="step" title="Step 6"><p>
     804                </p></li><li><p>
    805805                Delete the tdb files that cache Samba information. You keep a backup of the old
    806806                files, of course. You also remove all files to ensure that nothing can pollute your
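Review bot: typo in the unchanged context of step 3, "Using you favorite editor" should be "Using your favorite editor"; as elsewhere in this file, correct it in the DocBook source rather than in the generated HTML. The structural change in the hunk is the removal of `class="step"` and `title="Step N"` from the `<li>` elements of steps 3 through 6 and the renumbering of the indexterm anchor before the secrets.tdb step (id2599782 becomes id2593697); the step text, including the instruction to keep a backup before deleting `/etc/samba/secrets.tdb`, is unchanged on both sides.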
     
    809809<code class="prompt">root# </code> rm /var/lib/samba/*tdb
    810810</pre><p>
    811                 </p></li><li class="step" title="Step 7"><p>
    812                 <a class="indexterm" name="id2599826"></a>
     811                </p></li><li><p>
     812                <a class="indexterm" name="id2593740"></a>
    813813                Validate your <code class="filename">smb.conf</code> file using <code class="literal">testparm</code> (as you have
    814814                done previously). Correct all errors reported before proceeding. The command you
     
    819819                Now that you are satisfied that your Samba server is ready to join the Windows
    820820                ADS domain, let's move on.
    821                 </p></li><li class="step" title="Step 8"><p>
    822                 <a class="indexterm" name="id2599867"></a>
    823                 <a class="indexterm" name="id2599878"></a>
     821                </p></li><li><p>
     822                <a class="indexterm" name="id2593782"></a>
     823                <a class="indexterm" name="id2593793"></a>
    824824                This is a good time to double-check everything and then execute the following
    825825                command when everything you have done has checked out okay:
     
    832832                using Kerberos protocols.
    833833                </p><p>
    834                 <a class="indexterm" name="id2599906"></a>
    835                 <a class="indexterm" name="id2599913"></a>
     834                <a class="indexterm" name="id2593821"></a>
     835                <a class="indexterm" name="id2593828"></a>
    836836                In the event that you receive no output messages, a silent return means that the
    837837                domain join failed. You should use <code class="literal">ethereal</code> to identify what
    838838                may be failing. Common causes of a failed join include:
    839839
    840                 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
    841                         <a class="indexterm" name="id2599935"></a>
     840                </p><div class="itemizedlist"><ul type="disc"><li><p>
     841                        <a class="indexterm" name="id2593850"></a>
    842842                        Defective or misconfigured DNS name resolution.
    843                         </p></li><li class="listitem"><p>
    844                         <a class="indexterm" name="id2599949"></a>
     843                        </p></li><li><p>
     844                        <a class="indexterm" name="id2593864"></a>
    845845                        Restrictive security settings on the Windows 200x ADS domain controller
    846846                        preventing needed communications protocols. You can check this by searching
    847847                        the Windows Server 200x Event Viewer.
    848                         </p></li><li class="listitem"><p>
     848                        </p></li><li><p>
    849849                        Incorrectly configured <code class="filename">smb.conf</code> file settings.
    850                         </p></li><li class="listitem"><p>
     850                        </p></li><li><p>
    851851                        Lack of support of necessary Kerberos protocols because the version of MIT
    852852                        Kerberos (or Heimdal) in use is not up to date enough to support the necessary
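Review bot: CSS hooks are dropped from the list of join-failure causes on the added side, `class="itemizedlist"` on the `<ul>` and `class="listitem"` on each `<li>`, so any stylesheet rule keyed on those classes no longer applies; the list text itself is identical on both sides. A documentation note on the unchanged context: the advice to use `ethereal` to diagnose a failed join names a tool that was renamed Wireshark in 2006, so the DocBook source could be updated to the current name the next time this section is touched.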
     
    854854                        </p></li></ul></div><p>
    855855
    856                 <a class="indexterm" name="id2599980"></a>
    857                 <a class="indexterm" name="id2599991"></a>
    858                 <a class="indexterm" name="id2599998"></a>
     856                <a class="indexterm" name="id2593895"></a>
     857                <a class="indexterm" name="id2593906"></a>
     858                <a class="indexterm" name="id2593913"></a>
    859859                In any case, never execute the <code class="literal">net rpc join</code> command in an attempt
    860860                to join the Samba server to the domain, unless you wish not to use the Kerberos
    861861                security protocols. Use of the older RPC-based domain join facility requires that
    862862                Windows Server 200x ADS has been configured appropriately for mixed mode operation.
    863                 </p></li><li class="step" title="Step 9"><p>
    864                 <a class="indexterm" name="id2600023"></a>
    865                 <a class="indexterm" name="id2600030"></a>
     863                </p></li><li><p>
     864                <a class="indexterm" name="id2593938"></a>
     865                <a class="indexterm" name="id2593945"></a>
    866866                If the <code class="literal">tdbdump</code> is installed on your system (not essential),
    867867                you can look inside the <code class="filename">/etc/samba/secrets.tdb</code> file. If
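Review bot: every auto-generated anchor in this hunk is renumbered (id2599980, id2599991 and id2599998 become id2593895, id2593906 and id2593913, and likewise the two anchors in step 9), and the title="Step 9" attribute that labelled the step is dropped. Those id names are assigned by the stylesheet on each build, so any bookmark or external link to the old values breaks with this commit; where a section or step needs to stay linkable, give it an explicit id in the DocBook source, as the named anchors elsewhere in this diff show survives a rebuild. The instruction in this step to avoid net rpc join when Kerberos is wanted is unchanged and should stay as written.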
     
    890890</pre><p>
    891891                This is given to demonstrate to the skeptics that this process truly does work.
    892                 </p></li><li class="step" title="Step 10"><p>
     892                </p></li><li><p>
    893893                It is now time to start Samba in the usual way (as has been done many time before
    894894                in this book). 
    895                 </p></li><li class="step" title="Step 11"><p>
    896                 <a class="indexterm" name="id2600087"></a>
     895                </p></li><li><p>
     896                <a class="indexterm" name="id2594002"></a>
    897897                This is a good time to verify that everything is working. First, check that
    898898                winbind is able to obtain the list of users and groups from the ADS domain controller.
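Review bot: the step 10 text "as has been done many time before" should read "many times before"; otherwise this hunk only drops class="step" and the title attribute from the step items and renumbers one indexterm anchor.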
     
    920920</pre><p>
    921921                Excellent. That worked also, as expected.
    922                 </p></li><li class="step" title="Step 12"><p><a class="indexterm" name="id2600133"></a>
     922                </p></li><li><p><a class="indexterm" name="id2594048"></a>
    923923                Now repeat this via NSS to validate that full identity resolution is
    924924                functional as required. Execute:
     
    952952</pre><p>
    953953                This is very pleasing. Everything works as expected.
    954                 </p></li><li class="step" title="Step 13"><p>
    955                 <a class="indexterm" name="id2600191"></a>
    956                 <a class="indexterm" name="id2600202"></a>
    957                 <a class="indexterm" name="id2600211"></a>
     954                </p></li><li><p>
     955                <a class="indexterm" name="id2594106"></a>
     956                <a class="indexterm" name="id2594117"></a>
     957                <a class="indexterm" name="id2594126"></a>
    958958                You may now perform final verification that communications between Samba-3 winbind and
    959959                the Active Directory server is using Kerberos protocols. Execute the following:
     
    972972                keep all server time clocks synchronized using the network time protocol (NTP).
    973973                In any case, the output we obtained confirms that all systems are operational.
    974                 </p></li><li class="step" title="Step 14"><p>
    975                 <a class="indexterm" name="id2600247"></a>
     974                </p></li><li><p>
     975                <a class="indexterm" name="id2594162"></a>
    976976                There is one more action you elect to take, just because you are paranoid and disbelieving,
    977977                so you execute the following command:
     
    11431143        Now all is revealed. Your curiosity, as well as that of your team, has been put at ease.
    11441144        May this server serve well all who happen upon it.
    1145         </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2600468"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2600480"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id2600492"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2600503"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id2600515"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2600527"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2600539"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2600551"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2600562"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2600574"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2600586"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2600598"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2600609"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a 
class="indexterm" name="id2600621"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2600633"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2600645"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2600657"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2600669"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2600689"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2600701"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2600712"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2600724"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2600745"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2600756"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2600768"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2600780"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2600791"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2600812"></a><em 
class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2600824"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2600835"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2600847"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" title="IDMAP_RID with Winbind"><div class="titlepage"><div><div><h4 class="title"><a name="id2600860"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
    1146         <a class="indexterm" name="id2600868"></a>
    1147         <a class="indexterm" name="id2600875"></a>
    1148         <a class="indexterm" name="id2600881"></a>
    1149         <a class="indexterm" name="id2600888"></a>
     1145        </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2594383"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2594395"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id2594407"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2594418"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id2594430"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2594442"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2594454"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2594466"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2594477"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2594489"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2594501"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2594512"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2594524"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a 
class="indexterm" name="id2594536"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2594548"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2594560"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2594572"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2594584"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2594604"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2594616"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2594627"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2594639"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2594660"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2594671"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2594683"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2594695"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2594706"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2594727"></a><em 
class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2594738"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2594750"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2594762"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2594775"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
     1146        <a class="indexterm" name="id2594783"></a>
     1147        <a class="indexterm" name="id2594790"></a>
     1148        <a class="indexterm" name="id2594796"></a>
     1149        <a class="indexterm" name="id2594803"></a>
    11501150        The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a
    11511151        predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
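Review bot: Example 7.7 is emitted again with identical content (only the indexterm ids and the attribute order on the table element differ), so the stale "server string = Samba 3.0.20" line is carried unchanged into a 3.3.11 documentation update; update or drop the version there. Two smaller points in the same block: "ldap ssl = no" sits in a configuration with security = ADS and no LDAP passdb or idmap backend, where it has nothing to act on, yet it reads as a recommendation to talk to LDAP without TLS, so consider removing it; and the heading anchor for "IDMAP_RID with Winbind" changes from id2600860 to id2594775, breaking inbound links to that subsection, while the explicit name ch9-adssdm on the example survives, so an explicit id on that sect3 in the source would fix it.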
     
    11541154        is not compatible with trusted domain implementations.
    11551155        </p><p>
    1156         <a class="indexterm" name="id2600912"></a>
    1157         <a class="indexterm" name="id2600918"></a>
    1158         <a class="indexterm" name="id2600925"></a>
    1159         <a class="indexterm" name="id2600932"></a>
     1156        <a class="indexterm" name="id2594827"></a>
     1157        <a class="indexterm" name="id2594833"></a>
     1158        <a class="indexterm" name="id2594840"></a>
     1159        <a class="indexterm" name="id2594847"></a>
    11601160        This alternate method of SID to UID/GID  mapping can be achieved with the idmap_rid
    11611161        plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
    11621162        RID to a base value specified. This utility requires that the parameter
    1163         <span class="quote">&#8220;<span class="quote">allow trusted domains = No</span>&#8221;</span> must be specified, as it is not compatible
     1163        &#8220;<span class="quote">allow trusted domains = No</span>&#8221; must be specified, as it is not compatible
    11641164        with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and
    11651165        <em class="parameter"><code>idmap gid</code></em> ranges must be specified.
    11661166        </p><p>
    1167         <a class="indexterm" name="id2600965"></a>
    1168         <a class="indexterm" name="id2600972"></a>
     1167        <a class="indexterm" name="id2594880"></a>
     1168        <a class="indexterm" name="id2594887"></a>
    11691169        The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory.
    11701170        To use this with an NT4 domain, the <em class="parameter"><code>realm</code></em> is not used. Additionally the
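Review bot: "This utility requires that the parameter "allow trusted domains = No" must be specified" doubles the modality; "requires that the parameter ... be specified" reads better. The markup change in this hunk moves the curly quotation marks from inside the outer span with class quote to outside the remaining inner span, so any styling on that class no longer covers the quote characters; cosmetic, but it is further evidence that a different stylesheet produced this output.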
     
    11721172        </p><p>
    11731173        An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a class="link" href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">&#8220;Example smb.conf File Using idmap_rid&#8221;</a>.
    1174         </p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2601046"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2601058"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2601070"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2601081"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2601093"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2601105"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2601117"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2601129"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2601141"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2601153"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2601164"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2601177"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2601188"></a><em 
class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2601200"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2601212"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
    1175         <a class="indexterm" name="id2601228"></a>
    1176         <a class="indexterm" name="id2601235"></a>
    1177         <a class="indexterm" name="id2601242"></a>
    1178         <a class="indexterm" name="id2601248"></a>
     1174        </p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2594961"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2594973"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2594984"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2594996"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2595008"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2595020"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2595032"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2595044"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2595056"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2595068"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2595079"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2595092"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2595103"></a><em 
class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2595115"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2595127"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
     1175        <a class="indexterm" name="id2595143"></a>
     1176        <a class="indexterm" name="id2595150"></a>
     1177        <a class="indexterm" name="id2595156"></a>
     1178        <a class="indexterm" name="id2595163"></a>
    11791179        In a large domain with many users, it is imperative to disable enumeration of users and groups.
    11801180        For example, at a site that has 22,000 users in Active Directory the winbind-based user and
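Review bot: Example 7.8 is regenerated with no content change, so "idmap backend = idmap_rid:KPAK=500-100000000" still shows the Samba 3.0-era combined backend-plus-range syntax; for a 3.3.11 update, check the 3.3 smb.conf(5) page and, if the per-domain form ("idmap config KPAK : backend = rid" with "idmap config KPAK : range = 500-100000000") is what 3.3 documents, show that instead. The example does correctly pair the rid backend with "allow trusted domains = No" and switches off user and group enumeration, as the surrounding text requires.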
     
    11861186        below.
    11871187        </p><p>
    1188         <a class="indexterm" name="id2601287"></a>
    1189         <a class="indexterm" name="id2601294"></a>
     1188        <a class="indexterm" name="id2595202"></a>
     1189        <a class="indexterm" name="id2595209"></a>
    11901190        The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
    11911191        <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
     
    12011201        </p><p>
    12021202        The following procedure can be used to utilize the idmap_rid facility:
    1203         </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     1203        </p><div class="procedure"><ol type="1"><li><p>
    12041204                Create or install and <code class="filename">smb.conf</code> file with the above configuration.
    1205                 </p></li><li class="step" title="Step 2"><p>
     1205                </p></li><li><p>
    12061206                Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
    1207                 </p></li><li class="step" title="Step 3"><p>
     1207                </p></li><li><p>
    12081208                Execute:
    12091209</p><pre class="screen">
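Review bot: step 1 reads "Create or install and smb.conf file"; "and" should be "an". Nothing else changes in this hunk beyond the dropped class and title attributes on the ol and li elements.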
     
    12131213</pre><p>
    12141214                </p><p>
    1215                 <a class="indexterm" name="id2601375"></a>
     1215                <a class="indexterm" name="id2595290"></a>
    12161216                An invalid or failed join can be detected by executing:
    12171217</p><pre class="screen">
     
    12251225                may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the above test,
    12261226                and then examine the log files produced to identify the nature of the failure.
    1227                 </p></li><li class="step" title="Step 4"><p>
     1227                </p></li><li><p>
    12281228                Start the <code class="literal">nmbd</code>, <code class="literal">winbind,</code> and <code class="literal">smbd</code> daemons in the order shown.
    1229                 </p></li><li class="step" title="Step 5"><p>
     1229                </p></li><li><p>
    12301230                Validate the operation of this configuration by executing:
    1231                 <a class="indexterm" name="id2601442"></a>
     1231                <a class="indexterm" name="id2595357"></a>
    12321232</p><pre class="screen">
    12331233<code class="prompt">root# </code> getent passwd administrator
    12341234administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
    12351235</pre><p>
    1236                 </p></li></ol></div></div><div class="sect3" title="IDMAP Storage in LDAP using Winbind"><div class="titlepage"><div><div><h4 class="title"><a name="id2601464"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
    1237         <a class="indexterm" name="id2601472"></a>
    1238         <a class="indexterm" name="id2601479"></a>
     1236                </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595379"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
     1237        <a class="indexterm" name="id2595387"></a>
     1238        <a class="indexterm" name="id2595394"></a>
    12391239        The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as
    12401240        with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant
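Review bot: in step 4 the daemon binary is winbindd (the init script may be called winbind), and the comma in "winbind," sits inside the literal markup; suggest "winbindd" in the literal and the comma after it. The step 5 output also deserves a sentence of explanation in the text: with the range of Example 7.8 starting at 500, idmap_rid maps Administrator (RID 500) to uid 1000 and Domain Users (RID 513) to gid 1013, exactly as shown. That means the mapped ids begin where many distributions start allocating local user accounts (uid 1000), so the text should tell readers to choose a range that cannot overlap local /etc/passwd and /etc/group allocations. Finally, the home directory "/home/BE/administrator" in that output does not match the KPAK workgroup of Example 7.8, so the sample was evidently captured on a different system; either align it or say so.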
     
    12431243        </p><p>
    12441244        The example in <a class="link" href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">&#8220;Typical ADS Style Domain smb.conf File&#8221;</a> is for an ADS-style domain.
    1245         </p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2601539"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2601551"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2601563"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2601574"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2601586"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2601598"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2601610"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2601622"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2601634"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2601646"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2601658"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2601670"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2601682"></a><em 
class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2601694"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
    1246         <a class="indexterm" name="id2601709"></a>
     1245        </p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2595454"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2595466"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2595478"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595489"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2595501"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2595513"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2595525"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595537"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2595549"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2595561"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2595573"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2595585"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2595597"></a><em 
class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2595609"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
     1246        <a class="indexterm" name="id2595624"></a>
    12471247        In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
    12481248        command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
    12491249        advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in
    1250         <span class="quote">&#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>&#8221;</span> (TOSHARG2).
     1250        &#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>&#8221; (TOSHARG2).
    12511251        </p><p>
    1252         <a class="indexterm" name="id2601740"></a>
    1253         <a class="indexterm" name="id2601747"></a>
    1254         <a class="indexterm" name="id2601754"></a>
     1252        <a class="indexterm" name="id2595655"></a>
     1253        <a class="indexterm" name="id2595662"></a>
     1254        <a class="indexterm" name="id2595669"></a>
    12551255        Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code>
    12561256        file so it has the following contents:
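Review bot: Example 7.9 is rebuilt with no content change, so two settings that deserve a caveat in the text are carried over as-is. "log level = 1 ads:10 auth:10 sam:10 rpc:10" is a troubleshooting setting (the following paragraph calls it advanced error reporting), and level 10 auth and rpc logging is both voluminous and full of authentication material, so the text should say to revert those classes to 1 once the problem is found. "ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM" binds winbind's idmap writes as the directory manager; a dedicated DN whose write access is limited to ou=Idmap would keep the credential that step 7 stores in secrets.tdb from being a full directory-admin secret.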
     
    12911291        .snowshow.com = SNOWSHOW.COM
    12921292</pre><p>
    1293         </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
     1293        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    12941294        Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file.
    12951295        So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
     
    13071307</pre><p>
    13081308        </p><p>
    1309         <a class="indexterm" name="id2601838"></a>
    1310         <a class="indexterm" name="id2601845"></a>
     1309        <a class="indexterm" name="id2595753"></a>
     1310        <a class="indexterm" name="id2595760"></a>
    13111311        You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
    13121312        tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has
     
    13271327        </p><p>
    13281328        The following procedure may be followed to affect a working configuration:
    1329         </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     1329        </p><div class="procedure"><ol type="1"><li><p>
    13301330                Configure the <code class="filename">smb.conf</code> file as shown above.
    1331                 </p></li><li class="step" title="Step 2"><p>
     1331                </p></li><li><p>
    13321332                Create the <code class="filename">/etc/krb5.conf</code> file following the indications above.
    1333                 </p></li><li class="step" title="Step 3"><p>
     1333                </p></li><li><p>
    13341334                Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above.
    1335                 </p></li><li class="step" title="Step 4"><p>
     1335                </p></li><li><p>
    13361336                Download, build, and install the PADL nss_ldap tool set. Configure the
    13371337                <code class="filename">/etc/ldap.conf</code> file as shown above.
    1338                 </p></li><li class="step" title="Step 5"><p>
     1338                </p></li><li><p>
    13391339                Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
    13401340                as shown in the following LDIF file:
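Review bot: the `<ol>` and `<li>` elements of this procedure lose `class="procedure"`, `class="step"` and the `title="Step N"` attributes (for example `<ol class="procedure" type="1"><li class="step" title="Step 1">` becomes `<ol type="1"><li>`). That is the output shape of a different DocBook XSL release; if samba.css carries rules for `ol.procedure` or `li.step`, those rules stop applying and the per-step tooltips disappear. Worth checking that the stylesheet version used for this build is the one the rest of the tree was generated with.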
     
    13561356ou: idmap
    13571357</pre><p>
    1358                 </p></li><li class="step" title="Step 6"><p>
     1358                </p></li><li><p>
    13591359                Execute the command to join the Samba domain member server to the ADS domain as shown here:
    13601360</p><pre class="screen">
     
    13631363Joined 'GOODELF' to realm 'SNOWSHOW.COM'
    13641364</pre><p>
    1365                 </p></li><li class="step" title="Step 7"><p>
     1365                </p></li><li><p>
    13661366                Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows:
    13671367</p><pre class="screen">
    13681368<code class="prompt">root# </code> smbpasswd -w not24get
    13691369</pre><p>
    1370                 </p></li><li class="step" title="Step 8"><p>
     1370                </p></li><li><p>
    13711371                Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
    13721372                </p></li></ol></div><p>
    1373         <a class="indexterm" name="id2602046"></a>
     1373        <a class="indexterm" name="id2595961"></a>
    13741374        Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
    13751375        In many cases a failure is indicated by a silent return to the command prompt with no indication of the
    13761376        reason for failure.
    1377         </p></div><div class="sect3" title="IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension"><div class="titlepage"><div><div><h4 class="title"><a name="id2602059"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
    1378         <a class="indexterm" name="id2602068"></a>
    1379         <a class="indexterm" name="id2602075"></a>
     1377        </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595974"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
     1378        <a class="indexterm" name="id2595983"></a>
     1379        <a class="indexterm" name="id2595990"></a>
    13801380        The use of this method is messy. The information provided in this section is for guidance only
    13811381        and is very definitely not complete. This method does work; it is used in a number of large sites
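Review bot: Step 7 of this hunk (unchanged context) still shows the LDAP bind password given inline, `smbpasswd -w not24get`, right after the domain join output. A password passed on the command line is recorded in the shell history and is visible in the process list while the command runs; since the example text is being regenerated anyway, a sentence noting that the value is a placeholder and that the real password should not be left in history would help readers who copy the step verbatim.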
     
    13831383        </p><p>
    13841384        An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">&#8220;ADS Membership Using RFC2307bis Identity Resolution smb.conf File&#8221;</a>.
    1385         </p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2602138"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id2602149"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id2602161"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2602173"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2602185"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2602196"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2602208"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2602220"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2602232"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602244"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602256"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
    1386         <a class="indexterm" name="id2602271"></a>
     1385        </p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2596053"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id2596064"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id2596076"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2596088"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2596100"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2596111"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2596123"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2596135"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2596147"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2596159"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2596171"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
     1386        <a class="indexterm" name="id2596186"></a>
    13871387        The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
    13881388        to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
     
    13931393</pre><p>
    13941394        </p><p>
    1395         <a class="indexterm" name="id2602292"></a>
     1395        <a class="indexterm" name="id2596207"></a>
    13961396        The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
    13971397</p><pre class="screen">
     
    14051405</pre><p>
    14061406        </p><p>
    1407         <a class="indexterm" name="id2602316"></a>
    1408         <a class="indexterm" name="id2602323"></a>
     1407        <a class="indexterm" name="id2596231"></a>
     1408        <a class="indexterm" name="id2596238"></a>
    14091409        The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation
    14101410        and source code for nss_ldap instructions.
     
    14121412        The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
    14131413        part of this chapter.
    1414         </p><div class="sect4" title="IDMAP, Active Directory, and MS Services for UNIX 3.5"><div class="titlepage"><div><div><h5 class="title"><a name="id2602345"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
    1415                 <a class="indexterm" name="id2602354"></a>
     1414        </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2596260"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
     1415                <a class="indexterm" name="id2596269"></a>
    14161416                The Microsoft Windows Service for UNIX version 3.5 is available for free
    14171417                <a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
    14181418                from the Microsoft Web site. You will need to download this tool and install it following
    14191419                Microsoft instructions.
    1420                 </p></div><div class="sect4" title="IDMAP, Active Directory, and AD4UNIX"><div class="titlepage"><div><div><h5 class="title"><a name="id2602374"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
     1420                </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2596289"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
    14211421                Instructions for obtaining and installing the AD4UNIX tool set can be found from the
    14221422                <a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
    14231423                Geekcomix</a> Web site.
    1424                 </p></div></div></div><div class="sect2" title="UNIX/Linux Client Domain Member"><div class="titlepage"><div><div><h3 class="title"><a name="id2602396"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id2602403"></a>
     1424                </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596311"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id2596318"></a>
    14251425        So far this chapter has been mainly concerned with the provision of file and print
    14261426        services for domain member servers. However, an increasing number of UNIX/Linux
     
    14281428        other than a single desktop user. The key demand for desktop systems is to be able
    14291429        to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
    1430         </p><p><a class="indexterm" name="id2602422"></a>
     1430        </p><p><a class="indexterm" name="id2596337"></a>
    14311431        The ability to use a common set of user credential across a variety of network systems
    14321432        is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a
    14331433        large number of vendors and include a range of technologies such as:
    1434         </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
     1434        </p><div class="itemizedlist"><ul type="disc"><li><p>
    14351435                Proxy sign-on
    1436                 </p></li><li class="listitem"><p>
     1436                </p></li><li><p>
    14371437                Federated directory provisioning
    1438                 </p></li><li class="listitem"><p>
     1438                </p></li><li><p>
    14391439                Metadirectory server solutions
    1440                 </p></li><li class="listitem"><p>
     1440                </p></li><li><p>
    14411441                Replacement authentication systems
    1442                 </p></li></ul></div><p><a class="indexterm" name="id2602464"></a>
     1442                </p></li></ul></div><p><a class="indexterm" name="id2596379"></a>
    14431443        There are really four solutions that provide integrated authentication and
    14441444        user identity management facilities:
    1445         </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
     1445        </p><div class="itemizedlist"><ul type="disc"><li><p>
    14461446                Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now
    14471447                provides a greater level of scalability in large ADS environments.
    1448                 </p></li><li class="listitem"><p>
     1448                </p></li><li><p>
    14491449                <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free).
    1450                 </p></li><li class="listitem"><p>
     1450                </p></li><li><p>
    14511451                <a class="ulink" href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial).
    1452                 </p></li><li class="listitem"><p>
     1452                </p></li><li><p>
    14531453                <a class="ulink" href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial).
    14541454                Centrify's commercial product allows UNIX and Linux systems to use Active Directory
     
    14651465        support via Samba-3.
    14661466        </p><p>
    1467         <a class="indexterm" name="id2602543"></a>
     1467        <a class="indexterm" name="id2596458"></a>
    14681468        On the other hand, if the authentication and identity resolution backend must be provided by
    14691469        a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft
     
    14711471        situations now follows.
    14721472        </p><p>
    1473         <a class="indexterm" name="id2602561"></a>
    1474         <a class="indexterm" name="id2602567"></a>
    1475         <a class="indexterm" name="id2602574"></a>
     1473        <a class="indexterm" name="id2596476"></a>
     1474        <a class="indexterm" name="id2596482"></a>
     1475        <a class="indexterm" name="id2596489"></a>
    14761476        To permit users to log on to a Linux system using Windows network credentials, you need to
    14771477        configure identity resolution (NSS) and PAM. This means that the basic steps include those
     
    14801480        of shares and printers is generally less important. Often this allows the share specifications
    14811481        to be entirely removed from the <code class="filename">smb.conf</code> file. That is obviously an administrator decision.
    1482         </p><div class="sect3" title="NT4 Domain Member"><div class="titlepage"><div><div><h4 class="title"><a name="id2602597"></a>NT4 Domain Member</h4></div></div></div><p>
     1482        </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596512"></a>NT4 Domain Member</h4></div></div></div><p>
    14831483                The following steps provide a Linux system that users can log onto using
    14841484                Windows NT4 (or Samba-3) domain network credentials:
    1485                 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     1485                </p><div class="procedure"><ol type="1"><li><p>
    14861486                        Follow the steps outlined in <a class="link" href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">&#8220;NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind&#8221;</a> and ensure that
    14871487                        all validation tests function as shown.
    1488                         </p></li><li class="step" title="Step 2"><p>
     1488                        </p></li><li><p>
    14891489                        Identify what services users must log on to. On Red Hat Linux, if it is
    14901490                        intended that the user shall be given access to all services, it may be
    14911491                        most expeditious to simply configure the file
    14921492                        <code class="filename">/etc/pam.d/system-auth</code>.
    1493                         </p></li><li class="step" title="Step 3"><p>
     1493                        </p></li><li><p>
    14941494                        Carefully make a backup copy of all PAM configuration files before you
    14951495                        begin making changes. If you break the PAM configuration, please note
     
    14981498                        PAM files are incorrectly configured. The entire directory
    14991499                        <code class="filename">/etc/pam.d</code> should be backed up to a safe location.
    1500                         </p></li><li class="step" title="Step 4"><p>
     1500                        </p></li><li><p>
    15011501                        If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
    15021502                        so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">&#8220;SUSE: PAM login Module Using Winbind&#8221;</a>.
    1503                         </p></li><li class="step" title="Step 5"><p>
     1503                        </p></li><li><p>
    15041504                        To provide the ability to log onto the graphical desktop interface, you must edit
    15051505                        the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
    15061506                        <code class="filename">/etc/pam.d</code> directory.
    1507                         </p></li><li class="step" title="Step 6"><p>
     1507                        </p></li><li><p>
    15081508                        Edit only one file at a time. Carefully validate its operation before attempting
    15091509                        to reboot the machine.
    1510                         </p></li></ol></div></div><div class="sect3" title="ADS Domain Member"><div class="titlepage"><div><div><h4 class="title"><a name="id2602719"></a>ADS Domain Member</h4></div></div></div><p>
     1510                        </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596634"></a>ADS Domain Member</h4></div></div></div><p>
    15111511                This procedure should be followed to permit a Linux network client (workstation/desktop)
    15121512                to permit users to log on using Microsoft Active Directory-based user credentials.
    1513                 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
     1513                </p><div class="procedure"><ol type="1"><li><p>
    15141514                        Follow the steps outlined in <a class="link" href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">&#8220;Active Directory Domain with Samba Domain Member Server&#8221;</a> and ensure that
    15151515                        all validation tests function as shown.
    1516                         </p></li><li class="step" title="Step 2"><p>
     1516                        </p></li><li><p>
    15171517                        Identify what services users must log on to. On Red Hat Linux, if it is
    15181518                        intended that the user shall be given access to all services, it may be
    15191519                        most expeditious to simply configure the file
    15201520                        <code class="filename">/etc/pam.d/system-auth</code> as shown in <a class="link" href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">&#8220;Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind&#8221;</a>.
    1521                         </p></li><li class="step" title="Step 3"><p>
     1521                        </p></li><li><p>
    15221522                        Carefully make a backup copy of all PAM configuration files before you
    15231523                        begin making changes. If you break the PAM configuration, please note
     
    15261526                        PAM files are incorrectly configured. The entire directory
    15271527                        <code class="filename">/etc/pam.d</code> should be backed up to a safe location.
    1528                         </p></li><li class="step" title="Step 4"><p>
     1528                        </p></li><li><p>
    15291529                        If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
    15301530                        so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">&#8220;SUSE: PAM login Module Using Winbind&#8221;</a>.
    1531                         </p></li><li class="step" title="Step 5"><p>
     1531                        </p></li><li><p>
    15321532                        To provide the ability to log onto the graphical desktop interface, you must edit
    15331533                        the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
    15341534                        <code class="filename">/etc/pam.d</code> directory.
    1535                         </p></li><li class="step" title="Step 6"><p>
     1535                        </p></li><li><p>
    15361536                        Edit only one file at a time. Carefully validate its operation before attempting
    15371537                        to reboot the machine.
     
    15881588session     sufficient    /lib/security/$ISA/pam_unix.so
    15891589session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
    1590 </pre></div></div><br class="example-break"></div><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id2602971"></a>Key Points Learned</h3></div></div></div><p>
     1590</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596886"></a>Key Points Learned</h3></div></div></div><p>
    15911591                The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
    15921592                learned how to integrate such servers so that the UID/GID mappings they use can be consistent
     
    15951595                </p><p>
    15961596                The following are key points made in this chapter:
    1597                 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
     1597                </p><div class="itemizedlist"><ul type="disc"><li><p>
    15981598                        Domain controllers are always authoritative for the domain.
    1599                         </p></li><li class="listitem"><p>
     1599                        </p></li><li><p>
    16001600                        Domain members may have local accounts and must be able to resolve the identity of
    16011601                        domain user accounts. Domain user account identity must map to a local UID/GID. That
    16021602                        local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data
    16031603                        across all domain member machines.
    1604                         </p></li><li class="listitem"><p>
     1604                        </p></li><li><p>
    16051605                        Resolution of user and group identities on domain member machines may be implemented
    16061606                        using direct LDAP services or using winbind.
    1607                         </p></li><li class="listitem"><p>
     1607                        </p></li><li><p>
    16081608                        On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management
    16091609                        and PAM is responsible for authentication of logon credentials (username and password).
    1610                         </p></li></ul></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603025"></a>Questions and Answers</h2></div></div></div><p>
     1610                        </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596940"></a>Questions and Answers</h2></div></div></div><p>
    16111611        The following questions were obtained from the mailing list and also from private discussions
    16121612        with Windows network administrators.
    1613         </p><div class="qandaset" title="Frequently Asked Questions"><a name="id2603037"></a><dl><dt> <a href="unixclients.html#id2603043">
     1613        </p><div class="qandaset"><dl><dt> <a href="unixclients.html#id2596958">
    16141614                We use NIS for all UNIX accounts. Why do we need winbind?
    1615                 </a></dt><dt> <a href="unixclients.html#id2603158">
     1615                </a></dt><dt> <a href="unixclients.html#id2597073">
    16161616                Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
    16171617              Which is better?
    1618                 </a></dt><dt> <a href="unixclients.html#id2603242">
     1618                </a></dt><dt> <a href="unixclients.html#id2597157">
    16191619                We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
    16201620                to use NIS in place of LDAP?
    1621                 </a></dt><dt> <a href="unixclients.html#id2603353">
     1621                </a></dt><dt> <a href="unixclients.html#id2597268">
    16221622                Are you suggesting that users should not log on to a domain member server? If so, why?
    1623                 </a></dt><dt> <a href="unixclients.html#id2603481">
     1623                </a></dt><dt> <a href="unixclients.html#id2597396">
    16241624                We want to ensure that only users from our own domain plus from trusted domains can use our
    16251625                Samba servers. In the smb.conf file on all servers, we have enabled the winbind
     
    16271627                cannot access our servers, and users from Windows clients that are not domain members
    16281628                can also access our servers. Is this a Samba bug?
    1629                 </a></dt><dt> <a href="unixclients.html#id2603656">
     1629                </a></dt><dt> <a href="unixclients.html#id2597571">
    16301630                What are the benefits of using LDAP for my domain member servers?
    1631                 </a></dt><dt> <a href="unixclients.html#id2603840">
     1631                </a></dt><dt> <a href="unixclients.html#id2597755">
    16321632                Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
    16331633                my DNS configuration?
    1634                 </a></dt><dt> <a href="unixclients.html#id2603998">
     1634                </a></dt><dt> <a href="unixclients.html#id2597913">
    16351635                Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
    16361636                use Samba-3 with that configuration?
    1637                 </a></dt><dt> <a href="unixclients.html#id2604016">
     1637                </a></dt><dt> <a href="unixclients.html#id2597931">
    16381638                When I tried to execute net ads join, I got no output. It did not work, so
    16391639                I think that it failed. I then executed net rpc join and that worked fine.
    16401640                That is okay, isn't it?
    1641                 </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2603043"></a><a name="id2603046"></a></td><td align="left" valign="top"><p>
     1641                </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2596958"></a><a name="id2596960"></a></td><td align="left" valign="top"><p>
    16421642                We use NIS for all UNIX accounts. Why do we need winbind?
    16431643                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
    1644                 <a class="indexterm" name="id2603057"></a>
    1645                 <a class="indexterm" name="id2603064"></a>
    1646                 <a class="indexterm" name="id2603071"></a>
    1647                 <a class="indexterm" name="id2603078"></a>
    1648                 <a class="indexterm" name="id2603084"></a>
    1649                 <a class="indexterm" name="id2603091"></a>
     1644                <a class="indexterm" name="id2596972"></a>
     1645                <a class="indexterm" name="id2596979"></a>
     1646                <a class="indexterm" name="id2596986"></a>
     1647                <a class="indexterm" name="id2596993"></a>
     1648                <a class="indexterm" name="id2596999"></a>
     1649                <a class="indexterm" name="id2597006"></a>
    16501650                You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted
    16511651                passwords that need to be stored in one of the acceptable passdb backends.
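Review bot: the `<table border="0" ... summary="Q and A Set">` line drops `width="100%"` and the second bare `<col>`, leaving a single `<col align="left" width="1%">` for rows that still contain two `<td>` cells. Browsers tolerate a short column group, but the answer column is no longer described and the table no longer stretches to full width, so the rendered layout of the Questions and Answers section should be compared against the previous build before this goes in.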
     
    16541654                SIDs from trusted domains to local UID/GID values.
    16551655                </p><p>
    1656                 <a class="indexterm" name="id2603118"></a>
    1657                 <a class="indexterm" name="id2603126"></a>
     1656                <a class="indexterm" name="id2597033"></a>
     1657                <a class="indexterm" name="id2597041"></a>
    16581658                On a domain member server, you effectively map Windows domain users to local users
    16591659                that are in your NIS database by specifying the <em class="parameter"><code>winbind trusted domains
     
    16631663                </p><p>
    16641664                As a general rule, it is always a good idea to run winbind on all Samba servers.
    1665                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603158"></a><a name="id2603160"></a></td><td align="left" valign="top"><p>
     1665                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597073"></a><a name="id2597075"></a></td><td align="left" valign="top"><p>
    16661666                Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
    1667               Which is better?<a class="indexterm" name="id2603167"></a>
    1668                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2603181"></a><a class="indexterm" name="id2603192"></a><a class="indexterm" name="id2603200"></a>
     1667              Which is better?<a class="indexterm" name="id2597082"></a>
     1668                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597096"></a><a class="indexterm" name="id2597107"></a><a class="indexterm" name="id2597115"></a>
    16691669                Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos
    16701670                infrastructure. Most IT managers who object to LDAP do so because
     
    16731673                devise the backup and recovery facilities in a site-dependent manner. LDAP servers
    16741674                in general are seen as a high-energy, high-risk facility.
    1675                 </p><p><a class="indexterm" name="id2603220"></a>
     1675                </p><p><a class="indexterm" name="id2597134"></a>
    16761676                Microsoft Active Directory by comparison is easy to install and configure and
    16771677                is supplied with all tools necessary to implement and manage the directory. For sites
     
    16821682                consider the options. On the other hand, if management just wants a solution that works,
    16831683                Microsoft Active Directory is a good solution.
    1684                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603242"></a><a name="id2603244"></a></td><td align="left" valign="top"><p>
     1684                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597157"></a><a name="id2597159"></a></td><td align="left" valign="top"><p>
    16851685                We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
    16861686                to use NIS in place of LDAP?
    1687                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2603256"></a><a class="indexterm" name="id2603264"></a><a class="indexterm" name="id2603272"></a><a class="indexterm" name="id2603280"></a><a class="indexterm" name="id2603288"></a><a class="indexterm" name="id2603296"></a><a class="indexterm" name="id2603304"></a>
     1687                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597171"></a><a class="indexterm" name="id2597179"></a><a class="indexterm" name="id2597187"></a><a class="indexterm" name="id2597195"></a><a class="indexterm" name="id2597203"></a><a class="indexterm" name="id2597211"></a><a class="indexterm" name="id2597218"></a>
    16881688                Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping
    16891689                the Windows (SMB) encrypted passwords database correctly synchronized across the entire
     
    16911691                membership secure account password. How can you keep changes that are on remote BDCs
    16921692                synchronized on the PDC?
    1693                 </p><p><a class="indexterm" name="id2603321"></a><a class="indexterm" name="id2603329"></a><a class="indexterm" name="id2603337"></a>
     1693                </p><p><a class="indexterm" name="id2597236"></a><a class="indexterm" name="id2597244"></a><a class="indexterm" name="id2597252"></a>
    16941694                LDAP is a more elegant solution because it permits centralized storage and management
    16951695                of all network identities (user, group, and machine accounts) together with all information
    16961696                Samba needs to provide to network clients and their users.
    1697                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603353"></a><a name="id2603355"></a></td><td align="left" valign="top"><p>
     1697                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597268"></a><a name="id2597270"></a></td><td align="left" valign="top"><p>
    16981698                Are you suggesting that users should not log on to a domain member server? If so, why?
    1699                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2603367"></a><a class="indexterm" name="id2603375"></a><a class="indexterm" name="id2603386"></a>
     1699                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597282"></a><a class="indexterm" name="id2597290"></a><a class="indexterm" name="id2597301"></a>
    17001700                Many UNIX administrators mock the model that the personal computer industry has adopted
    17011701                as normative since the early days of Novell NetWare. The old
     
    17031703                fears concerning the security and integrity of data. It was a simple and generally
    17041704                effective measure to keep users away from servers, except through mapped drives.
    1705                 </p><p><a class="indexterm" name="id2603411"></a><a class="indexterm" name="id2603419"></a><a class="indexterm" name="id2603427"></a><a class="indexterm" name="id2603435"></a><a class="indexterm" name="id2603442"></a>
     1705                </p><p><a class="indexterm" name="id2597326"></a><a class="indexterm" name="id2597334"></a><a class="indexterm" name="id2597342"></a><a class="indexterm" name="id2597350"></a><a class="indexterm" name="id2597357"></a>
    17061706                UNIX administrators are fully correct in asserting that UNIX servers and workstations
    17071707                are identical in terms of the software that is installed. They correctly assert that
     
    17121712                Only then can one begin to appraise the best strategy and adopt a site-specific
    17131713                policy that best protects the needs of users and of the organization alike.
    1714                 </p><p><a class="indexterm" name="id2603465"></a>
     1714                </p><p><a class="indexterm" name="id2597380"></a>
    17151715                From experience, it is my recommendation to keep general system-level logins to a
    17161716                practical minimum and to eliminate them if possible. This should not be taken as a
    17171717                hard rule, though. The better question is, what works best for the site?
    1718                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603481"></a><a name="id2603483"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2603486"></a><a class="indexterm" name="id2603494"></a><a class="indexterm" name="id2603506"></a><a class="indexterm" name="id2603514"></a>
     1718                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597396"></a><a name="id2597398"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2597401"></a><a class="indexterm" name="id2597409"></a><a class="indexterm" name="id2597421"></a><a class="indexterm" name="id2597429"></a>
    17191719                We want to ensure that only users from our own domain plus from trusted domains can use our
    17201720                Samba servers. In the <code class="filename">smb.conf</code> file on all servers, we have enabled the <em class="parameter"><code>winbind
     
    17221722                cannot access our servers, and users from Windows clients that are not domain members
    17231723                can also access our servers. Is this a Samba bug?
    1724                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2603547"></a><a class="indexterm" name="id2603555"></a><a class="indexterm" name="id2603562"></a><a class="indexterm" name="id2603570"></a><a class="indexterm" name="id2603578"></a><a class="indexterm" name="id2603586"></a>
     1724                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597462"></a><a class="indexterm" name="id2597470"></a><a class="indexterm" name="id2597477"></a><a class="indexterm" name="id2597485"></a><a class="indexterm" name="id2597493"></a><a class="indexterm" name="id2597501"></a>
    17251725                The manual page for this <em class="parameter"><code>winbind trusted domains only</code></em> parameter says,
    1726                 <span class="quote">&#8220;<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled
     1726                &#8220;<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled
    17271727                domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users
    17281728                in the hosts primary domain. Therefore,  the user <code class="constant">SAMBA\user1</code> would be
    17291729                mapped to the account <code class="constant">user1</code> in <code class="filename">/etc/passwd</code> instead
    1730                 of allocating a new UID for him or her.</span>&#8221;</span> This clearly suggests that you are trying
     1730                of allocating a new UID for him or her.</span>&#8221; This clearly suggests that you are trying
    17311731                to use this parameter inappropriately.
    1732                 </p><p><a class="indexterm" name="id2603628"></a>
     1732                </p><p><a class="indexterm" name="id2597542"></a>
    17331733                A far better solution is to use the <em class="parameter"><code>valid users</code></em> by specifying
    17341734                precisely the domain users and groups that should be permitted access to the shares. You could,
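Review bot: the one substantive markup change here is in the quoted manual-page text, where the outer `<span class="quote">` wrapping `&#8220;…&#8221;` and its matching `</span>` after `&#8221;` are both removed; the result is still well-formed, but the curly quotes are now bare text instead of being styled by the `quote` class, so confirm this is the intended output of the stylesheet update and not a regression. While this block is being touched, two source typos in the unchanged context are worth fixing: `distributed vi NIS, rsync, or LDAP` should read `via NIS`, and `hosts primary domain` should read `host's primary domain`.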
     
    17391739        valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
    17401740</pre><p>
    1741                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603656"></a><a name="id2603658"></a></td><td align="left" valign="top"><p>
     1741                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597571"></a><a name="id2597573"></a></td><td align="left" valign="top"><p>
    17421742                What are the benefits of using LDAP for my domain member servers?
    1743                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2603669"></a><a class="indexterm" name="id2603677"></a><a class="indexterm" name="id2603685"></a><a class="indexterm" name="id2603693"></a><a class="indexterm" name="id2603700"></a><a class="indexterm" name="id2603708"></a><a class="indexterm" name="id2603716"></a><a class="indexterm" name="id2603724"></a><a class="indexterm" name="id2603732"></a>
     1743                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597584"></a><a class="indexterm" name="id2597592"></a><a class="indexterm" name="id2597600"></a><a class="indexterm" name="id2597608"></a><a class="indexterm" name="id2597615"></a><a class="indexterm" name="id2597623"></a><a class="indexterm" name="id2597631"></a><a class="indexterm" name="id2597639"></a><a class="indexterm" name="id2597647"></a>
    17441744                The key benefit of using LDAP is that the UID of all users and the GID of all groups
    17451745                are globally consistent on domain controllers as well as on domain member servers.
    17461746                This means that it is possible to copy/replicate files across servers without
    17471747                loss of identity.
    1748                 </p><p><a class="indexterm" name="id2603748"></a><a class="indexterm" name="id2603756"></a><a class="indexterm" name="id2603764"></a><a class="indexterm" name="id2603772"></a><a class="indexterm" name="id2603780"></a><a class="indexterm" name="id2603788"></a><a class="indexterm" name="id2603799"></a><a class="indexterm" name="id2603807"></a>
     1748                </p><p><a class="indexterm" name="id2597663"></a><a class="indexterm" name="id2597671"></a><a class="indexterm" name="id2597679"></a><a class="indexterm" name="id2597687"></a><a class="indexterm" name="id2597695"></a><a class="indexterm" name="id2597703"></a><a class="indexterm" name="id2597714"></a><a class="indexterm" name="id2597722"></a>
    17491749                When use is made of account identity resolution via winbind, even when an IDMAP backend
    17501750                is stored in LDAP, the UID/GID on domain member servers is consistent, but differs
     
    17531753                idmap uid/gid</code></em> in the <code class="filename">smb.conf</code> file. On domain controllers, the UID/GID is
    17541754                that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.
    1755                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603840"></a><a name="id2603842"></a></td><td align="left" valign="top"><p>
     1755                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597755"></a><a name="id2597757"></a></td><td align="left" valign="top"><p>
    17561756                Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
    17571757                my DNS configuration?
    1758                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2603853"></a><a class="indexterm" name="id2603865"></a><a class="indexterm" name="id2603876"></a><a class="indexterm" name="id2603884"></a><a class="indexterm" name="id2603892"></a><a class="indexterm" name="id2603899"></a><a class="indexterm" name="id2603907"></a>
     1758                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597768"></a><a class="indexterm" name="id2597780"></a><a class="indexterm" name="id2597791"></a><a class="indexterm" name="id2597798"></a><a class="indexterm" name="id2597806"></a><a class="indexterm" name="id2597814"></a><a class="indexterm" name="id2597822"></a>
    17591759                Samba depends on correctly functioning resolution of hostnames to their IP address. Samba
    17601760                makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the
     
    17691769                If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a
    17701770                WINS lookup.
    1771                 </p><p><a class="indexterm" name="id2603962"></a><a class="indexterm" name="id2603970"></a><a class="indexterm" name="id2603978"></a>
     1771                </p><p><a class="indexterm" name="id2597877"></a><a class="indexterm" name="id2597885"></a><a class="indexterm" name="id2597892"></a>
    17721772                The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has
    17731773                been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS
     
    17761776                case, the Windows 200x autoregisters all locator records it needs with its own DNS
    17771777                server or servers.
    1778                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2603998"></a><a name="id2604000"></a></td><td align="left" valign="top"><p>
     1778                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597913"></a><a name="id2597915"></a></td><td align="left" valign="top"><p>
    17791779                Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
    17801780                use Samba-3 with that configuration?
    17811781                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
    17821782                Yes.
    1783                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2604016"></a><a name="id2604018"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2604022"></a><a class="indexterm" name="id2604036"></a>
     1783                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597931"></a><a name="id2597933"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2597936"></a><a class="indexterm" name="id2597951"></a>
    17841784                When I tried to execute net ads join, I got no output. It did not work, so
    17851785                I think that it failed. I then executed net rpc join and that worked fine.
    17861786                That is okay, isn't it?
    1787                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2604060"></a><a class="indexterm" name="id2604068"></a>
     1787                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2597975"></a><a class="indexterm" name="id2597982"></a>
    17881788                No. This is not okay. It means that your Samba-3 client has joined the ADS domain as
    17891789                a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.