Date: Mon, 22 Sep 2014 13:54:07 +0200 From: Johan Hendriks <joh.hendriks@gmail.com> To: Victor Sudakov <vas@mpeks.tomsk.su> Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD + winbindd success stories? Message-ID: <54200DDF.8080503@gmail.com> In-Reply-To: <20140922112546.GA97150@admin.sibptus.tomsk.ru> References: <20140922104923.GA96132@admin.sibptus.tomsk.ru> <54200365.9090208@gmail.com> <20140922111356.GA96700@admin.sibptus.tomsk.ru> <20140922112546.GA97150@admin.sibptus.tomsk.ru>
Op 22-09-14 om 13:25 schreef Victor Sudakov:
> Victor Sudakov wrote:
>>> I use samba in our domain from
>>> version samba 3.0 to 4.1 and I have no problems.
>> Could you please show your smb.conf (the part relevant to winbind
>> operation) and nsswitch.conf ?
> And also, where do you keep the nss_winbind.so.1 library?
> Mine is in /usr/local/lib/nss_winbind.so.1 by default, is it possible
> that the NSS subsystem does not see it there?
>

This is my samba4 config /usr/local/etc/smb4.conf

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
server role = member server
interfaces = 192.168.1.11
bind interfaces only = yes
dns forwarder = 192.168.1.87
debug uid = yes
debug hires timestamp = yes
ea support = yes
inherit acls = yes
csc policy = disable
store dos attributes = yes
dos filemode = no
map read only = no
map untrusted to domain = yes
printcap name = /etc/printcap
disable spoolss = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
template shell = /usr/local/bin/bash
template homedir = /usr/home/%U
winbind use default domain = yes
winbind cache time = 300
winbind nested groups = yes
winbind separator = |
winbind offline logon = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = yes
allow trusted domains = yes
idmap config * : backend = tdb
idmap config * : range = 1200 - 4999
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000 - 1000000
idmap config MYDOMAIN-TRUST:backend = rid
idmap config MYDOMAIN-TRUST:range = 1000001 - 1200000
# NOTE(review): "max protocol" is a synonym for "server max protocol", so one
# of these two lines is redundant. Capping the server at SMB2 also rules out
# SMB3 features such as transport encryption.
max protocol = SMB2
server max protocol = SMB2
getwd cache = yes
strict locking = no
write cache size = 2097152
min receivefile size=16384
map acl inherit = yes
# NOTE(review): in [global] this applies to every share, and the listed
# accounts perform all file operations as root. Scoping it to the shares that
# need it is safer. "administator" looks like a misspelling of
# "administrator"; confirm.
admin users = @MYDOMAIN|administator, administrator, "@domain admins", "@MYDOMAIN|domain admins"
write list = "@MYDOMAIN|domain users" "@domain users"
obey pam restrictions = yes

#####################################################################
my /etc/nsswitch.conf

group: files winbind
#group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
#passwd_compat: nis
shells: files
services: files
# services_compat: nis
protocols: files
rpc: files

####################################################################
My /etc/krb5.conf

[appdefaults]
pam = {
    forwardable = true
    krb4_convert = false
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
}

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = MYDOMAIN.LOCAL

[logging]
default = SYSLOG:INFO:LOCAL7

# NOTE(review): the krb5.conf section for host-to-realm mapping is named
# [domain_realm]; a section called [domain_realms] is probably ignored, which
# would leave realm mapping to dns_lookup_realm = true above. Confirm.
[domain_realms]
MYDOMAIN.LOCAL = MYDOMAIN.LOCAL
.MYDOMAIN.LOCAL = MYDOMAIN.LOCAL

#################################################################
In /etc/resolv.conf, use the IP address of the domain controller as the DNS server.

# Generated by resolvconf
search mydomain.local
nameserver 192.168.1.87

####################################################################
beasty ~ # locate winbind.so.1
/usr/local/lib/nss_winbind.so.1
beasty ~ #

From the command line

beasty ~ # id testuser
uid=13815(testuser) gid=10513(domain users) groups=10513(domain users),13890(group2),13801(group3),13617(group4),1201(BUILTIN|users)
beasty ~ #

Hope this helps.

regards