From: Johan Hendriks
Date: Mon, 22 Sep 2014 13:54:07 +0200
Message-ID: <54200DDF.8080503@gmail.com>
To: Victor Sudakov
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD + winbindd success stories?

On 22-09-14 at 13:25, Victor Sudakov wrote:
> Victor Sudakov wrote:
>>> I use samba in our domain from
>>> version samba 3.0 to 4.1 and I have no problems.
>> Could you please show your smb.conf (the part relevant to winbind
>> operation) and nsswitch.conf ?
> And also, where do you keep the nss_winbind.so.1 library?
> Mine is in /usr/local/lib/nss_winbind.so.1 by default, is it possible
> that the NSS subsystem does not see it there?
>

This is my samba4 config /usr/local/etc/smb4.conf

[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.LOCAL
   security = ADS
   server role = member server
   interfaces = 192.168.1.11
   bind interfaces only = yes
   dns forwarder = 192.168.1.87
   debug uid = yes
   debug hires timestamp = yes
   ea support = yes
   inherit acls = yes
   csc policy = disable
   store dos attributes = yes
   dos filemode = no
   map read only = no
   map untrusted to domain = yes
   printcap name = /etc/printcap
   disable spoolss = yes
   nsupdate command = /usr/local/bin/samba-nsupdate -g
   template shell = /usr/local/bin/bash
   template homedir = /usr/home/%U
   winbind use default domain = yes
   winbind cache time = 300
   winbind nested groups = yes
   winbind separator = |
   winbind offline logon = yes
   winbind enum users = no
   winbind enum groups = no
   winbind refresh tickets = yes
   allow trusted domains = yes
   idmap config * : backend = tdb
   idmap config * : range = 1200 - 4999
   idmap config MYDOMAIN:backend = rid
   idmap config MYDOMAIN:range = 10000 - 1000000
   idmap config MYDOMAIN-TRUST:backend = rid
   idmap config MYDOMAIN-TRUST:range = 1000001 - 1200000
   max protocol = SMB2
   server max protocol = SMB2
   getwd cache = yes
   strict locking = no
   write cache size = 2097152
   min receivefile size=16384
   map acl inherit = yes
   admin users = @MYDOMAIN|administator, administrator, "@domain admins", "@MYDOMAIN|domain admins"
   write list = "@MYDOMAIN|domain users" "@domain users"
   obey pam restrictions = yes

#####################################################################

My /etc/nsswitch.conf

group: files winbind
#group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
#passwd_compat: nis
shells: files
services: files
# services_compat: nis
protocols: files
rpc: files

####################################################################

My /etc/krb5.conf

[appdefaults]
    pam = {
        forwardable = true
        krb4_convert = false
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
    }

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = yes
    default_realm = MYDOMAIN.LOCAL

[logging]
    default = SYSLOG:INFO:LOCAL7

[domain_realms]
    MYDOMAIN.LOCAL = MYDOMAIN.LOCAL
    .MYDOMAIN.LOCAL = MYDOMAIN.LOCAL

#################################################################

Use the IP address of the domain controller as the DNS server in /etc/resolv.conf.

# Generated by resolvconf
search mydomain.local
nameserver 192.168.1.87

####################################################################

beasty ~ # locate winbind.so.1
/usr/local/lib/nss_winbind.so.1
beasty ~ #

From the command line

beasty ~ # id testuser
uid=13815(testuser) gid=10513(domain users) groups=10513(domain users),13890(group2),13801(group3),13617(group4),1201(BUILTIN|users)
beasty ~ #

Hope this helps.

regards