Active directory integration not working properly with winbind and samba
Posted
by
tubaguy50035
on Server Fault
See other posts from Server Fault
or by tubaguy50035
Published on 2012-10-15T20:14:40Z
Indexed on
2012/10/15
21:39 UTC
Read the original article
Hit count: 420
I'm trying to get my linux box to use active directory authentication. I believe I have almost everything setup correctly. I'm able to issue wbinfo -g
and wbinfo -u
and see all the groups and users respectively.
Brief intro to my setup:
The username I use on my linux box to do admin things is nick
. My active directory username is nwalke
. They have two different passwords. I am able to log in to the box with nick
and that user's password and I'm also able to login as nwalke
with nwalke
's password.
The curious bit:
Upon creating the active directory user's home directory, I run a script that requires root access. This is to setup some system wide things like a samba share for them. When I log in as nwalke
, I enter my nwalke
password and it succeeds. I'm then greeted with [sudo] password for nick:
. If I enter my nwalke
password here, it says Sorry, try again.
. If I enter nick
's password, it says Sorry, user nick is not allowed to execute scriptname as root
.
If I do groups
as nwalke
, I see that magically my user has been given the group nick
.
Now, I accidentally thought that nick
had a UID of 100, not 1000. So originally in my smb.conf
I had idmap uid 1000-10000
. The only thing I can think of, is that I logged in with nwalke
while that was still set and now I'm just being presented with a UID of 1000 forcing linux to think I'm nick
.
I'm not really sure where to go from here. Like I said, I'm fairly certain active directory is communicating with my server properly, but something must not be mapped right on the linux side.
Any thoughts?
Here is my smb.conf
:
[global]
security = ads
netbios name = hostname
realm = COMPANY.COM
password server = adshost.company.com
workgroup = COMPANY
idmap uid = 10000-90000
idmap gid = 10000-90000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Let me know if more information about something is required.
© Server Fault or respective owner