Samba PDC with LDAP-backend. Fedora Core 5. Authenticating many W2K & XP workstations (as NT Domain members), lots of users and also other stuff (using LDAP backend directly) with no problems. Also serving files and printers.
Experimenting with using Linux workstation in the mix.
Using Ubuntu 6.06 LTS, really easy to set up in a simple configuration, but proper Samba PDC interoperability is a major pain in the back.
I am able to join the Ubuntu client to the domain, and see all shares and connect to a printer. However, I REALLY need to authenticate the domain user right in the X login, and not every time I try to access shares, imap or whatever. So I want it to be just like logging in to a real NT domain using any workstation.
So I need winbind, right? This was also very easy to set up when I did it way back in a real NT domain, using an FC3 machine as a client. Set up smb.conf, ran authconfig and that was it. But I cannot get this to work in Ubuntu using the Samba LDAP PDC as an NT Domain, no matter what I do.
I have basically followed these instructions:
They make perfect sense to me, but getent passwd and getent groups show only the client's local users and groups. wbinfo -g tells me there is an error looking up groups, which figures. Nothing appears in the log files. So, I've forgotten something, big deal.
But the weird thing is this:
"wbinfo -u" DOES show domain users. The listing itself is also a bit weird: sometimes the domain name is included, sometimes not. When the domain name is shown, the winbind separator is not respected, but there is always a letter w as a separator.
When I do "net groupmap list", the domain groups are shown, but the SID in them is the Ubuntu client's SID, and not the domain's. Also, they are mapped to group -1, and I cannot map them manually to locally created groups, because of the SID issue.
If I use the Samba PDC's LDAP backend directly, without winbind, user authentication works fine. I can see all the domain users and groups using getent, and I can log in as any of them using ssh or text console, and access all the samba resources as that user. But this setup does not allow gdm login! I get the error "user group not found".
So where should I look for clues on how to solve this?
I don't mind giving up winbind and using LDAP directly, but the optimal solution would be winbind, just because it is driving me crazy that it worked so easily against a real NT domain. I can't stand the idea that Linux-Windows interoperability is so easy, and Linux-Linux so difficult :-)
I have tried to avoid the most common pitfalls in setup as follows:
- nscd is NOT running on any machine that is running winbind
- I checked that all the names resolve fine and servers and clients all see each other.
- I have deleted the cache in /var/cache/samba, which just causes the domain name to briefly appear in the wbinfo -u listing, nothing else.
- winbind settings are exactly as stated in the URL above. I have experimented with explicitly stating the idmap backend as my ldap server (which is not in the instructions), but it makes no difference.
- Samba versions are newest that come with the distributions, FC5 is 3.0.23, Ubuntu 3.0.14.
Any help would be greatly appreciated. Also, if I have explained this in too complicated a manner or left out something vital, please let me know and I'll revise my question.
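The post's key symptom is that "net groupmap list" on the client reports group mappings carrying the client's own SID rather than the domain SID, all mapped to -1. The following is an added diagnostic helper, not code from the post or from Samba: it parses "net groupmap list" output line by line, counts mappings whose SID prefix does not match the expected domain SID, and counts mappings that are still unmapped (-> -1). The output format assumed ("<group> (<SID>) -> <unix group>") is that of Samba 3.0.x; the sample lines at the bottom are constructed, and the expected domain SID is assumed to be obtained from "net getdomainsid" on the PDC (with "net getlocalsid" on the client giving the SID you do not want to see).

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original post). Assumes the
# Samba 3.0.x "net groupmap list" line format:
#   <group name> (<SID>) -> <unix group or -1>

# Strip the trailing RID from a SID:
#   S-1-5-21-a-b-c-512  ->  S-1-5-21-a-b-c   (the domain/machine SID)
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Parse one groupmap line and print "<SID> <unix group>"; prints nothing
# for lines that do not match the expected format.
parse_groupmap_line() {
    printf '%s\n' "$1" | sed -n 's/^.*(\(S-[0-9-]*\)) -> \(.*\)$/\1 \2/p'
}

# Read groupmap lines from stdin and print how many carry a SID that does
# not belong to the expected domain SID given as $1. A non-zero result with
# winbind configured means the client is mapping its own local SID, which is
# the symptom described in the post.
count_foreign_sids() {
    expected="$1"
    n=0
    while IFS= read -r line; do
        set -- $(parse_groupmap_line "$line")
        [ -n "$1" ] || continue
        if [ "$(sid_prefix "$1")" != "$expected" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Read groupmap lines from stdin and print how many are still unmapped
# (unix group "-1"), i.e. groups that cannot yet be used for gdm/NSS logins.
count_unmapped() {
    n=0
    while IFS= read -r line; do
        set -- $(parse_groupmap_line "$line")
        if [ "$2" = "-1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample output, standing in for "net groupmap list" on a client
# whose first two mappings carry the domain SID and the third a foreign one.
sample_groupmap() {
    printf '%s\n' \
        "Domain Admins (S-1-5-21-111-222-333-512) -> -1" \
        "Domain Users (S-1-5-21-111-222-333-513) -> users" \
        "Domain Guests (S-1-5-21-444-555-666-514) -> -1"
}

# Live usage on the client (assumes Samba's "net" tool is installed):
#   domain_sid=S-1-5-21-...          # value printed by "net getdomainsid" on the PDC
#   net groupmap list | count_foreign_sids "$domain_sid"
#   net groupmap list | count_unmapped
if [ -n "$1" ] && command -v net >/dev/null 2>&1; then
    echo "foreign SIDs: $(net groupmap list | count_foreign_sids "$1")"
    echo "unmapped:     $(net groupmap list | count_unmapped)"
fi
```

Run it with the expected domain SID as the only argument on the winbind client; a foreign-SID count greater than zero confirms that the mappings were created against the client's local SID (compare with "net getlocalsid"), and the unmapped count shows how many domain groups NSS and gdm still cannot resolve.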