How to fix a bad join to an NT domain where winbind is used (along with SWAT and webmin).
OS: CentOS 4.0
Domain: NT4
1. I went into webmin and deselected all synch options:
Quote:
Configure automatic Unix and Samba user synchronisation
Configure automatic Unix and Samba group synchronisation
2. I stopped the samba and winbind services via webmin/other/command shell:
Code:
# "service ... stop" actually stops the daemons; pkill -HUP only makes a running smbd/winbindd reload its config
service smb stop
service winbind stop
3. I followed the instructions in this post to delete secrets.tdb and smbpasswd from /etc/samba:
http://www.justlinux.com/forum/show...threadid=118920
A. I went to /etc/samba and deleted secrets.tdb.
Quote:
Step B. below was missing from the thread above
B. Go to /var/cache/samba and rename or delete winbindd_idmap.tdb. I actually renamed everything in that directory and so far I haven't observed any issues from doing that.
C. I went to server manager on my Windows box (or Hyena) and deleted the account for this linux server.
4. I changed my smb.conf lines:
Code:
winbind trusted domains only = no
Rest of smb.conf is at bottom.
5. I then followed the instructions in the Webmin "How To" to rejoin the domain:
http://us3.samba.org/samba/docs/man/...n/winbind.html
A. Join domain, this is samba 3.x so I used this command:
Code:
net rpc join -S WATTO -Usvc-samba%password
B. Started winbind daemon:
Code:
service winbind start
or
C. Followed the author's instructions to ensure winbindd was running.
D. Tested to see if domain users were read.
OK so far, as I saw all my users scroll by on the screen in this form:
Quote:
STARWARS\User1 ... STARWARS\UserN
E. Tested to see if groups from the domain were read.
OK so far. Again I saw my groups in the proper format:
Quote:
STARWARS\Group1 ... STARWARS\GroupN
F. Set up unified passwords and groups so that I could use my NT domain users and groups when assigning share permissions in webmin/swat (samba).
Code:
getent passwd
getent group
When I executed those commands I could clearly see the descriptions I had entered for my users scroll by in the output. For the group command, I saw that my group names and the members within them were read. This is looking promising at this point.
Sample from the group command:
Quote:
STARWARS\AdminDocAccess:x:16777217:STARWARS\Pam,STARWARS\Jane,STARWARS\Charlena...
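As an added example that is not part of the original post, here is a small POSIX shell script that checks the getent output from step F the way a reviewer would: it counts the entries carrying the STARWARS\ prefix (those came through winbind) and flags any uid or gid outside the idmap uid / idmap gid range of 10000-20000 from the smb.conf below, since winbind could not have allocated such an id from that range. The sample lines are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check winbind's getent
# output against the idmap range in smb.conf. Uses constructed sample lines so
# it runs offline; on a joined host feed it real `getent passwd` / `getent group`.
DOMAIN="STARWARS"
IDMAP_LOW=10000
IDMAP_HIGH=20000

# Constructed samples in the DOMAIN\name:x:id:... format winbind produces.
SAMPLE_PASSWD='STARWARS\User1:x:10001:10000:User One:/home/STARWARS/user1:/bin/bash
STARWARS\User2:x:10002:10000:User Two:/home/STARWARS/user2:/bin/bash
root:x:0:0:root:/root:/bin/bash'
SAMPLE_GROUP='STARWARS\AdminDocAccess:x:16777217:STARWARS\Pam,STARWARS\Jane
STARWARS\DomainUsers:x:10000:STARWARS\User1,STARWARS\User2
wheel:x:10:root'

# count_domain_entries DOMAIN  (reads getent lines on stdin)
# Prints how many entries carry the DOMAIN\ prefix, i.e. were resolved by winbind.
count_domain_entries() {
    awk -F: -v d="$1\\\\" 'index($1, d) == 1 { n++ } END { print n + 0 }'
}

# out_of_range DOMAIN LOW HIGH  (reads getent lines on stdin)
# Prints name:id for DOMAIN entries whose uid/gid (field 3) lies outside
# LOW..HIGH; winbind cannot have allocated such an id from that range.
out_of_range() {
    awk -F: -v d="$1\\\\" -v lo="$2" -v hi="$3" \
        'index($1, d) == 1 && ($3 < lo || $3 > hi) { print $1 ":" $3 }'
}

# Run both checks over the samples (swap in real getent output on a joined host).
report() {
    echo "domain users resolved:  $(printf '%s\n' "$SAMPLE_PASSWD" | count_domain_entries "$DOMAIN")"
    echo "domain groups resolved: $(printf '%s\n' "$SAMPLE_GROUP" | count_domain_entries "$DOMAIN")"
    echo "ids outside idmap range $IDMAP_LOW-$IDMAP_HIGH:"
    printf '%s\n' "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | out_of_range "$DOMAIN" "$IDMAP_LOW" "$IDMAP_HIGH"
}
report
```

Local accounts such as root and wheel are ignored by both checks because they lack the domain prefix.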
6. Next I started the samba service.
7. Then I tested it from the NT box that was giving me problems before.
It worked!
I was not prompted for a password over and over again. Nor did I even have to supply a password, it just displayed the shares I had setup.
Short smb.conf
Code:
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2005/06/14 15:22:22
# Global parameters
[global]
workgroup = STARWARS
netbios aliases = C3PO
server string = C3PO (10.10.1.205)
security = DOMAIN
password server = 10.10.1.201, 10.10.1.106
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/%m.log
max log size = 50
smb ports = 139 445
name resolve order = wins host lmhosts bcast
server signing = auto
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 10.10.1.201, 10.10.1.207, 10.10.1.111
ldap ssl = no
default service = files
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
admin users = aka-linlu, aka-pam, aka-jane
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
available = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
available = No
[files]
comment = Admin transfer
path = /shares/files
read only = No
Unfortunately this is not yet finished: I can read all I want, but I can't write to my files share with an account that is not listed under admin users in my smb.conf.
I'm getting closer!
See below for fixes.