LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-14-2005, 09:26 AM   #1
jpb@bg
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Rep: Reputation: 0
Samba + Winbind + cry for help


Hi all,

I am trying to set up a handful of samba boxes as print servers on an NT network. Currently, we're using NT4 as the PDC and I need to use CUPS to authenticate and allocate quotas to users.

Without Winbind I have no problem getting the printers working but cannot control access and use to users so I decided to try Winbind. So far I've followed the instructions shown at the link below:

info.ccone.at/INFO/Samba/winbind.html

smb.conf is shown here:

#=================== smb.conf start=====================
[global]

workgroup = SCHOOL
netbios name = h2-lptserver
server string = Samba Server %v
printcap name = cups
load printers = yes
printer admin = @"Domain Admins"
log file = /var/log/samba/log.%m
max log size = 50
log level = 5
map to guest = bad user
security = domain
password server = NTServer
encrypt passwords = yes

idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = \
winbind use default domain = yes
template homedir = /home/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
local master = no
preferred master = no

add user script = /usr/sbin/useradd -s /bin/false '%u'
delete user script = /usr/sbin/userdel '%s'
add user to group script = /usr/bin/gpasswd -a '%u' '%g'
delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
set primary group script = /usr/sbin/usermod -g '%g' '%u'
add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'
delete group script = /usr/sbin/groupdel '%g'

name resolve order = bcast
dns proxy = no


#================== Share Definitions =====================
[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printer admin = school\bm, school\ew, school\jpb, root, @"Domain Admins"
guest ok = yes
writable = no
printable = yes
create mode = 0700

# print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
use client driver = yes


[print$]
path = /var/lib/samba/printers
browseable = yes
write list = @adm root
guest ok = yes
inherit permissions = yes
write list = @"Domain Admins" root
force group = +@"Domain Admins"

=====================smb.conf end ==============================


/etc/pam.d/system-auth-winbind conf is here:

============================================================

#%PAM-1.0

auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so

=============================================================

Now, here's the fun bit.

When I run wbinfo passwd I get a list of all the users on the NTserver domain. If I hash out use default domain I get SCHOOL\<username> which suggests it's working fine.

getent passwd produces the following (small chunk shown for demo):

test:x:11169:10000:test:/home/SCHOOL/test:/bin/bash
test1:x:11170:10000:test1:/home/SCHOOL/test1:/bin/bash
test2:x:11171:10000:test2:/home/SCHOOL/test2:/bin/bash


suggesting that that's worked fine as well. If I try to change permissions on a file to a domain user e.g.:

chown SCHOOL\test test-file

I get:

chown: 'SCHOOLtest' : invalid user

I can't get into any of the accounts via ssh etc. or set permissions on any files. I tried just using the username with the SCHOOL\ removed with use default domain enabled but I get the same result.

Any help on this is greatly appreciated.

Thanks,

Jools
 
Old 03-14-2005, 10:35 AM   #2
cowanrl
Member
 
Registered: Dec 2004
Location: Western Pennsylvania, USA
Distribution: Red Hat
Posts: 150

Rep: Reputation: 15
Here's a couple of articles that might help you.

To make your Samba server a member server of the domain.

http://www.justlinux.com/forum/showt...hreadid=118920


Once that's all tested and you're sure it's working properly, check out this one to add winbind

http://www.justlinux.com/forum/showt...hreadid=118512

I suggest you set up and test your domain membership thoroughly before you attempt to add winbind.
 
Old 03-16-2005, 03:19 AM   #3
jpb@bg
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Original Poster
Rep: Reputation: 0
One of those things........

Thanks for those links, they helped a lot.

This is primarily because I wasn't sure what was supposed to happen (never used Winbind before).
Anyway, the irony of this is that it's actually working and doing exactly what it should. The problems I'm having are purely down to permissions which, as I have "use default domain" are no different to manipulate than standard UNIX.

Oh how we live and learn

Many thanks again, all the best,


Jools
 
Old 03-16-2005, 04:22 AM   #4
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Quote:
suggesting that that's worked fine as well. If I try to change permissions on a file to a domain user e.g.:

chown SCHOOL\test test-file
I get:
chown: 'SCHOOLtest' : invalid user
In bash, the whack "\" has special meaning - treat the next character literally. i.e. No filename expansion, etc... So using your example posted above, you changed owner to SCHOOLtest, not SCHOOL\test (as the error states).

With the above in mind - to change permissions on a command line using the whack character, you would use:

chown SCHOOL\\test test-file

The second whack is treated literally by bash and passed to chown as SCHOOL\test.
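
The quoting behaviour described in the reply above, as an added example that is not part of the original thread: it shows what a command actually receives for each way of writing `SCHOOL\test`, and wraps `chown` so the name is built without relying on the caller's quoting and is resolved through NSS first. The function names `received`, `winbind_name` and `chown_domain_user` are hypothetical; `SCHOOL` and `test` are the domain and user from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): shell quoting vs. the winbind separator.

# Return the single argument exactly as a command would receive it.
received() { printf '%s' "$1"; }

# Build DOMAIN\user inside the function, so the caller never has to
# escape the backslash on the command line.
winbind_name() { printf '%s\\%s' "$1" "$2"; }

# chown to a domain user only if the name resolves through NSS (winbind).
# A name mangled by quoting, or a winbind that is not answering, fails
# here with a clear message instead of chown's "invalid user".
chown_domain_user() {
    owner=$(winbind_name "$1" "$2")
    if ! id "$owner" >/dev/null 2>&1; then
        printf 'cannot resolve %s via NSS\n' "$owner" >&2
        return 1
    fi
    chown -- "$owner" "$3"
}

# What each spelling delivers to the command:
printf 'unquoted        : %s\n' "$(received SCHOOL\test)"     # backslash eaten
printf 'doubled         : %s\n' "$(received SCHOOL\\test)"    # one backslash kept
printf 'single-quoted   : %s\n' "$(received 'SCHOOL\test')"   # kept verbatim
printf 'double-quoted   : %s\n' "$(received "SCHOOL\test")"   # kept: \t is not special here
printf 'built by helper : %s\n' "$(winbind_name SCHOOL test)"
```

On a joined host the wrapper would be called as `chown_domain_user SCHOOL test test-file`.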
 
  

