I just got our IT guy to add my openSUSE box to the ActiveDirectory. Before I used user security in Samba and had to add users to my database to provide user auth to shares. I have a Win machine next to me, I use the same username and password (identity) on this machine as on SUSE. Before I could access my home share from the Win machine and read/write accordingly (user access for Win was seen as same as from local). Since changing to AD all the files created by the Windows machine in my SUSE shares are "user = DOMAIN/user" and "group = DOMAIN/domain users"; this is great - except that my SUSE login still writes the files as plain user no domain suffix?
Is there any way to change DOMAIN/user accesses to just plain user? Or other way around, get my SUSE login to use DOMAIN suffix?
ps, the SUSE manual says that I should get a different "domain" login page at restart after AD membership - I don't get it in gdm or kdm.
E-Mail disclaimer: http://www.sunspace.co.za/emaildisclaimer.htm
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Sunday 04 March 2007, Hans van der Merwe wrote:
except that my SUSE login still writes the files as plain user no domain suffix?
What? Writes what files?
-- _____________________________________ John Andersen
On Mon, 2007-03-05 at 00:29 -0900, John Andersen wrote:
On Sunday 04 March 2007, Hans van der Merwe wrote:
except that my SUSE login still writes the files as plain user no domain suffix?
What? Writes what files?
-- _____________________________________ John Andersen
Ok, sorry, was bit hurried last time. When I login at my Win machine and navigate to my home dir on the Suse machine and create files it creates it with uid = DOMAIN\user. When I login at my Suse machine directly and create files in that session it creates files with uid = user, no DOMAIN suffix. How do I login to the domain on my SUSE box?
On Monday 05 March 2007, Hans van der Merwe wrote:
On Mon, 2007-03-05 at 00:29 -0900, John Andersen wrote:
On Sunday 04 March 2007, Hans van der Merwe wrote:
except that my SUSE login still writes the files as plain user no domain suffix?
What? Writes what files?
-- _____________________________________ John Andersen
Ok, sorry, was bit hurried last time. When I login at my Win machine and navigate to my home dir on the Suse machine and create files it creates it with uid = DOMAIN\user. When I login at my Suse machine directly and create files in that session it creates files with uid = user, no DOMAIN suffix. How do I login to the domain on my SUSE box?
It might be helpful if you posted the numeric uids, because I have no clue how you attach a domain suffix to a uid. Usually the samba setup controls the uid/gid of file creation, and to the best of my knowledge it can not circumvent Linux permissions.
-- _____________________________________ John Andersen
If 'ls -l' shows you that some files are from "DOMAIN\user" and others are from "user", it seems to me that these are two different users.
Most probable possibility: you have one user 'user' in local system and one with the same name in your system.
could you please verify it? run as root: getent passwd and see whether you'll get 'user' and 'DOMAIN\user'
Best regards,
-- Lukas Lipavsky, QA Developer Key fingerprint = 5BEB 6AF2 9653 638E EC0E 7E73 9A11 2BC5 FF55 774A
---------------------------------------------------
SUSE LINUX, s.r.o. e-mail: llipavsky@suse.cz Lihovarska 1060/12 tel: +420 284 028 969 190 00 Prague 9 Czech Republic
---------------------------------------------------
On Mon, 5 March 2007, Hans van der Merwe wrote:
I just got our IT guy to add my openSUSE box to the ActiveDirectory. Before I used user security in Samba and had to add users to my database to provide user auth to shares. I have a Win machine next to me, I use the same username and password (identity) on this machine as on SUSE. Before I could access my home share from the Win machine and read/write accordingly (user access for Win was seen as same as from local). Since changing to AD all the files created by the Windows machine in my SUSE shares are "user = DOMAIN/user" and "group = DOMAIN/domain users"; this is great - except that my SUSE login still writes the files as plain user no domain suffix?
Is there any way to change DOMAIN/user accesses to just plain user? Or other way around, get my SUSE login to use DOMAIN suffix?
ps, the SUSE manual says that I should get a different "domain" login page at restart after AD membership - I don't get it in gdm or kdm.
On Mon, 2007-03-05 at 13:29 +0100, Lukas Lipavsky wrote:
If 'ls -l' shows you that some files are from "DOMAIN\user" and other are from "user", it seems to me that these are two different users.
Most probable possibility: you have one user 'user' in local system and one with the same name in your system.
could you please verify it? run as root: getent passwd and see whether you'll get 'user' and 'DOMAIN\user'
Best regards,
Nope just user
On Mon, 5 March 2007, Hans van der Merwe wrote:
On Mon, 2007-03-05 at 13:29 +0100, Lukas Lipavsky wrote:
If 'ls -l' shows you that some files are from "DOMAIN\user" and other are from "user", it seems to me that these are two different users.
Most probable possibility: you have one user 'user' in local system and one with the same name in your system.
could you please verify it? run as root: getent passwd and see whether you'll get 'user' and 'DOMAIN\user'
Best regards,
Nope just user
You wrote 'my suse login'. Is it the login you had on that suse before the machine has been added into the AD?
If 'ls -l' shows once Domain\user and in other case 'user', it definitely seems strange :(
does 'ls -n' give you same UID?
If 'getent passwd' doesn't return 'Domain\user' this might mean that you are joined into the AD, but you don't use AD for user logins.
-- Lukas Lipavsky, QA Developer
On Mon, 2007-03-05 at 13:43 +0100, Lukas Lipavsky wrote:
On Mon, 5 March 2007, Hans van der Merwe wrote:
On Mon, 2007-03-05 at 13:29 +0100, Lukas Lipavsky wrote:
If 'ls -l' shows you that some files are from "DOMAIN\user" and other are from "user", it seems to me that these are two different users.
Most probable possibility: you have one user 'user' in local system and one with the same name in your system.
could you please verify it? run as root: getent passwd and see whether you'll get 'user' and 'DOMAIN\user'
Best regards,
Nope just user
You wrote 'my suse login'. Is it the login you had on that suse before the machine has been added into the AD?
Yes (thinking about it, I should prob login as DOMAIN\user, but then I have to recreate my home dir?)
If 'ls -l' shows once Domain\user and in other case 'user', it definitely seems strange :(
No, it always shows the appropriate user - Win created files = DOMAIN\user - SUSE create files = user
does 'ls -n' give you same UID?
No, 1000 for user and 10003 for DOMAIN\user
All I did was go into Yast -> Windows Domain Membership -> fill in details.
On Mon, 5 March 2007, Hans van der Merwe wrote:
You wrote 'my suse login'. Is it the login you had on that suse before the machine has been added into the AD?
Yes (thinking about it, I should prob login as DOMAIN\user, but then I have to recreate my home dir?)
If 'ls -l' shows once Domain\user and in other case 'user', it definitely seems strange :(
No, it always shows the appropriate user - Win created files = DOMAIN\user - SUSE create files = user
does 'ls -n' give you same UID?
No, 1000 for user and 10003 for DOMAIN\user
All I did was go into Yast -> Windows Domain Membership -> fill in details.
I see. So it should be quite simple ;-) you should really login as DOMAIN\user:
- from console DOMAIN\\user.
- from kdm/gdm it should let you select the domain, or use 'DOMAIN\user' if it doesn't give you the opportunity to select domain (combobox,etc)
Then you will have UID 10003. You'll have to recreate your home and copy files, etc. But try the login first, let's see whether it's all or whether there is some other problem...
-- Lukas Lipavsky, QA Developer
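The check discussed above (`ls -n` showing 1000 for `user` and 10003 for `DOMAIN\user`) can be scripted over a whole home directory. This is an added example, not part of the original messages; the function names are hypothetical and it assumes only POSIX `find`, `ls -n`, `awk` and `getent`.

```shell
#!/bin/sh
# Added example: audit which numeric UIDs own files under a directory,
# to spot the local-user / domain-user split described in this thread.

# owner_summary DIR -> one line per owning UID: "UID COUNT NAME"
owner_summary() {
    find "$1" -xdev -exec ls -dn {} + 2>/dev/null |
        awk '{ print $3 }' | sort -n | uniq -c |
        while read -r count uid; do
            # Keyed lookup by UID goes through NSS (files, winbind, ...),
            # so it can resolve a name even when a bare 'getent passwd'
            # listing does not show that user.
            name=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
            printf '%s %s %s\n' "$uid" "$count" "${name:-UNRESOLVED}"
        done
}

# files_owned_by DIR UID -> paths owned by that numeric UID, e.g. the
# files still owned by the old local account after moving a home dir.
files_owned_by() {
    find "$1" -xdev -user "$2" -print
}

# mixed_ownership DIR -> exit status 0 if more than one UID owns files.
mixed_ownership() {
    [ "$(owner_summary "$1" | wc -l)" -gt 1 ]
}

# Example calls with the values from this thread (commented out):
#   owner_summary /home/user
#   files_owned_by /home/DOMAIN/user 1000
```

A directory written both from the local login and through the Samba share would show two lines in `owner_summary`, one per UID.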
On Mon, 2007-03-05 at 15:06 +0200, Hans van der Merwe wrote:
On Mon, 2007-03-05 at 13:43 +0100, Lukas Lipavsky wrote:
On Mon, 5 March 2007, Hans van der Merwe wrote:
On Mon, 2007-03-05 at 13:29 +0100, Lukas Lipavsky wrote:
If 'ls -l' shows you that some files are from "DOMAIN\user" and other are from "user", it seems to me that these are two different users.
Most probable possibility: you have one user 'user' in local system and one with the same name in your system.
could you please verify it? run as root: getent passwd and see whether you'll get 'user' and 'DOMAIN\user'
Best regards,
Nope just user
You wrote 'my suse login'. Is it the login you had on that suse before the machine has been added into the AD?
Yes (thinking about it, I should prob login as DOMAIN\user, but then I have to recreate my home dir?)
If 'ls -l' shows once Domain\user and in other case 'user', it definitely seems strange :(
No, it always shows the appropriate user - Win created files = DOMAIN\user - SUSE create files = user
does 'ls -n' give you same UID?
No, 1000 for user and 10003 for DOMAIN\user
All I did was go into Yast -> Windows Domain Membership -> fill in details.
When I login using DOMAIN\user - a home dir under /home/DOMAIN/user is created. I remember having issues after domain registration with Samba home dirs pointing to /home/DOMAIN, so in my ignorance I changed it by hand back to /home in smb.conf. Thus logging in as DOMAIN\user or user always goes to /home/user. Sorry my fault. As I see it, to use the domain user I will have to move my local user home dir contents to /home/DOMAIN/user.
But still, where is uid DOMAIN\user stored? What does Yast -> Windows Domain Membership do to my config files?
On Mon, 5 March 2007, Hans van der Merwe wrote:
When I login using DOMAIN\user - a home dir under /home/DOMAIN/user is created.
This is a default way, maybe it can be changed somewhere
I remember having issues after domain registration with Samba home dirs pointing to /home/DOMAIN, so in my ignorance I changed it by hand back to /home in smb.conf. Thus logging in as DOMAIN\user or user always goes to /home/user. Sorry my fault. As I see it, to use the domain user I will have to move my local user home dir contents to /home/DOMAIN/user.
simple way: yes
maybe it can be achieved some other way, but I don't know how :(
But still, where is uid DOMAIN\user stored? What does Yast -> Windows Domain Membership do to my config files?
I don't know exactly, whether it's _stored_ at all. Active directory membership uses pam_winbind which uses winbind which gets user information directly from the AD controller. This information is then cached in nscd (something like name service caching daemon, but I'm not sure). But if you want to be AD user, you need to log in as DOMAIN\user
-- Lukas Lipavsky, QA Developer
Hans van der Merwe wrote:
When I login using DOMAIN\user - a home dir under /home/DOMAIN/user is created. I remember having issues after domain registration with Samba home dirs pointing to /home/DOMAIN, so in my ignorance I changed it by hand back to /home in smb.conf. Thus logging in as DOMAIN\user or user always goes to /home/user. Sorry my fault. As I see it, to use the domain user I will have to move my local user home dir contents to /home/DOMAIN/user.
But still, where is uid DOMAIN\user stored?
I think it's stored in a Samba tdb file... Ah yes http://us1.samba.org/samba/docs/man/manpages-3/smbd.8.html
winbindd_idmap.tdb*
winbindd's local idmap db
I wonder in turn how one would keep these in sync across machines?
(Of course, I'm not the first: http://lists.samba.org/archive/samba/2005-October/thread.html#111648
Looks like HP have dealt with this in a proprietary way: http://docs.hp.com/en/B8725-90110/ch09s03.html "Access to an LDAP-UX Netscape Directory Server as the backend storage for larger deployments to maintain winbind ID maps across multiple HP CIFS Servers."
These look interesting: http://de.samba.org/samba/ftp/pre/WHATSNEW-3-0-25pre1.txt
Winbind IDMAP integration with RFC2307 schema objects supported by Windows 2003 R2.
New Winbind IDmap plugin (ad) for retrieving uid and gid from AD servers which maintain the SFU user and group attributes.
http://linux.israel.net/samba/devel/roadmap-3.html (can't find this on samba.org)
)
What does Yast -> Windows Domain Membership do to my config files?
Isn't a lot of the YaST stuff perl scripts? Could you dig out (e.g. find its package and use rpm -ql <package name> ) the one for this YaST module and read through it?
On Mon, 2007-03-05 at 14:01 +0000, Russell Jones wrote:
Hans van der Merwe wrote:
When I login using DOMAIN\user - a home dir under /home/DOMAIN/user is created. I remember having issues after domain registration with Samba home dirs pointing to /home/DOMAIN, so in my ignorance I changed it by hand back to /home in smb.conf. Thus logging in as DOMAIN\user or user always goes to /home/user. Sorry my fault. As I see it, to use the domain user I will have to move my local user home dir contents to /home/DOMAIN/user.
But still, where is uid DOMAIN\user stored?
I think it's stored in a Samba tdb file... Ah yes http://us1.samba.org/samba/docs/man/manpages-3/smbd.8.html
winbindd_idmap.tdb*
winbindd's local idmap db
I wonder in turn how one would keep these in sync across machines?
(Of course, I'm not the first: http://lists.samba.org/archive/samba/2005-October/thread.html#111648 Looks like HP have dealt with this in a proprietary way: http://docs.hp.com/en/B8725-90110/ch09s03.html "Access to an LDAP-UX Netscape Directory Server as the backend storage for larger deployments to maintain winbind ID maps across multiple HP CIFS Servers."
These look interesting: http://de.samba.org/samba/ftp/pre/WHATSNEW-3-0-25pre1.txt
Winbind IDMAP integration with RFC2307 schema objects supported by Windows 2003 R2.
New Winbind IDmap plugin (ad) for retrieving uid and gid from AD servers which maintain the SFU user and group attributes.
http://linux.israel.net/samba/devel/roadmap-3.html (can't find this on samba.org)
)
What does Yast -> Windows Domain Membership do to my config files?
Isn't a lot of the YaST stuff perl scripts? Could you dig out (e.g. find its package and use rpm -ql <package name> ) the one for this YaST module and read through it?
OK, thanks, I'm back on local security :)
On Monday 05 March 2007 15:16, Hans van der Merwe wrote:
On Mon, 2007-03-05 at 14:01 +0000, Russell Jones wrote:
Hans van der Merwe wrote:
When I login using DOMAIN\user - a home dir under /home/DOMAIN/user is [..]
Hi all and list,
- I'm working right now with the very same issues as described in this thread.
- I just came across "man winbindd", note the two "d's"...
- Perhaps this is of help ?
Best regards
Verner Kjærsgaard
participants (5)
- Hans van der Merwe
- John Andersen
- Lukas Lipavsky
- Russell Jones
- Verner Kjærsgaard