z-man5 - 2009-01-27

I have Slackware 12.2 and I have followed the instructions at:
http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind

and seamless authentication is working for every account in my domain. Now I have 2 issues:

1. I'm not sure if I understand the sentence: "Now you have winbind configured, you add the actual domain groups to the folder using chown/chmod to control permissions."
I tried changing group owner on a directory to a domain group, but Apache allows every user access to it. If I restrict it so that the apache user can't access (removing the 'world' read permission), then no one can access the directory.

I tried substituting "Require group my-group-name" for "require valid-user" in httpd.conf, but that doesn't work either.

2. The second issue is that we are a small subsidiary to a world-wide organization, and our AD domain is a part of their forest. Now when I run "getent passwd" the first time after samba and winbindd start, it only lists local accounts, then it times out after about 1 min 50 s.
When watching what is going on with Wireshark, it turns out that the web server I'm setting up is trying to contact pretty much all the other domains/domain controllers in my parent organization all over the world, and it times out, because there are firewalls in place... After about 3-5 minutes, I can see the account info is pulled from our domain controllers over LDAP. Then when I run "getent passwd", it lists domain accounts right away.

So as a crude workaround, I think I will run "getent passwd > /dev/null&" at system startup, but is there a way to limit what domains/Domain controllers Samba tries to talk to?

My smb.conf:
----------------
[global]

security = ads
password server = 10.1.1.1 10.1.1.2
realm = AMERICA.MYCORP.ORG
workgroup = AMERICAMYCORP
encrypt passwords = yes
netbios name = MYSERV001
server string = Linux - Web server

# section 7 (name resolution)
local master = no
preferred master = no
domain master = no
#ldap timeout = 15 # Default
ldap timeout = 2
ldap suffix = dc=america,dc=mycorp,dc=org
wins support = no
wins server = 10.1.1.1 10.1.1.2
#name resolve order = wins bcast
#name resolve order = lmhosts host wins
# "wins" alone seems to get the user list faster than the above.
# (smb.conf only treats a line starting with # or ; as a comment, so a
# trailing "# ..." would become part of the value; keep comments on their own line.)
name resolve order = wins
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

log file = /var/log/samba/%m.log
log level = 1
# max log size in KB:
max log size = 500
dns proxy = no
allow trusted domains = no

;******************* winbindd ***********************
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
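An added example for the first issue, not part of z-man5's post. Apache reads the filesystem as its own unix user (the apache account), never as the Windows user that mod_auth_ntlm_winbind authenticated, so chown/chmod on the directory cannot tell one web client from another: either the apache user can read it and every authenticated user gets in, or it cannot and nobody does. What "Require group" needs in Apache 2.2 is a group provider. mod_auth_ntlm_winbind only supplies the user name, and without an AuthGroupFile (mod_authz_groupfile) the group requirement has nothing to evaluate. The script below, which is assumed here rather than taken from the page, converts "getent group" output (which winbind serves from the domain) into the AuthGroupFile format "group: user1 user2"; the sample getent lines are constructed, not real accounts.

```shell
#!/bin/sh
# Build an Apache AuthGroupFile (mod_authz_groupfile format: "group: user1 user2")
# from getent-style group lines ("group:x:gid:user1,user2").

# Constructed sample of what `getent group` might print with
# "winbind use default domain = yes" and "winbind separator = +".
# Names and gids are made up for this example.
SAMPLE_GETENT='webteam:x:10005:alice,bob
other+admins:x:10020:carol
localgrp:x:100:'

# Read getent group lines on stdin, write AuthGroupFile lines on stdout.
# Field 1 is the group name, field 4 the comma-separated member list
# (possibly empty, as for a group with no members).
getent_to_authgroup() {
    awk -F: '{
        n = split($4, users, ",")
        line = $1 ":"
        for (i = 1; i <= n; i++)
            if (users[i] != "")
                line = line " " users[i]
        print line
    }'
}

# Convert only the constructed sample; returns the result on stdout so it
# can be checked without touching the real NSS database.
convert_sample() {
    printf '%s\n' "$SAMPLE_GETENT" | getent_to_authgroup
}

# Real use (not run here) would look like:
#   getent group webteam | getent_to_authgroup > /etc/httpd/domain-groups
convert_sample
```

With the generated file in place, the Directory block would carry "AuthGroupFile /etc/httpd/domain-groups" next to the existing NTLM directives and "Require group webteam" in place of "require valid-user" (the path and group name are placeholders). Two caveats: the user names in the file must match REMOTE_USER exactly as mod_auth_ntlm_winbind sets it, including case and any DOMAIN+ prefix, so check what the module actually passes (the access log shows it) before relying on the file; and since the file is a snapshot of group membership, regenerate it on a schedule so that changes made in AD, removals in particular, take effect on the web server.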