Old 10-Apr-2007, 09:33
ghys

ok here are my files
KRB5.conf, nsswitch, smb.conf, ldap.

if you need more details please ask.
My network is like this:
-Win2k3 advanced server (french)
-15 Win XP stations (fixed and laptops)
-distant sites via VPN access
-some shared printers and a shared workstation for a specific DOS application

Since it's a French OS, some words may look odd to you.
UPPERCASE words are there for a reason you know. Lowercase too.
----------------------------------------------------------
krb5.conf file:
; krb5.conf as posted: Kerberos library settings used by Samba's
; security = ads join/logins (and by pam_krb5 if installed).
; Only a line that starts with ';' or '#' is a comment; there is no
; inline-comment syntax in this file.
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
; NOTE(review): "SYSLOG:NOTICEAEMON" is not a valid log destination; the
; documented form is SYSLOG[:severity[:facility]], so this looks like a
; damaged "SYSLOG:NOTICE:DAEMON" -- confirm against the file on disk.
default = SYSLOG:NOTICEAEMON
;default = FILE:/var/log/krb5/libs.log

[libdefaults]
; lifetime requested for new tickets; a bare integer is read as seconds
; (24000 s is about 6h40m)
ticket_lifetime = 24000
; realm assumed when a principal carries none; it must have a [realms] entry
default_realm = DOMAIN.COM
; encryption types offered for the TGT / service tickets, in preference
; order.  des-cbc-crc and des-cbc-md5 are single DES (56-bit): weak, and
; disabled by default in current MIT releases.  arcfour-hmac-md5 is the RC4
; type a 2003-era AD typically issues.  Keep the stronger types first and
; drop single DES unless a specific service still needs it.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
; KDC discovery through DNS SRV records is disabled here, so the [realms]
; block below is the only source of KDC addresses.
; dns_lookup_realm = true
; dns_lookup_kdc = true
; clockskew is in seconds; the library default is also 300
; clockskew = 300

[realms]
; NOTE(review): this realm name is not DOMAIN.COM, which is the
; default_realm above and the target of every [domain_realm] mapping.
; With DNS KDC lookup disabled, DOMAIN.COM therefore has no KDC defined at
; all.  If the realm really is DOMAIN.COM, rename this entry; otherwise
; change default_realm and [domain_realm] to match it.
CARTOSHERB.COM = {
kdc = server.domain.com
default_domain = DOMAIN.COM
admin_server = server.domain.com
}

; host name -> realm mapping; the leading-dot form covers all sub-domains
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM


; [kdc] only matters on a KDC host; this machine is a client, so leaving
; it disabled is fine.
;[kdc]
; profile = /var/kerberos/krb5kdc/kdc.conf

; pam_krb5 defaults, disabled.  If they are ever enabled, note that
; forwardable = true lets a logged-in user's TGT be delegated to any
; service that user contacts.
;[appdefaults]
;pam = {
; debug = false
; ticket_lifetime = 1d
; renew_lifetime = 1d
; forwardable = true
; krb4_convert = false
; proxiable = false
; retain_after_close = false
; minimum_uid = 0
; try_first_pass = true
;}
--------------------------------------------------------------------
nsswitch:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# user, password-hash and group lookups: local files first, then nss_ldap
# (configured in /etc/ldap.conf).  "shadow: ... ldap" means every process
# that does a shadow lookup goes through the bind identity in ldap.conf,
# so that identity needs read access to the password attributes in AD and
# the connection to the DC should be TLS-protected.
passwd: files ldap
shadow: files ldap
group: files ldap

# alternative backend through Samba's winbind (libnss_winbind), disabled.
# NOTE(review): smb.conf runs security = ads with its own idmap, so nss_ldap
# and winbind are two independent uid/gid sources here; verify they agree
# for the same user (getent passwd vs. wbinfo -i) before relying on both.
#passwd: compat winbind
#group: compat winbind

# host names: /etc/hosts, then DNS, then NetBIOS/WINS via Samba's
# libnss_wins (the wins module must be installed for this to resolve)
hosts: files dns wins
networks: files dns

# local files only, except netgroup and automount which also consult NIS
# although no NIS client is configured anywhere else in this post
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files
----------------------------------------------------------------------
smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-02-07
# NOTE(review): Samba only treats a line that *starts* with '#' or ';' as
# a comment; anything after a value is part of the value.  Run `testparm -s`
# to see how each line below is actually parsed.
[global]
# NetBIOS domain name; must be the short name of the AD domain named by realm
workgroup = DOMAIN
###PRINTING
printing = cups
# security = ads: users are authenticated against the AD KDC (krb5.conf);
# the host must have been joined with `net ads join`
security = ads
printcap name = cups
printcap cache time = 750
cups options = raw

# unknown user names fall back to the guest account; together with any
# writable share that allows guests this is anonymous write access
# (see [data] at the bottom)
map to guest = Bad User
include = /etc/samba/dhcp.conf
# roaming profile / home locations; %L is this server's NetBIOS name
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = no

# only needed when this host is the domain controller; it is not
# (security = ads), so leaving it disabled is correct
;add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

;domain logons = No
domain master = No
netbios name = poptarts
# not consulted for authentication while security = ads; it also means the
# ldap * settings under ####LDAP are not used as a passdb, only by idmap
passdb backend = smbpasswd
wins support = Yes
usershare max shares = 100
preferred master = no
# KB per log file before rotation; one file per client machine (%m)
max log size = 100
log file = /var/log/samba/%m.log


####LDAP
;ldap group suffix = ou=Groups
;ldap idmap suffix = dc=domain,dc=com
# NOTE(review): the text after "dc=com" on the next line is NOT a comment;
# it becomes part of the bind DN, so every bind with this DN (the idmap
# backend below uses it) fails.  Move the remark onto its own line above
# the setting.  Also verify the container name with an LDAP browser: the
# default Users container DN is normally CN=Users even on a French install
# (the localised name is only the display name) -- confirm.
ldap admin dn = cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com ; Utilisateurs is the Users group
;ldap machine suffix = ou=Machines
ldap passwd sync = Yes
# disabled: the idmap bind (ldap admin dn plus its password from
# secrets.tdb) crosses the network in clear unless ldap ssl is on
;ldap ssl = On
ldap suffix = dc=domain,dc=com
# NOTE(review): same inline-comment problem as ldap admin dn -- the value
# here is "ou=Users ;I believe ...".  Not used while passdb backend =
# smbpasswd, so fixing it changes nothing today, but it will bite later.
ldap user suffix = ou=Users ;I believe i have a bug here.... should it be Utilisateurs?

####IDMAP
# uid/gid range winbind may allocate for AD users and groups; keep it clear
# of local accounts in /etc/passwd and of any uidNumber/gidNumber values
# nss_ldap reads from AD, or the two sources will hand out colliding ids
idmap gid = 1000-59999
idmap uid = 1000-59999
#idmap backend = ad
# allocations are written to LDAP, binding as ldap admin dn under
# ldap idmap suffix (which, as I read it, falls back to ldap suffix).
# NOTE(review): storing those entries in AD needs the Samba schema loaded on
# the DC -- confirm; otherwise idmap backend = ad with the SFU/R2 uidNumber
# attributes ldap.conf already maps is the simpler choice.
idmap backend = ldap:ldap://willywallers.domain.com

realm = DOMAIN.COM
# template homedir = /home/%D/%U
template homedir = /home/%U

template shell = /bin/bash

encrypt passwords = Yes
use kerberos keytab = true
# NOTE(review): a different host name from the kdc in krb5.conf
# (server.domain.com).  With security = ads Samba can locate DCs itself, so
# pinning one here is usually left out; if both names are the same DC the
# two files should at least agree.
password server = willywallers.domain.com

####WINBIND
winbind separator = +
# user names are presented without the DOMAIN+ prefix
winbind use default domain = yes
# enumeration makes `getent passwd`/`getent group` list every AD object:
# fine for 15 users, expensive on large domains
winbind enum users = yes
winbind enum groups = yes
# minutes of inactivity before an idle client connection is dropped
deadtime = 10
# seconds winbind caches lookup results
winbind cache time = 10
winbind nested groups = yes
winbind refresh tickets = yes

####OTHER
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
dns proxy = no


# disabled share rooted at "/": if it is ever re-enabled, anyone matching
# valid users gets read/write over the whole filesystem as their own uid
;[admin]
; comment = Windows admin access
; path = /
; valid users = "@Admins_du_domaine"
; admins users = "@Admins_du_domaine"
; read only = No
; create mask = 0664
; browseable = No
; inherit permissions = Yes


# %S is the share (= user) name, %D%w%S the DOMAIN+user form
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
browseable = No
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
[data]
comment = Répertoire data
path = /home/data
read only = No
# NOTE(review): "guests" is not a Samba parameter name I recognise (the
# option is "guest ok"); testparm should report it as unknown and ignore
# it.  If guest access on a writable share is really intended, reconsider
# it together with map to guest = Bad User above.
guests = Yes
directory mask = 0775
# NOTE(review): the French group names presumably contain spaces ("Admins du
# domaine", "Utilisa. du domaine"); check with `getent group` that the
# underscore spellings used here resolve, otherwise nobody matches this
# list and the share is unreachable.
valid users = "@Utilisa._du_domaine" "@Admins_du_domaine"
--------------------------------------------------------------
ldap.conf:
# /etc/ldap.conf (nss_ldap / pam_ldap) as posted.  Only a line starting
# with '#' is a comment in this file.
# Your LDAP server. Must be resolvable without using LDAP.
# (superseded by the uri line below when both are present)
host 192.168.0.xx

# The distinguished name of the search base.
base dc=domain,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library).
ldap_version 3

# plain ldap:// -- see the ssl lines at the end: with TLS off, the bindpw
# below crosses the network in clear on every name lookup
uri ldap://willywallers.domain.com


# Don't try forever if the LDAP server is not reachable
bind_policy soft

# NOTE(review): ';' is not a comment marker in this file, so this line is
# read as an unknown keyword (most likely ignored, possibly logged); use '#'
;binddn cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com
# AD accepts a user principal name for a simple bind
binddn LDAPQUERYUSER@domain.com


# NOTE(review): a clear-text bind password in a file that has to be
# readable by every process doing name lookups -- and it has now been
# posted publicly, so rotate it.  Use a dedicated read-only account with no
# other rights, and prefer rootbinddn plus the root-only /etc/ldap.secret
# file over bindpw if the bind identity ever needs more than read access.
bindpw ldapqueryuser

scope sub
#scope one
#scope base

# seconds a search may take before it is abandoned
timelimit 15

# Bind timelimit
bind_timelimit 15

# NOTE(review): misspelled keyword -- the option is "referrals".  As
# written it is ignored and referral chasing stays enabled, which against
# AD can make lookups hang on referrals to the DNS partitions.
referals no

# NOTE(review): AD does not accept an MD5-hashed password on change; the
# documented value for AD is "pam_password ad".
pam_password md5

# base?scope?filter for each map.  Shadow data from AD only works with the
# SFU/R2 schema and a bind identity allowed to read those attributes.
nss_base_passwd dc=domain,dc=com?sub
nss_base_shadow dc=domain,dc=com?sub
# NOTE(review): "gdinu mber" is a broken "gidNumber" (forum line-wrap?),
# and the filter appears to lack its outer parentheses; expected form:
# nss_base_group dc=domain,dc=com?sub?(&(objectCategory=group)(gidNumber=*))
nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gdinu mber=*)


# AD object classes standing in for the RFC 2307 ones
nss_map_objectclass posixAccount User

nss_map_objectclass posixGroup Group

# identity mapping -- has no effect
nss_map_attribute cn cn
# SFU/R2 attribute name for the Unix home directory
nss_map_attribute homeDirectory unixHomeDirectory

# AD stores group membership in "member"
nss_map_attribute uniqueMember member

# never consult LDAP for these accounts (avoids a boot-time dependency
# on the DC for root)
nss_initgroups_ignoreusers root,ldap

# NOTE(review): "ssl" is set twice and the later line presumably overrides
# the earlier one, so TLS is OFF and the bind above is clear-text.  Keep a
# single "ssl start_tls" and add "tls_checkpeer yes" with a
# "tls_cacertfile <path-to-DC-CA-cert>" so the DC certificate is verified
# (the DC must have a server certificate for STARTTLS to work).
ssl start_tls
ssl no



------
Again, thanks for your time helping out.

Ghys