I'm trying to get my Linux box to use Active Directory authentication. I believe I have almost everything set up correctly. I'm able to issue wbinfo -g and wbinfo -u and see all the groups and users respectively.
Brief intro to my setup:
The username I use on my Linux box to do admin things is nick. My Active Directory username is nwalke. They have two different passwords. I am able to log in to the box with nick and that user's password, and I'm also able to log in as nwalke with nwalke's password.
The curious bit:
Upon creating the Active Directory user's home directory, I run a script that requires root access. This is to set up some system-wide things like a Samba share for them. When I log in as nwalke, I enter my nwalke password and it succeeds. I'm then greeted with "[sudo] password for nick:". If I enter my nwalke password here, it says "Sorry, try again." If I enter nick's password, it says "Sorry, user nick is not allowed to execute scriptname as root".
If I do groups as nwalke, I see that magically my user has been given the group nick.
Now, I accidentally thought that nick had a UID of 100, not 1000. So originally in my smb.conf I had idmap uid 1000-10000. The only thing I can think of is that I logged in with nwalke while that was still set, and now I'm just being presented with a UID of 1000, forcing Linux to think I'm nick.
I'm not really sure where to go from here. Like I said, I'm fairly certain Active Directory is communicating with my server properly, but something must not be mapped right on the Linux side.
Any thoughts?
Here is my smb.conf:
[global]
security = ads
netbios name = hostname
realm = COMPANY.COM
password server = adshost.company.com
workgroup = COMPANY
# Range from which winbind allocates Unix UIDs/GIDs for domain SIDs.
# It must not overlap the UIDs/GIDs of local accounts in /etc/passwd and /etc/group.
idmap uid = 10000-90000
idmap gid = 10000-90000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
# %D = domain, %U = user: domain users get /home/COMPANY/<user>
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Do I need to bind to a user on the linux box somehow?
Best Answer
It sounds like you have a UID overlap.
If nwalke and nick share the same numeric UID, the first nsswitch match will win for things like id, sudo, ls, etc. (and the first match is usually out of the passwd file unless you've changed the order in /etc/nsswitch.conf or equivalent). (Logins will work with either name, because login looks up the user by name. Having two users with the same name will cause some interesting chaos though...)
Your local (/etc/passwd, /etc/group) and remote (NIS, Samba, LDAP, whatever) UIDs/GIDs should not overlap. Fix that core problem and the rest will resolve itself.