[Samba] Samba server joining domain and browsing group shares

Victor Mendez vmendez at netsystemsinfo.com
Thu Feb 28 02:04:56 GMT 2008


Hello, I have a small network and would like to add Samba to our environment. 
This is what I would like to accomplish:
- We have an ADS PDC (Windows 2000 Server)
- We have 27 workstations running Windows XP Pro

We have recently bought a new server, installed openSUSE 10.3, and installed 
and configured Samba. Basically we want to use the new Samba server as a data 
repository server.

In the Windows environment we have 4 groups: management, which has 4 users; 
accounting, which has 5 users; sales, which has 3 users; and engineering, which 
has 15 users.

We would like the users in each group to have access only to the files for 
their corresponding group on the Samba server, i.e. accounting sees the 
accounting share only, etc. These groups are defined on the PDC ADS machine, not 
on the Samba server.

My question is: how do I configure the Samba server to inherit the groups 
defined on the Windows PDC ADS machine?

I include a copy of the /etc/samba/smb.conf file:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-12-04
[global]
	workgroup = NETSYS
	realm = NETSYSTEMSINFO.COM
	preferred master = no
	server string = Linux file server
	security = ADS
	encrypt passwords = yes
	log level = 3
	printcap name = cups
	printing = cups
	cups options = raw
	winbind enum users  = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind nested groups = yes
	winbind separator = +
	map to guest = Bad User
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	#security = user
	add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
	domain logons = No
	domain master = No
	netbios name = cuzco
	usershare allow guests = No
	use kerberos keytab = true
	idmap gid = 10000-20000
	idmap uid = 10000-20000
	template homedir = /home/%D/%U
	#winbind refresh tickets = yes
	password server     = arequipa.netsystemsinfo.com
	#winbind cache time  = 600
	allow trusted domains = yes

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes

[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/

[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

[management]
	comment = Management files
	inherit acls = Yes
	path = /Management
	read only = No
	valid users = @Documentaries
	admin users = vmendez

[accounting]
	comment = Accounting  files
	inherit acls = Yes
	path = /Accounting
	read only = No
	valid users = @Movies
	admin users = vmendez

[sales]
	comment = Sales files
	inherit acls = Yes
	path = /Sales
	read only = No
	valid users = @Series
	admin users = vmendez

[ingeneering]
	comment = Ingeneering files
	inherit acls = Yes
	path = /Ingeneering
	read only = No
	valid users = @Series
	admin users = vmendez

## Share disabled by YaST
# [netlogon]
-------------------------------------------------------------------------------------------------------------------------
I also include a copy of my /etc/krb5.conf file:
[libdefaults]
	default_realm    = NETSYSTEMSINFO.COM
	dns_lookup_realm = false
	dns_lookup_kdc   = false
	ticket_lifetime  = 24h
	forwardable      = yes
	#clockskew = 300

[realms]
	NETSYSTEMSINFO.COM = {
	kdc = arequipa.netsystemsinfo.com
	admin_server = arequipa.netsystemsinfo.com
	default_domain = netsystemsinfo.com
}

[logging]
	kdc = FILE:/var/log/krb5/krb5kdc.log
	admin_server = FILE:/var/log/krb5/kadmind.log
	default = SYSLOG:NOTICE:DAEMON

[domain_realm]
	#*.netsystemsinfo.com = NETSYSTEMSINFO.COM
	.kerberos.server    = NETSYSTEMSINFO.COM
	.netsystemsinfo.com = NETSYSTEMSINFO.COM

[appdefaults]
	pam = {
	ticket_lifetime = 36000
	renew_lifetime  = 36000
	forwardable = true
	proxiable = false
	retain_after_close = false
	minimum_uid = 1
	use_shmem = sshd
	krb4_convert   = false
}
-------------------------------------------------------------------------------------------------------------------------

The problem we have is that users in the domain cannot log on to the Samba 
machine and browse their group shares.

Any help would be appreciated; we are really trying to move away from Windows, 
and solving this could help us convince management that this is the way to 
go.

Victor
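One check an administrator would run on a box configured like this, as an added example (not code from Victor's post or from the Samba project): it pulls every group named by `valid users = @...` out of the share definitions and reports which ones the domain cannot resolve. In the post, the group-restricted shares reference @Documentaries, @Movies and @Series while the domain groups described are management, accounting, sales and ingeneering, so if the domain has no groups by those names a real run would flag all three, and winbind would deny every domain user access to those shares. The smb.conf fragment and the group list in the script are constructed so that it runs offline; on the server the group list is assumed to come from `wbinfo -g` (or `getent group` once winbind is configured in nsswitch.conf), which is named in a comment but not run here.

```shell
#!/bin/sh
# Added diagnostic (hypothetical; not part of the original post).
# Finds every group referenced by "valid users = @group" in an smb.conf and
# reports the ones that do not appear in the domain group list. On the real
# server the group list comes from `wbinfo -g`; here a constructed list stands
# in so the script can run without a domain.

# Constructed smb.conf fragment mirroring the post's share definitions, plus
# one extra share that references a group the domain actually has.
SAMPLE_SMBCONF='[management]
    valid users = @Documentaries
[accounting]
    valid users = @Movies
[sales]
    valid users = @Series
[ingeneering]
    valid users = @Series
[shared]
    valid users = @accounting, vmendez
'

# Constructed stand-in for `wbinfo -g` output with
# "winbind use default domain = yes" (no DOMAIN+ prefix on the names).
SAMPLE_DOMAIN_GROUPS='domain users
management
accounting
sales
ingeneering
'

# referenced_groups CONF -> unique group names taken from "valid users = @group"
# lines. Only the first entry of a comma-separated list is examined, which is
# enough for the post's shares; LC_ALL=C keeps the sort order stable.
referenced_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*@\([^,[:space:]]*\).*/\1/p' \
      | LC_ALL=C sort -u
}

# unresolved_groups CONF GROUPLIST -> referenced groups missing from GROUPLIST.
# Matching is whole-line and case-insensitive, as AD group names are.
unresolved_groups() {
    referenced_groups "$1" | while read -r g; do
        printf '%s\n' "$2" | grep -qix -- "$g" || printf '%s\n' "$g"
    done
}

# check_shares CONF GROUPLIST -> exit 0 if every group resolves, 1 otherwise.
check_shares() {
    missing=$(unresolved_groups "$1" "$2")
    if [ -z "$missing" ]; then
        echo "all 'valid users' groups resolve in the domain"
        return 0
    fi
    printf '%s\n' "$missing" | sed 's/^/unresolved group (share will deny everyone): /'
    return 1
}

# Demo with the constructed data; a non-zero status is the expected outcome here.
check_shares "$SAMPLE_SMBCONF" "$SAMPLE_DOMAIN_GROUPS" || :

# On the real server (assumed usage, not run here):
#   check_shares "$(cat /etc/samba/smb.conf)" "$(wbinfo -g)"
```

The script only reads the configuration and the group list, so it is safe to run on a production server at any time; a non-zero exit status is the signal to compare the `valid users` lines against `wbinfo -g` before looking anywhere else for why domain users cannot reach their shares.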
