[Samba] Samba 3.5.5. id-map issues with Active Directory
Haven
haven at thehavennet.org.uk
Mon Oct 4 09:53:50 MDT 2010
It's taken a lot of fairly random experimentation but I've finally
got configs that work under Samba 3.5.5 on both Gentoo and Debian
with 2008 server. The sections in my old config that seemed to be
causing the problems and their replacements are shown below:
Old broken:
idmap backend = ad
winbind nss info = rfc2307
New working:
idmap uid = 10000-20000
idmap gid = 10000-20000
No changes were needed to my Kerberos setup.
I've included a copy of my current smb.conf that is working for me
after upgrading from 3.4.8 to 3.5.5:
> [global]
>
> workgroup = DOMAIN
> security = ADS
> kerberos method = system keytab
> winbind use default domain = true
> realm = DOMAIN.NET
>
> disable netbios = yes
> name resolve order = host lmhosts
> hosts allow = 127.0.0.1 192.168.1.0/24 93.97.246.119
> hosts deny = 0.0.0.0/0
>
> password server = 192.168.1.2, 192.168.1.3, *
>
> idmap config DOMAIN : default = yes
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : range = 10000-20000
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> winbind offline logon = yes
> winbind nested groups = yes
> winbind separator = +
>
> template homedir = /home/%U
> template shell = /bin/bash
> client ntlmv2 auth = yes
> encrypt passwords = yes
>
> local master = no
> domain master = no
> preferred master = no
> dns proxy = no
>
> server string = Samba Server Version %v
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Fix character set issues:
> # http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html
> dos charset = 850
> unix charset = UTF-8
There is still a slight discrepancy, with Debian returning more
groups for users when you type "id <user>" than Gentoo, but it
appears to be a Gentoo error, i.e. "10005(denied rodc password
replication group)". Something to look at another day, as auth works
for now, which is the main thing.
Regards
Simon