[Samba] Integrate Samba with Active Directory

Jonathan Buzzard jonathan at buzzard.me.uk
Tue Jul 19 11:11:25 MDT 2011


Bruno Martins - GALILEU LISBOA wrote:
> Hello guys,
>
> I am setting up a Samba server (based on CentOS 5.6) on my company which
> will act as a print and file server. Also, it has dropbox installed.
>
> I have set up everything regarding to CUPS and Samba itself, but I'm not
> being able to integrate my shares with Active Directory.
>
> All I want is that access control to Samba shares is made through Active
> Directory users and their respective passwords, and not through
> Unix-style users and groups. Is this possible?
>
> Some configuration files:
>
> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
>
> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
>
> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>
> Can someone please give me some lights on this?
>

A quick look shows a lack of an idmap setup in the smb.conf. You say 
you are using CentOS 5.6, in which case I strongly recommend that you 
use the samba3x packages over the plain samba packages if you are not 
doing so already.

Here is an example based on what I use with CentOS 5.6 using the samba3x 
packages. Note that I have the rfc2307 information set in the AD for all 
the users. I have a whole bunch of other options as well to do with 
CTDB, GPFS and other bits and bobs as well. However these are not 
relevant to getting it working.

On the AD side you need to set the UID, home directory and primary group 
in the Unix Attributes tab, and then in the Member Of tab you need to 
add the user to the primary group that you set in the Unix Attributes 
tab and make that their primary group. All the groups need a GID setting 
in their Unix Attributes tab as well.

The important thing about the idmap setting is that you must have a 
plain tdb backend (or something else that is allocatable) and the range 
must not overlap with the range for the domain or it does not work. Not 
quite sure why that is because in my setting all accounts exist in the 
AD with appropriate Unix attributes. Took me ages to work that nugget of 
information out.


JAB.


[global]
        netbios name = nemo
        security = ads
        workgroup = CAMPUS
        realm = CAMPUS.MYCORP.COM
        password server = *
        preferred master = no
        encrypt passwords = yes
        kerberos method = secrets only

        # deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999
        idmap gid = 2000000 - 2999999
        idmap config CAMPUS : backend = ad
        idmap config CAMPUS : schema_mode = rfc2307
        idmap config CAMPUS : readonly = yes
        idmap config CAMPUS : range = 500 - 1999999
        idmap cache time = 120
        idmap negative cache time = 20
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false


-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
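The range rule described in the reply above (an allocating default backend whose range must not overlap the domain's range), as an added check that is not part of the post or of Samba itself: a small Python script that parses the idmap lines of an smb.conf and flags a non-allocating default backend or overlapping ranges. The embedded sample config is constructed from the fragment in the post, and the ALLOCATING set is an assumption about which backends hand out new ids.

```python
import re

# Constructed sample, modelled on the smb.conf fragment in the post above.
SMB_CONF = """
[global]
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : schema_mode = rfc2307
    idmap config CAMPUS : range = 500 - 1999999
"""
ALLOCATING = {"tdb", "tdb2", "autorid"}  # assumed: backends that allocate new ids

def parse_idmap(conf):
    # {domain: {"backend": str|None, "ranges": [(lo, hi), ...]}}; the legacy
    # 'idmap backend/uid/gid' lines go under '*' (the default allocating map)
    maps = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("idmap") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"idmap config (.+?)\s*:\s*(\w+)$", key)
        if m:
            dom, opt = m.groups()
        elif key in ("idmap backend", "idmap uid", "idmap gid"):
            dom, opt = "*", "backend" if key == "idmap backend" else "range"
        else:
            continue
        entry = maps.setdefault(dom, {"backend": None, "ranges": []})
        if opt == "backend":
            entry["backend"] = value
        elif opt == "range":
            lo, hi = (int(x) for x in value.split("-"))
            entry["ranges"].append((lo, hi))
    return maps

def check_idmap(conf):
    # Returns a list of problems; an empty list means the layout is sound.
    maps, problems = parse_idmap(conf), []
    default = maps.get("*", {"backend": None})
    if default["backend"] not in ALLOCATING:
        problems.append("default idmap backend is not allocating (use tdb)")
    spans = [(d, lo, hi) for d, e in maps.items() for lo, hi in e["ranges"]]
    for i, (d1, lo1, hi1) in enumerate(spans):
        for d2, lo2, hi2 in spans[i + 1:]:
            if d1 != d2 and lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"overlap: {d1} {lo1}-{hi1} vs {d2} {lo2}-{hi2}")
    return problems
```

Run it against a real smb.conf by passing the file's contents to check_idmap; it only inspects idmap lines, so the rest of the file is ignored.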

