[Samba] Integrate Samba with Active Directory
Jonathan Buzzard
jonathan at buzzard.me.uk
Tue Jul 19 11:11:25 MDT 2011
Bruno Martins - GALILEU LISBOA wrote:
> Hello guys,
>
> I am setting up a Samba server (based on CentOS 5.6) on my company which
> will act as a print and file server. Also, it has dropbox installed.
>
> I have set up everything regarding CUPS and Samba itself, but I'm not
> able to integrate my shares with Active Directory.
>
> All I want is that access control to Samba shares is made through Active
> Directory users and their respective passwords, and not through
> Unix-style users and groups. Is this possible?
>
> Some configuration files:
>
> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
>
> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
>
> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>
> Can someone please give me some light on this?
>
A quick look shows a lack of an idmap setup in the smb.conf. You say
you are using CentOS 5.6, in which case I strongly recommend that you
use the samba3x packages over the plain samba packages if you are not
doing so already.
Here is an example based on what I use with CentOS 5.6 using the samba3x
packages. Note that I have the rfc2307 information set in the AD for all
the users. I have a whole bunch of other options as well to do with
CTDB, GPFS and other bits and bobs as well. However these are not
relevant to getting it working.
On the AD side you need to set the UID, home directory and primary group
in the Unix Attributes tab, and then in the Member Of tab you need to
add the user to the primary group that you set in the Unix Attributes
tab and make that their primary group. All the groups need a GID setting
in their Unix Attributes tab as well.
The important thing about the idmap setting is that you must have a
plain tdb backend (or something else that is allocatable) and the range
must not overlap with the range for the domain or it does not work. Not
quite sure why that is because in my setting all accounts exist in the
AD with appropriate Unix attributes. Took me ages to work that nugget of
information out.
JAB.
[global]
netbios name = nemo
security = ads
workgroup = CAMPUS
realm = CAMPUS.MYCORP.COM
password server = *
preferred master = no
encrypt passwords = yes
kerberos method = secrets only
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config CAMPUS : backend = ad
idmap config CAMPUS : schema_mode = rfc2307
idmap config CAMPUS : readonly = yes
idmap config CAMPUS : range = 500 - 1999999
idmap cache time = 120
idmap negative cache time = 20
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
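The reply's key point is that the default (allocating) idmap range must not overlap the domain's range. The script below is an added example, not code from the post or from Samba itself: it parses the Samba 3.x-style idmap keys used in the reply (`idmap backend`, `idmap uid`/`idmap gid`, `idmap config DOM : backend/range`, plus the newer `idmap config * : ...` spelling) out of smb.conf text and reports a missing default backend or range and any overlapping ranges. The configs embedded in it are constructed from the reply's [global] section; the function names are hypothetical.

```python
import re

# Constructed sample config modelled on the [global] section shown in the
# reply above (trimmed to the idmap-related lines; values are illustrative).
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    workgroup = CAMPUS
    realm = CAMPUS.MYCORP.COM
    # deal with NSS and the whole UID/SID id mapping stuff
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : schema_mode = rfc2307
    idmap config CAMPUS : readonly = yes
    idmap config CAMPUS : range = 500 - 1999999
"""

# Same config, but with a domain range that spills into the default range:
# the mistake the reply warns about (constructed for the check below).
OVERLAPPING_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "range = 500 - 1999999", "range = 500 - 2500000")

_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
_DOMAIN_RANGE_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*range$")
_DOMAIN_BACKEND_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*backend$")


def parse_idmap(text):
    """Extract idmap backends and ranges from smb.conf text.

    Returns (backends, ranges), both dicts keyed by domain name, with '*'
    standing for the default (allocating) idmap. The legacy Samba 3.x keys
    'idmap backend' / 'idmap uid' / 'idmap gid' are folded into '*', as are
    the newer 'idmap config * : ...' keys.
    """
    backends, ranges = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        # smb.conf comment lines start with '#' or ';'
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        m = _DOMAIN_BACKEND_RE.match(key)
        if m or key == "idmap backend":
            backends[m.group(1).upper() if m else "*"] = value.lower()
            continue
        m = _DOMAIN_RANGE_RE.match(key)
        if m or key in ("idmap uid", "idmap gid"):
            r = _RANGE_RE.match(value)
            if not r:
                continue
            low, high = int(r.group(1)), int(r.group(2))
            name = m.group(1).upper() if m else "*"
            if name in ranges:
                # 'idmap uid' and 'idmap gid' both land on '*': keep their union
                low = min(low, ranges[name][0])
                high = max(high, ranges[name][1])
            ranges[name] = (low, high)
    return backends, ranges


def overlapping_ranges(ranges):
    """Return sorted (name_a, name_b) pairs whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def audit_idmap(text):
    """List the idmap problems that would break a winbind/AD setup like the one above."""
    backends, ranges = parse_idmap(text)
    problems = []
    if "*" not in backends:
        problems.append("no default idmap backend (idmap backend / idmap config * : backend)")
    if "*" not in ranges:
        problems.append("no default idmap range (idmap uid/gid or idmap config * : range)")
    for name, (low, high) in ranges.items():
        if low > high:
            problems.append(f"range for {name} is inverted: {low} - {high}")
    for a, b in overlapping_ranges(ranges):
        problems.append(f"idmap ranges for {a} and {b} overlap: {ranges[a]} vs {ranges[b]}")
    return problems


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("overlapping", OVERLAPPING_SMB_CONF)):
        print(label, audit_idmap(conf) or ["ok"])
```

Run it against the output of `testparm -s` rather than the raw file if you want Samba's own defaults and include directives resolved first; the checker only looks at what is literally in the text it is given.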