[Samba] [INTERNET] Re: Samba 4 : File server
BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI
franck.botz at bas-rhin.gouv.fr
Tue Feb 12 01:12:17 MST 2013
Thanks for the answer.
So net ads join works fine.
Here is my smb.conf:
[global]
workgroup = DDCS67
security = ADS
realm = DDCS67.INTRA
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
# SHORTDOMAINNAME is the placeholder from the wiki page; it must be the NetBIOS workgroup name (DDCS67 here)
idmap config SHORTDOMAINNAME:backend = ad
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
[test]
path = /samba/test
read only = no
nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
After starting smbd/nmbd/winbindd, I run this:
* /samba/bin/wbinfo -t works fine
* /samba/bin/wbinfo -u gets the domain users
* /samba/bin/wbinfo -g gets the domain groups
* getent passwd gets local AND AD users
* getent group gets local AND AD groups
Next step is to set ACLs.
setfacl with an AD group or user works well on the domain member. Looks good!
From an XP machine, I go to the share \\ddcs67-imp\test and create
subdirectories and files without any problem!
Next I would like to manage the share security through the AD tools.
I see DDCS67-IMP in the "Computers" OU.
The share "test" is available and I can get its properties. I add an AD
group in the security options. The group is resolved and appears in the
list. When I confirm the dialog I get this error: Access Denied
Is it normal? Must the ACL on a domain member be set on the member itself?
Regards
On 11/02/2013 22:51, Andrew Bartlett (via Internet) wrote:
> On Mon, 2013-02-11 at 16:54 +0100, BOTZ Franck (Informaticien) - DDT
> 67/SG/MGI/CI wrote:
>> Hi!
>>
>> I have installed a DC with the samba-tool command and it works perfectly!
>>
>> Controlling AD with the 2003 tools is amazing, thanks for the job!
>>
>> So, my next step is to install a file server as a member of the AD and
>> not as a DC.
>>
>> I read this one carefully:
>> https://wiki.samba.org/index.php/Samba4/Domain_Member
>>
>> Compiling Samba:
>>
>> * ./configure --with-ads --with-shared-modules=idmap_ad
>> --enable-debug --enable-selftest --prefix=/samba
>>
>> First of all, why --with-ads? Isn't it the default feature?
> It is, but what this changes is that the compile will fail (prompting
> you to install some development headers, typically) if the right things
> are not found. This is very helpful, and long ago I promised to make
> that the default behaviour. Sadly I never got around to it.
>
>> * make
>> * make install
>>
>> The krb5.conf was filled with this:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = DDCS67.INTRA
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> What is the appdefaults section? It is not necessary on a DC which shares a
>> directory. But why not.
>>
>> After that, the smb.conf.
>>
>> I was wondering whether the smb.conf must be filled in by hand. For the DC,
>> running the samba-tool command generates a smb.conf. Before doing this I
>> searched the options of samba-tool and found this:
>>
>> samba-tool domain join DDCS67 --realm=DDCS67.intra -U Administrator
>> Password for [WORKGROUP\Administrator]:
>> Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)
>>
>> Fine, the domain is joined!! And the server appears as a Computer in the
>> MMC. Good!
>>
>> Let's run /samba/sbin/samba
>>
>> The logs are:
>> At this time the 'samba' binary should only be used for either: 'server
>> role = active directory domain controller' or to access the ntvfs file
>> server with 'server services = +smb' or the rpc proxy with 'dcerpc
>> endpoint servers = remote'
>> You should start smbd/nmbd/winbindd instead for domain member and
>> standalone file server tasks
>>
>> Is it me, or did I read that ntvfs is deprecated?
>>
>> So I run /samba/sbin/smbd, but with no smb.conf the server does not start.
>>
>> Testparm gives me:
>> Load smb config files from /samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> params.c:OpenConfFile() - Unable to open configuration file
>> "/samba/etc/smb.conf":
>>
>> Can I generate a valid smb.conf for a member with samba-tool?
> I do apologise for this not being as integrated as you would expect.
> I'm very proud of the new level of ease of use found in 'samba-tool' and
> in the AD DC configuration. Sadly while this command will successfully
> join you to the domain, it does not currently generate the smb.conf.
>
> You don't need much, just set:
>
> [globals]
> server role = domain member
> workgroup = DDCS67
> realm = DDCS67.intra
>
> BTW, while I've hooked up 'samba-tool' to work, the advertised command
> for joining a domain member is 'net ads join'. We are working to
> consolidate the code, but currently it is a different codebase. From my
> understanding however, it also will not generate the smb.conf.
>
> I hope this helps, and feel free to file a bug as fixing this should not
> be difficult.
>
> Andrew Bartlett
>
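As an added check for the smb.conf posted above (example code written for this page, not from the Samba project or from anyone in the thread): a small Python linter that parses the [global] section and flags the idmap problems a practitioner looks for by hand before restarting winbindd, with the posted configuration embedded as a constructed input. The finding codes, the treatment of SHORTDOMAINNAME as a documentation placeholder, and the UID 1000 threshold for local accounts are this example's own assumptions, not Samba rules.

```python
"""Lint the idmap settings of a Samba domain-member smb.conf.

Added example, not code from the Samba project or the thread. The checks a
practitioner makes by hand on a member server, done here offline: the '*'
default exists, each idmap domain has a backend and a valid range, ranges do
not overlap, and the domain named in 'workgroup' has its own idmap block.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the idmap-relevant lines of the smb.conf posted in the
# thread, with the wiki's SHORTDOMAINNAME placeholder left as it appeared.
POSTED_SMB_CONF = """
[global]
workgroup = DDCS67
security = ADS
realm = DDCS67.INTRA
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SHORTDOMAINNAME:backend = ad
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:range = 500-40000
winbind nss info = rfc2307
"""

Finding = Tuple[str, str]  # (code, idmap domain the finding concerns)
IDMAP_KEY = re.compile(r"^idmap config ([^:\s]+)\s*:\s*(\S+)$")
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
PLACEHOLDERS = {"SHORTDOMAINNAME"}  # names copied verbatim from documentation (assumed)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Section name -> {normalised key: value}. Follows Samba's rules: '#'/';' lines
    are comments, names are case/whitespace-insensitive, [globals] aliases [global]."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            current = "global" if current == "globals" else current
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_idmap(text: str, local_uid_floor: int = 1000) -> List[Finding]:
    """Return (code, domain) findings; an empty list means every check passed.
    local_uid_floor is an assumed threshold, not a Samba rule: most distributions
    keep local system accounts below UID 1000, so a range starting under it risks
    colliding with /etc/passwd entries."""
    glob = parse_smb_conf(text).get("global", {})
    workgroup = glob.get("workgroup", "").upper()
    domains: Dict[str, Dict[str, str]] = {}  # 'idmap config DOM:opt' grouped by DOM
    for key, value in glob.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    findings: List[Finding] = []
    if "*" not in domains:
        findings.append(("missing-default", "*"))
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if dom in PLACEHOLDERS:
            findings.append(("placeholder", dom))
        if "backend" not in opts:
            findings.append(("missing-backend", dom))
        if "range" not in opts:
            findings.append(("missing-range", dom))
            continue
        m = RANGE.match(opts["range"].strip())
        if not m or int(m.group(1)) >= int(m.group(2)):  # winbind needs low < high
            findings.append(("bad-range", dom))
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
        if ranges[dom][0] < local_uid_floor:
            findings.append(("low-range", dom))
    names = sorted(ranges)  # overlap: winbind cannot tell which domain owns an ID
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("overlap", f"{a}/{b}"))
    # Once named domains exist, the member's own domain must be one of them,
    # or its users silently fall back to the '*' backend and range.
    if workgroup and any(d != "*" for d in domains) and workgroup not in domains:
        findings.append(("workgroup-unmapped", workgroup))
    return findings


def corrected(text: str, workgroup: str = "DDCS67") -> str:
    """The two edits the findings on the posted config point at (demonstration)."""
    return text.replace("SHORTDOMAINNAME", workgroup).replace("500-40000", "10000-40000")


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("corrected", corrected(POSTED_SMB_CONF))):
        print(label, check_idmap(conf) or "no findings")
```

Run as a script it reports the placeholder, the low-starting range and the unmapped workgroup for the posted config, and no findings for the corrected variant; it makes no winbind or network calls, so it can be run on any host holding a copy of the file.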