[Samba] [INTERNET] Re: Samba 4 : File server

BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI franck.botz at bas-rhin.gouv.fr
Tue Feb 12 01:12:17 MST 2013


Thanks for the answer.

So net join ads works fine

Here is my smb.conf:

[global]

    workgroup = DDCS67
    security = ADS
    realm = DDCS67.INTRA
    encrypt passwords = yes

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SHORTDOMAINNAME:backend = ad
    idmap config SHORTDOMAINNAME:schema_mode = rfc2307
    idmap config SHORTDOMAINNAME:range = 500-40000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes

[test]
    path = /samba/test
    read only = no

nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

After starting smbd/nmbd/winbindd, I run this:
* /samba/bin/wbinfo -t works fine
* /samba/bin/wbinfo -u gets the domain users
* /samba/bin/wbinfo -g gets the domain groups
* getent passwd gets local AND AD users
* getent group gets local AND AD groups

Next step is to set ACLs.
setfacl with an AD group or user works well on the domain member. Looks good!

From an XP machine, I go to the share \\ddcs67-imp\test and create
subdirectories and files without any problem!

Next I would like to manage the share security through the AD tools.

I see the DDCS67-IMP in the "Computers" OU.

The share "test" is available and I can get its properties. I add an AD
group in the security options. The group is resolved and appears in the
list. When I validate the box I get this error: Access Denied

Is it normal? Must the ACL on a domain member be set on the member?

Regards

On 11/02/2013 22:51, Andrew Bartlett (via Internet) wrote:
> On Mon, 2013-02-11 at 16:54 +0100, BOTZ Franck (Informaticien) - DDT
> 67/SG/MGI/CI wrote:
>> Hi !
>>
>> I have installed a DC with samba-tool command and it works perfectly !
>>
>> Control AD with the 2003 tools is very amazing, thanks for the job !
>>
>> So, my next step is to install a file server as a member of the AD and
>> not as a DC
>>
>> I read this one carefully:
>> https://wiki.samba.org/index.php/Samba4/Domain_Member
>>
>> Compiling samba:
>>
>>     * ./configure --with-ads --with-shared-modules=idmap_ad
>> --enable-debug --enable-selftest --prefix=/samba
>>
>> First of all, why --with-ads? Is it not the default feature?
> It is, but what this changes is that the compile will fail (prompting
> you to install some development headers, typically) if the right things
> are not found.  This is very helpful, and long ago I promised to make
> that the default behaviour.  Sadly I never got around to it.
>
>>     * make
>>     * make install
>>
>> The krb5.conf was filled with that:
>>
>> [logging]
>>        default = FILE:/var/log/krb5libs.log
>>        kdc = FILE:/var/log/krb5kdc.log
>>        admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>        default_realm = DDCS67.INTRA
>>        dns_lookup_realm = true
>>        dns_lookup_kdc = true
>>        ticket_lifetime = 24h
>>        forwardable = yes
>>
>> [appdefaults]
>>        pam = {
>>             debug = false
>>             ticket_lifetime = 36000
>>             renew_lifetime = 36000
>>             forwardable = true
>>             krb4_convert = false
>>        }
>>
>> What is the appdefaults section? It is not necessary on a DC which shares a
>> directory. But why not.
>>
>> After that, the smb.conf
>>
>> I was wondering whether the smb.conf must be filled by hand. For the DC,
>> running the samba-tool command will generate a smb.conf. Before doing this I
>> searched the options of samba-tool and I found this:
>>
>> samba-tool domain join DDCS67  --realm=DDCS67.intra -U Administrator
>> Password for [WORKGROUP\Administrator]:
>> Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)
>>
>> Fine, the domain is joined!! And the server appears as a Computer in the
>> MMC. Good!
>>
>> Let's run /samba/sbin/samba
>>
>> The logs are:
>> At this time the 'samba' binary should only be used for either: 'server
>> role = active directory domain controller' or to access the ntvfs file
>> server with 'server services = +smb' or the rpc proxy with 'dcerpc
>> endpoint servers = remote'
>> You should start smbd/nmbd/winbindd instead for domain member and
>> standalone file server tasks
>>
>> Is it me or did I read that the ntvfs is deprecated?
>>
>> So I run /samba/sbin/smbd, but with no smb.conf the server does not start
>>
>> Testparm gives me:
>> Load smb config files from /samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> params.c:OpenConfFile() - Unable to open configuration file
>> "/samba/etc/smb.conf":
>>
>> Can I generate a valid smb.conf for a member with samba-tool?
> I do apologise for this not being as integrated as you would expect.
> I'm very proud of the new level of ease of use found in 'samba-tool' and
> in the AD DC configuration.  Sadly while this command will successfully
> join you to the domain, it does not currently generate the smb.conf.
>
> You don't need much, just set:
>
> [globals]
>   server role = domain member
>   workgroup = DDCS67
>   realm = DDCS67.intra
>
> BTW, while I've hooked up 'samba-tool' to work, the advertised command
> for joining a domain member is 'net ads join'.  We are working to
> consolidate the code, but currently it is a different codebase.  From my
> understanding however, it also will not generate the smb.conf.
>
> I hope this helps, and feel free to file a bug as fixing this should not
> be difficult.
>
> Andrew Bartlett
>
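An added example, not code from the thread or from the Samba project, that sanity-checks the idmap layout of the [global] section shown in the message above: it parses the smb.conf, verifies that the idmap ranges are well-formed and do not overlap, and flags an idmap domain that does not match the workgroup, since winbind only applies a per-domain backend whose name matches that domain and maps everything else through the '*' backend. It assumes a single-domain setup with no trusted domains, and the configuration it reads is a constructed sample built from the message.

```python
import re

# Matches e.g. "idmap config SHORTDOMAINNAME:range = 500-40000" inside [global].
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_global(text):
    """Return (plain [global] options, {idmap domain: {key: value}})."""
    opts, idmap, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global":
            m = IDMAP_RE.match(line)
            if m:  # per-domain idmap entry
                idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3].strip()
            else:  # ordinary "key = value" option
                key, _, val = line.partition("=")
                opts[key.strip().lower()] = val.strip()
    return opts, idmap

def check_idmap(opts, idmap):
    """Return problems found in the idmap layout (empty list = consistent)."""
    problems, ranges = [], {}
    for dom, cfg in idmap.items():
        lo, hi = (int(x) for x in cfg.get("range", "0-0").split("-"))
        if lo >= hi:
            problems.append(f"{dom}: missing, empty or reversed range {lo}-{hi}")
        ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:  # two ranges overlap unless one lies wholly below the other
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: idmap ranges overlap")
    wg = opts.get("workgroup", "").upper()
    for dom in idmap:
        if dom not in ("*", wg):  # an idmap domain that the joined workgroup does not match
            problems.append(f"{dom}: not the workgroup ({wg}); domain users would be "
                            "mapped by the '*' backend instead of the AD range")
    return problems

# Constructed sample input: the idmap-related [global] lines from the message above.
SAMPLE_CONF = """[global]
    workgroup = DDCS67
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SHORTDOMAINNAME:backend = ad
    idmap config SHORTDOMAINNAME:schema_mode = rfc2307
    idmap config SHORTDOMAINNAME:range = 500-40000
"""
```

Calling `check_idmap(*parse_global(SAMPLE_CONF))` on the sample returns a single warning about the SHORTDOMAINNAME entries; replacing that name with the workgroup DDCS67 yields an empty list.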
