[Samba] RSAT - cloud on the horizon
Derek Shaw
d3r3kshaw at gmail.com
Thu Jan 22 18:49:39 MST 2015
This useful reply came via email - thank you Matt.
-------- Original Message --------
Subject: Re: [Samba] RSAT - cloud on the horizon
Date: Mon, 19 Jan 2015 19:24:16 +0000
From: Mattias Zhabinskiy <m at ...>
To: Derek Shaw <d3r3kshaw at gmail.com>
Hello Derek,

I'm running 2012 R2 AD DCs with native AD rfc2307 schema (never used
Identity Management for UNIX) and using PowerShell scripts to create
user and group accounts and populate the following attributes:

    gecos
    gidNumber
    loginShell
    primaryGroupID
    uidNumber
    unixHomeDirectory

to support Samba 4.1.x domain member servers.

Also, all of the above attributes can be set manually using ADUC's
Attribute Editor by enabling the Advanced Features option under the View
menu item.

Below are relevant entries from smb.conf:

    workgroup = DOMAINNAME
    security = ADS
    realm = DOMAINNAME.COM
    encrypt passwords = yes
    local master = no
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config DOMAINNAME:backend = ad
    idmap config DOMAINNAME:schema_mode = rfc2307
    idmap config DOMAINNAME:range = 80001-3100000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 3

nsswitch.conf:

    passwd: files winbind
    group: files winbind

password-auth-ac:

    auth sufficient pam_winbind.so use_first_pass
    account [default=bad success=ok user_unknown=ignore] pam_winbind.so
    password sufficient pam_winbind.so use_authtok
    session required pam_winbind.so use_first_pass

and appropriate symbolic links:

    libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so
    libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
    pam_smbpass.so -> /usr/local/samba/lib/security/pam_smbpass.so
    pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so

Regards,
Matt

> ________________________________________
> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on behalf of Derek Shaw <d3r3kshaw at gmail.com>
> Sent: Monday, January 19, 2015 1:32 AM
> To: samba at lists.samba.org
> Subject: [Samba] RSAT - cloud on the horizon
>
> I think I see some heavy weather ahead of me:
>
> http://technet.microsoft.com/en-ca/library/dn303411.aspx
>
> specifically w.r.t. Server 2012 r2 (with which I will have to soon(ish)
> wrestle):
>
>> Features Removed or Deprecated in Windows Server 2012 R2
>>...
>> RSAT: Identity management for Unix/NIS
>>
>> The Server for Network Information Service (NIS) Tools option of
>> Remote Server Administration Tools (RSAT) is deprecated. Use native
>> LDAP, Samba Client, Kerberos, or non-Microsoft options.
>
> I have recently fixed a problem with using a samba4 member server in a
> domain controlled by a windows 2008r2 AD-DC by installing the role
> service described in the technet article/quote. I fully expect to run
> into this issue again with server 2012 R2 DCs deployed elsewhere in my
> client base.
>
> Surely someone has run into this situation already.
>
> I have no idea how to configure "native LDAP, Samba Client, Kerberos, or
> non-Microsoft options" to provide the necessary information for the
> member server (essentially NIS group, GID and UID). Nor really any idea
> of where to begin looking. I'd be surprised if the technet author had
> the first clue.
>
> Can anybody provide links to relevant documentation that might be usable
> by a Microsoft-phobic SA who will likely have to deal with the issue in
> the future?
>
> Any other thoughts?
>
> Thanks in advance!
> d.
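
Added example, not part of either message on this page: a Python check of two things the quoted smb.conf depends on, namely that the idmap ranges of the * and DOMAINNAME domains do not overlap, and that every uidNumber/gidNumber set in AD falls inside the DOMAINNAME range (idmap_ad treats the range as a filter and ignores IDs outside it). The directory entries and their names are constructed sample data, and the function names are this example's own.

```python
from itertools import combinations
import re

# The idmap lines from the smb.conf quoted in the message above.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAINNAME:backend = ad
idmap config DOMAINNAME:schema_mode = rfc2307
idmap config DOMAINNAME:range = 80001-3100000
"""

# Constructed sample data (hypothetical names): (object, attribute, value in AD).
ENTRIES = [
    ("alice", "uidNumber", "80010"),
    ("bob", "uidNumber", "1001"),        # set, but below the domain range
    ("carol", "uidNumber", None),        # rfc2307 attribute never populated
    ("unixusers", "gidNumber", "80001"),
]

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    pat = re.compile(r"\s*idmap config\s+([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$")
    domains = {}
    for line in conf.splitlines():
        if (m := pat.match(line)):
            domains.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return domains

def parse_range(text):
    low, high = text.split("-")
    return int(low), int(high)

def overlapping(domains):
    """Pairs of idmap domains whose ID ranges share at least one ID."""
    r = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    return [(a, b) for a, b in combinations(sorted(r), 2)
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]

def unmapped(entries, low, high):
    """Entries the ad backend cannot map: ID attribute missing or out of range."""
    problems = []
    for name, attr, value in entries:
        if value is None:
            problems.append((name, attr, "missing"))
        elif not low <= int(value) <= high:
            problems.append((name, attr, "outside range"))
    return problems

if __name__ == "__main__":
    d = parse_idmap(SMB_CONF)
    print(overlapping(d), unmapped(ENTRIES, *parse_range(d["DOMAINNAME"]["range"])))
```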