svn commit: samba-docs r271 - in trunk/Samba-HOWTO-Collection: .

jht at samba.org jht at samba.org
Sat Nov 6 00:11:19 GMT 2004


Author: jht
Date: 2004-11-06 00:11:16 +0000 (Sat, 06 Nov 2004)
New Revision: 271

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=271

Log:
More work in progress - further commits to follow.
Modified:
   trunk/Samba-HOWTO-Collection/IDMAP.xml


Changeset:
Modified: trunk/Samba-HOWTO-Collection/IDMAP.xml
===================================================================
--- trunk/Samba-HOWTO-Collection/IDMAP.xml	2004-11-05 06:59:26 UTC (rev 270)
+++ trunk/Samba-HOWTO-Collection/IDMAP.xml	2004-11-06 00:11:16 UTC (rev 271)
@@ -315,20 +315,150 @@
 <title>IDMAP Backend Usage</title>
 
 <para>
+Anyone who wishes to use <command>winbind</command> will find the following example configurations helpful.
+Remember that in the majority of cases <command>winbind</command> is of primary interest for use with
+Domain Member Servers (DMSs) and Domain Member Clients (DMCs).
 </para>
 
 	<sect2>
 	<title>Default Winbind TDB</title>
 
 	<para>
+	The following is a simple example of an NT4 DMS &smb.conf; file that shows only the global section.
+<screen>
+#Global parameters
+[global]
+        workgroup = MEGANET2
+        security = DOMAIN
+        idmap uid = 10000-20000
+        idmap gid = 10000-20000
+        template primary group = "Domain Users"
+        template shell = /bin/bash
+        winbind separator = +
+</screen>
 	</para>
 
+	<para>
+	The creation of the DMS requires the following steps:
+	</para>
+
+	<procedure>
+		<step><para>
+		Create or install and &smb.conf; file with the above configuration.
+		</para></step>
+
+		<step><para>
+		Execute:
+<screen>
+&rootprompt; net rpc join -UAdministrator%password
+Joined domain MEGANET2.
+</screen>
+	The success or failure of the join can be confirmed with the following command:
+<screen>
+&rootprompt; net rpc testjoin
+Join to 'MIDEARTH' is OK
+</screen>
+		A failed join would report the following:
+<screen>
+&rootprompt; net rpc testjoin
+[2004/11/05 16:34:12, 0] utils/net_rpc_join.c:net_rpc_join_ok(66)
+Join to domain 'MEGANET2' is not valid
+</screen>
+		</para></step>
+
+		<step><para>
+		Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
+		</para></step>
+	</procedure>
+
+	<para>
+	The procedure for joining and ADS domain is similar to the NT4 domain join, except the &smb.conf; file
+	will have the following contents:
+<screen>
+# Global parameters
+[global]
+        workgroup = BUTTERNET
+	netbios name = GARGOYLE
+        realm = BUTTERNET.BIZ
+        security = ADS
+        template shell = /bin/bash
+        idmap uid = 500-10000000
+        idmap gid = 500-10000000
+        winbind use default domain = Yes
+        winbind nested groups = Yes
+        printer admin = "BUTTERNET\Domain Admins"
+</screen>
+	</para>
+
+	<para>
+	ADS DMS operation requires use of kerberos (KRB). For this to work the <filename>krb5.conf</filename>
+	must be configured. The exact requirements depends on which version of MIT or Heimdal kerberos is being
+	used. It is sound advice to use only the latest version, which at this time are MIT kerberos version
+	1.3.5 and Heimdal 0.61.
+	</para>
+
+	<para>
+	The creation of the DMS requires the following steps:
+	</para>
+
+	<procedure>
+		<step><para>
+		Create or install and &smb.conf; file with the above configuration.
+		</para></step>
+
+		<step><para>
+		Execute:
+<screen>
+&rootprompt; net ads join -UAdministrator%password
+Joined domain BUTTERNET.
+</screen>
+	The success or failure of the join can be confirmed with the following command:
+<screen>
+&rootprompt; net ads testjoin
+Join to 'BUTTERNET' is OK
+</screen>
+	</para>
+
+	<para>
+	An invalid or failed join can be detected by executing:
+<screen>
+&rootprompt; net ads testjoin
+GARGOYLE$@'s password:
+[2004/11/05 16:53:03, 0] utils/net_ads.c:ads_startup(186)
+  ads_connect: No results returned
+Join to domain is not valid
+</screen>
+		</para></step>
+
+		<step><para>
+		Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
+		</para></step>
+
+	</procedure>
+
 	</sect2>
 
 	<sect2>
 	<title>IDMAP Storage in LDAP using Winbind</title>
 
 	<para>
+<screen>
+# Global parameters
+[global]
+        workgroup = SNOWSHOW
+        realm = SNOWSHOW.COM
+        server string = Samba Server
+        security = ADS
+        log level = 1 ads:10 auth:10 sam:10 rpc:10
+        ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
+        ldap idmap suffix = ou=Idmap
+        ldap suffix = dc=SNOWSHOW,dc=COM
+        idmap backend = ldap:ldap://ldap.snowshow.com
+        idmap uid = 150000-550000
+        idmap gid = 150000-550000
+        template shell = /bin/bash
+        winbind use default domain = Yes
+</screen>
 	</para>
 
 	</sect2>
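Review bot: In the NT4 procedure the expected `net rpc testjoin` output reads "Join to 'MIDEARTH' is OK", but the smb.conf above it and the join output both use MEGANET2; the success example should name the domain that was actually joined. Both join commands also put the password on the command line (`-UAdministrator%password`), where it lands in shell history and the process list; consider showing `-UAdministrator` and letting `net` prompt for it. Smaller points: "Create or install and &smb.conf; file" (twice) and "joining and ADS domain" should read "an"; `<command>nmbd, winbind,</command>` wraps two daemon names in one element; the `netbios name` line is indented with a tab while its neighbours use spaces; and the "IDMAP Storage in LDAP using Winbind" para is a bare screen with no sentence saying what the configuration is for or why `log level` is set to 10 for four debug classes.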
@@ -337,6 +467,20 @@
 	<title>IDMAP and NSS IDMAP Resolution</title>
 
 	<para>
+<screen>
+# Global parameters
+[global]
+        workgroup = BOBBY
+        realm = BOBBY.COM
+        security = ADS
+        idmap uid = 150000-550000
+        idmap gid = 150000-550000
+        template shell = /bin/bash
+        winbind cache time = 5
+        winbind use default domain = Yes
+        winbind trusted domains only = Yes
+        winbind nested groups = Yes
+</screen>
 	</para>
 
 		<sect3>
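Review bot: The para added under "IDMAP and NSS IDMAP Resolution" contains only a `<screen>` with no introductory text, so nothing tells the reader which of these settings makes this an NSS-resolution example. Add a sentence before the screen that names the setting that matters here (presumably `winbind trusted domains only = Yes`) and says why `winbind cache time = 5` is set so low, or drop the cache time line if it is incidental to the example.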
@@ -361,6 +505,24 @@
 	<title>IDMAP_RID with Winbind</title>
 
 	<para>
+<screen>
+# Global parameters
+[global]
+        workgroup = KPAK
+        realm = corp.kpak.com
+        server string = Office Server
+        security = ADS
+        allow trusted domains = No
+        idmap backend = idmap_rid:KPAK=500-100000000
+        idmap uid = 500-100000000
+        idmap gid = 500-100000000
+        template shell = /bin/bash
+        winbind use default domain = Yes
+        winbind enum users = No
+        winbind enum groups = No
+        winbind nested groups = Yes
+        printer admin = "Domain Admins"
+</screen>
 	</para>
 
 	</sect2>
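Review bot: The range 500-100000000 appears three times in this screen, once in `idmap backend = idmap_rid:KPAK=500-100000000` and again in `idmap uid` and `idmap gid`, with no text stating whether the three must agree; add a sentence before the screen that says so, and that explains why `allow trusted domains = No` and the two `winbind enum` settings are part of an idmap_rid configuration. The para is otherwise a bare screen with no introduction. Also, `printer admin = "Domain Admins"` is written without the domain prefix here, while the ADS example in the first hunk uses "BUTTERNET\Domain Admins" with the same `winbind use default domain = Yes`; pick one form or explain the difference.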


