Samba4 file server status
Rowland Penny
repenny241155 at gmail.com
Sat Aug 17 03:22:54 MDT 2013
On 16/08/13 17:47, Juan Pablo Lorier wrote:
> Hi Steve,
>
> Thanks for the help. I have
>
> winbind use default domain = yes
>
> from the beginning. I've tried to do the steps you mention without
> success. In fact, there's no tdb file at all and it's not been created
> after restart of the services.
> At the beginning, I've set by mistake (by ignorance) the ad backend but
> I've changed it to tdb, so winbind should create the database file.
> Should I specify services +smb +s3fs in the smb.conf?
> This is the actual settings in the smb.conf
>
> workgroup = CANAL4
> password server = *
> realm = MONTECARLOTV.COM.UY
> security = ads
> idmap config * : range = 16777216-33554431
> template homedir = /disco/%U
> template shell = /sbin/nologin
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> idmap config CANAL4 :schema_mode = rfc2307
> idmap config CANAL4 :backend = tdb
> idmap config CANAL4 :range = 100000-199999
> winbind enum users = yes
> winbind enum groups = yes
> ;winbind separator = +
> enable privileges = yes
>
> Regards,
>
>
> On 16/08/13 12:31, steve wrote:
>> On Fri, 2013-08-16 at 09:30 -0300, Juan Pablo Lorier wrote:
>>> Hi Steve,
>>>
>>> getent password shows only system users, though wbinfo -u shows all
>>> domain users including graficos.
>>>
>>> nsswitch is configured as described in the tutorials:
>>>
>>> passwd: files winbind
>>> shadow: files winbind
>>> group: files winbind
>> Guesses:
>> Looking at smb.conf, this is a linux client. It's running red hat.
>>
>> Try:
>> add:
>> winbind use default domain = yes
>> to smb.conf
>> remove winbind from shadow in nsswitch.conf
>> ensure that nscd is disabled
>>
>> net ads leave -USomeone
>> rm /var/lib/samba/*.tdb
>> net ads join -USomeone
>>
>> Any good?
>> (sorry, can't post to the list. It seems to be down. . .)
>> Steve
>>
Hello,
Every Samba ADS setup I have seen uses the first part of the realm for
the workgroup. Next, remove the 'password server' line; you do not need
it, you use Kerberos. You have set the 'template shell' to
/sbin/nologin; do you really not want any of the users to log in?
Add these lines to smb.conf:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

Then change these lines:

    idmap config * : range = 16777216-33554431
    idmap config CANAL4 :backend = tdb
    idmap config CANAL4 :range = 100000-199999

For these:

    idmap config WORKGROUP:range = 20000-3100000
    idmap config WORKGROUP:backend = ad
    idmap config *:range = 1100-2000
    idmap config *:backend = tdb

Yes, I know this uses the ad backend; you need to, to pull information
from the AD server.
Give your AD users 'uidNumbers' based on the user's RID (the bit on the
end of the user's SID) plus 3000000.
Stop samba and winbind.
Join the domain:
    net ads join -U Administrator@YOUR.DOMAIN
Start samba and winbind.
Test:
    wbinfo -u
    wbinfo -g
Check that /etc/nsswitch.conf has 'winbind' on the passwd & group lines.
'getent passwd' should return all users, including domain users with
gidNumbers.
'getent group' will only return local groups, even if you give the domain
groups a gidNumber.
This setup works for me on CentOS 6.4. If it still does not work for
you: have you installed and set up Kerberos? Is the time on the client
the same as on the server? Have you considered sssd?
Rowland
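
Added example, not part of the original message: a Python check for the idmap settings discussed above. It parses `idmap config` lines, reports overlapping ID ranges (Samba requires that the ranges do not overlap, since an overlap can map two accounts to the same Unix ID), and tests whether a uidNumber of RID + 3000000 falls inside the domain range. The sample smb.conf text is constructed from the lines in the reply with CANAL4 substituted for WORKGROUP, and the function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines from the reply above, with the
# WORKGROUP placeholder replaced by the poster's workgroup (an assumption).
SAMPLE_CONF = """\
[global]
    workgroup = CANAL4
    idmap config CANAL4:range = 20000-3100000
    idmap config CANAL4:backend = ad
    idmap config *:range = 1100-2000
    idmap config *:backend = tdb
"""

# Tolerates optional spaces around the colon, as in "CANAL4 :range".
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for each active 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out setting
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(opts):
    """Parse 'low-high' into a tuple of ints."""
    low, high = (int(x) for x in opts["range"].split("-"))
    return low, high

def overlapping(domains):
    """Return neighbouring domain pairs (sorted by range start) that overlap."""
    spans = sorted((id_range(o), d) for d, o in domains.items() if "range" in o)
    return [(d1, d2) for (r1, d1), (r2, d2) in zip(spans, spans[1:]) if r2[0] <= r1[1]]

def uid_in_range(domains, domain, rid, offset=3000000):
    """True if uidNumber = RID + offset falls inside the domain's idmap range."""
    low, high = id_range(domains[domain.upper()])
    return low <= rid + offset <= high

def max_rid(domains, domain, offset=3000000):
    """Largest RID whose RID + offset still fits under the range's upper bound."""
    return id_range(domains[domain.upper()])[1] - offset

if __name__ == "__main__":
    conf = parse_idmap(SAMPLE_CONF)
    print("overlaps:", overlapping(conf))
    print("RID 1104 mapped in range:", uid_in_range(conf, "CANAL4", 1104))
    print("highest usable RID:", max_rid(conf, "CANAL4"))
```

With the range 20000-3100000 and an offset of 3000000, any RID above 100000 produces a uidNumber outside the domain range.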