Re: Reply: About samba 3.0.28 trust AD

Wong siu yu lmark1834997 at gmail.com
Sun Jul 7 23:02:00 MDT 2013


In my existing servers, there are two Red Hat Servers using Samba 3.0.28
and Openldap 2.7. There are 1500+ user accounts and groups there.
Now we need to set up the trust relationship with Windows AD 2008 because we
created a New Domain.
How can I set up the trust for that? Do I need to upgrade my Samba?
If yes, will it affect my existing Domain?
If no, are there any procedures for setting up the trust relationship in Samba?
Thanks.

This is my smb.conf:

# Global parameters
[global]
workgroup = HBDOMAIN
netbios name = PDC01
security = user
enable privileges = yes
#interfaces = 192.168.5.11
#username map = /etc/samba/smbusers
server string = Samba Server %v
#security = ads
encrypt passwords = Yes
#min passwd length = 3
#pam password change = no
#obey pam restrictions = No

# method 1: let Samba update only the LDAP password attributes
#unix password sync = no
#ldap passwd sync = yes

# method 2: also push the new password through smbldap-passwd
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
# expect/send pairs matched against the smbldap-passwd prompts
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

# log level 10 is full debug output; very verbose, even with a large max log size
log level = 10
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = CP950
Unix charset = UTF-8

logon script = logon.bat
logon drive = H:
logon home =
logon path =

domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
#passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=lch,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=lch,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
# account management is delegated to the smbldap-tools scripts
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# unencrypted LDAP; the directory is reached over loopback only
ldap ssl = no
# printers configuration
#printer admin = @"Print Operators"
load printers = No
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no

[netlogon]
path = /home2/samba/netlogon
browseable = No
read only = yes

[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
#force user = %U
# next line allows administrator to access all profiles
#valid users = %U "Domain Admins"

[printers]
comment = Network Printers
#printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
#print command = /usr/bin/lpr -U%U@%M -P%p -r %s
#lpq command = /usr/bin/lpq -U%U@%M -P%p
#lprm command = /usr/bin/lprm -U%U@%M -P%p %j
#lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
#lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
#queuepause command = /usr/sbin/lpc -U%U@%M stop %p
#queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775

[public]
path = /home2/samba/tmp
guest ok = yes
browseable = Yes
writable = yes


2013/7/8 Siu Yu Wong <lmark1834997 at gmail.com>

> Hi All,
>
> In my Red Hat, Samba with LDAP is being used. Now I need to set up a two
> way trust between Windows AD 2008 and Samba. Right now, I am upgrading my
> Samba to 3.6.0 with Winbind. Firstly, may I know whether the upgrade will
> affect our existing system/ accounts/ operations or not? Second, may I
> have the procedures for the trust setting? When I was setting up the trustdom
> establish, it prompted me to enter the Domain password. How can I reset
> the Samba Domain password? Thanks for your help.
>
> Warm Regards,
> MW
> From: Richard Sharpe
> Sent: 7/7/2013 23:02
> To: Marc Muehlfeld
> Cc: Wong siu yu; samba-technical at lists.samba.org
> Subject: Re: About samba 3.0.28 trust AD
> On Sun, Jul 7, 2013 at 7:52 AM, Marc Muehlfeld <samba at marc-muehlfeld.de>
> wrote:
> > Hello Wong,
> >
> > On 05.07.2013 11:14, Wong siu yu wrote:
> >>
> >> I had a RedHat 5.2 that needs to trust the domain of Windows Server 2008 R2
> >> (forest level 2003). Which package do I need to install first? I am using
> >> samba-3.0.28 but I have no samba-winbind.
> >> May I know the procedures of trust setting in Linux?
> >
> >
> > First I would suggest you the following:
> >
> > https://wiki.samba.org/index.php/FAQ#How_to_do_or_fix_..._in_an_outdated_Samba_version.3F
> >
> > For further help, please be a bit more specific what you are planning to do.
> > What do you mean by "trust"? Your posting isn't very clear on that. A trust
> > between a samba NT4-style domain and windows AD domain?
>
> My suggestion would be to upgrade to a more recent version of RHEL or
> CentOS if they don't want RHEL, and thus get a more recent version of
> Samba.
>
> I imagine that Mr/Ms Wong wants to join the RHEL system to the
> AD domain because Samba 3.0.28 was not capable of forming a domain by
> itself, IIRC. In that case, trusts are not needed, it would seem,
> although I can't recall what issues existed with 3.0.28 in that
> regard.
>
> However, you are correct, more info is needed.
>
> --
> Regards,
> Richard Sharpe
> (How to dispel sorrow? Only with Dukang wine. -- Cao Cao)
>