[Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind

Samba-Liste samba at admindu.de
Fri Jun 27 11:31:41 GMT 2008


I read at least 100 different documentations during the last week and
didn't get it. So I decided to ask the list for help :)

Unfortunately we have to move to a Windows 2008 Server ADS in our
company as this is required for some other projects. But we want to
keep our nice 5+ samba servers providing fast 50TB+ of storage.

So we have to find a way to nicely integrate the storage with the new
ADS installed. Therefore I installed a testlab consisting of 2 debian
etch storage servers, each with 12TB lvm-based storage attached. Also we
have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some Windows
XP 32 and 64 Bit clients as workstations for testing.

Now we set up everything and decided to use samba 3.2.0 as some
bugs related to W2k8 server are solved there. So I built debian packages from
experimental for etch and installed them. Then I set up kerberos and
samba using "security = ads". Everything works great. I can get a
kerberos ticket with kinit, and I can join the ADS with "net ads join
-Uadministrator". I set up /etc/nsswitch.conf to use winbind and I can
request user information successfully.

But now I have to set up shared IDMAP for my samba servers to have the
same UIDs and GIDs on all machines. As it would be nice to have all that
on the ADS server I tried the following for days without success and
that is where I need help:

- I installed the "MS Identity Management for Unix"
- I added UID, Homedir, Shell and "Default Group" to the AD User
- I set "Unix Attr" for my groups
- I configured samba as follows:

----- snip -----

workgroup = TESTLAB
netbios name = filesrv001
server string = Samba Storage Fileserver 001 (%v)
security = ADS
idmap domains = BUILTIN, TESTLAB
idmap config TESTLAB:backend = ad
idmap config TESTLAB:default = yes
idmap config TESTLAB:schema_mode = rfc2307
idmap config BUILTIN:backend = tdb
idmap config BUILTIN:base_rid = 800
idmap config BUILTIN:range = 800-999
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups = Yes
password server = WIN-RXYDW1KO5DH.testlab.company.com
wins server = WIN-RXYDW1KO5DH.testlab.company.com
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hide unreadable = yes
hide dot files = yes
unix charset = LOCALE
log level = 5

comment = Very Big Share
path =  /SERV
browseable = yes
guest ok = no
valid users = "@STGT\entenhausen"
create mask = 660
directory mode = 770
writeable = yes
readonly = no
force group = "STGT\entenhausen"

----- snip -----

- I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
- I deleted the join on the ADS
- Then I rebooted the Linux server and re-joined the ADS
- And I can retrieve the user with getent and it has its UID

filesrv001:/var/log/samba# getent passwd tic.tic

- But the default group, the home-dir and the shell are not right
- it seems like the values are not retrieved correctly from ADS
- also strange: I set up the second storage with the same configs
- only changed names
- if I retrieve the user information there
- it looks like this

getent passwd tic.tic
tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false

- so the default group is changing
- but it's still not the value listed in the ADS

Any ideas on that? Did I get something completely wrong? I'll now take a
closer look at the Win 2008 logfiles and I'll check the communication
with tcpdump. But I'm mostly stuck and really could use some hints.
Or should I try another solution? IDMAP-RID cannot be used as we are
planning a "trust domain" setup.

Thank you and best regards
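A small check that fits the situation described in the post: compare the account winbind hands out through NSS (`getent passwd`) against the RFC2307 attributes stored on the AD user object, so that a wrong gidNumber, home directory or shell is reported field by field instead of being eyeballed. This is an added example and not code from the post or from Samba. It assumes the AD side is an LDIF-style "attribute: value" dump such as `net ads search` prints; the AD attribute values below are constructed placeholders (the post does not list them), and the passwd line is the one from the second storage server in the post.

```python
#!/usr/bin/env python3
"""Compare an NSS passwd entry resolved via winbind with the RFC2307
attributes of the matching AD user.

Added example, not from the original post or from Samba.  Assumptions:
the AD side is an "attribute: value" dump in the style of
`net ads search '(sAMAccountName=tic.tic)' uidNumber gidNumber
unixHomeDirectory loginShell`; the NSS side is one `getent passwd` line.
"""

import re

# Constructed AD search output.  The attribute values are placeholders
# chosen for this example; the original post does not show them.
AD_SEARCH_OUTPUT = """\
Got 1 replies

sAMAccountName: tic.tic
uidNumber: 20007
gidNumber: 20000
unixHomeDirectory: /home/tic.tic
loginShell: /bin/bash
"""

# The passwd line exactly as the second storage server returned it in the post.
GETENT_LINE = "tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false"

# RFC2307 attribute -> index of the field in a colon-separated passwd line
FIELD_MAP = {
    "uidNumber": 2,
    "gidNumber": 3,
    "unixHomeDirectory": 5,
    "loginShell": 6,
}


def parse_ad_attrs(text):
    """Return {attribute: value} from 'attr: value' lines; other lines
    (like 'Got 1 replies') are ignored."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 passwd fields, got %d" % len(fields))
    return fields


def compare(ad_attrs, passwd_fields):
    """Return a list of (attribute, ad_value, nss_value) for every mapped
    attribute whose AD value differs from (or is missing for) what NSS
    returned.  ad_value is None when the attribute is absent in AD, which
    usually means winbind fell back to a default instead of the RFC2307
    value."""
    mismatches = []
    for attr, idx in FIELD_MAP.items():
        ad_value = ad_attrs.get(attr)
        nss_value = passwd_fields[idx]
        if ad_value != nss_value:
            mismatches.append((attr, ad_value, nss_value))
    return mismatches


def check(ad_text, passwd_line):
    """Convenience wrapper: parse both sides and return the mismatch list."""
    return compare(parse_ad_attrs(ad_text), parse_passwd_line(passwd_line))


if __name__ == "__main__":
    for attr, ad_value, nss_value in check(AD_SEARCH_OUTPUT, GETENT_LINE):
        print("%-18s AD=%-16s NSS=%s" % (attr, ad_value, nss_value))
```

Run it on a host with the real outputs substituted for the two constants: an empty result means winbind is serving the RFC2307 values; a mismatch on gidNumber, unixHomeDirectory and loginShell while uidNumber agrees is exactly the pattern the post describes and points at the attribute lookup rather than at the join itself.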


