[Samba] SAMBA + KERBEROS + AD
Sadique Puthen
sputhenp at redhat.com
Thu Mar 6 12:33:08 GMT 2008
Helio Calaça Filho wrote:
> SMB.CONF
>
> # Samba config file created using SWAT
> # from 10.10.15.33 (10.10.15.33)
> # Date: 2008/03/04 13:39:37
>
> [global]
> workgroup = SAMBA
> realm = SAMBA.COM
> server string = Test Server
> security = ADS
> log level = 4
> log file = /local/samba/var/%m.log
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = Yes
> winbind enum groups = Yes
> veto files = /.exe/*mp3*/
>
> #[homes]
> # comment = Personal Directory
> # read only = No
> # browseable = No
> [teste]
> comment = Test Directory
> path = /teste
> valid users = SAMBA #Ps.: SAMBA string here is the domain, so it can accept all domain users
>
I doubt whether this is valid. As per "man smb.conf", "If this is
empty (the default) then any user can login." So you should either
leave it empty or specify valid users or groups. Specifying the domain name
to allow all users/groups may not be valid.
> read only = No
> veto files = /*.exe/*mp3*/
>
> [commom_ad]
> comment = Common Directory
> path = /comum_ad
> force user = smbtest
> read only = No
> guest ok = Yes
>
> --------------------------------------------------------------------------------------------------------------
>
> NSSWITCH.CONF
>
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> # nisplus or nis+ Use NIS+ (NIS version 3)
> # nis or yp Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
> #hosts: db files nisplus nis dns
> hosts: files dns winbind
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: nisplus
>
> publickey: nisplus
>
> automount: files nisplus
> aliases: files nisplus
> -------------------------------------------------------------------------------------------------------------------------------------
> [root@redh lib]# ll libnss_winb*
>
> -rwxr-xr-x 1 root root 18588 Fev 26 12:51 libnss_winbind.so
> lrwxrwxrwx 1 root root 22 Fev 27 17:25 libnss_winbind.so.2 -> /lib/libnss_winbind.so
> -rwxr-xr-x 1 root root 892632 Set 1 2006 libnss_wins.so.2
>
> --------------------------------------------------------------------------------------------------------------------
> [root@redh lib]# ps -A
> PID TTY TIME CMD
>
> 28736 ? 00:00:10 nmbd
> 28737 ? 00:00:00 winbindd
> 28738 ? 00:00:00 winbindd
> 28739 ? 00:00:00 smbd
> 28742 ? 00:00:00 smbd
> 28758 ? 00:00:00 winbindd
> 29019 ? 00:00:00 winbindd
> 31715 ? 00:00:00 smbd
> ----------------------------------------------------------------------------------------------------------------------
> [root@redh lib]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[teste]"
> Processing section "[comum_ad]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> -------------------------------------------------------------------------------------------------------------
>
> [root@redh lib]# net ads join -U Administrator
> suporte's password:
> Using short domain name -- SAMBA
> Joined 'REDH' to realm 'SAMBA.COM'
>
> --------------------------------------------------------------------------------------------------------------------------
> All correct apparently. But when I try to access my Samba shares using my
> WinXP station (logged in to the ADS domain), the Samba server asks for a user and
> password. I put in any ADS user and I can't.
>
> Where am I wrong?
>
> See Ya!
>
> Regards,
> Hélio Calaça Filho
>
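As an added example (not from either poster), a small lint for the `valid users` problem discussed above: Samba only treats `#` as a comment at the start of a line, so the inline remark on the `valid users` line becomes part of the value, and a bare workgroup name is neither a user nor an `@group`. The parser and the sample config are my own minimal constructions, not Samba's loader.

```python
"""Lint 'valid users' entries in an smb.conf (minimal parser, assumption:
not Samba's own loader). Samba treats '#' and ';' as comments only at the
start of a line, so an inline '#' becomes part of the value."""
import re

# Constructed sample mirroring the posted [global] workgroup and [teste] share.
SAMPLE = """\
[global]
workgroup = SAMBA
security = ADS
[teste]
path = /teste
valid users = SAMBA #Ps.: SAMBA string here is the domain
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} using Samba's full-line comment rule."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # only full-line comments are skipped
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def lint_valid_users(text):
    """Return warnings for each share whose 'valid users' line looks wrong."""
    conf = parse_smb_conf(text)
    workgroup = conf.get("global", {}).get("workgroup", "").lower()
    warnings = []
    for share, params in conf.items():
        if share == "global" or "valid users" not in params:
            continue
        value = params["valid users"]
        if "#" in value:
            warnings.append(f"[{share}] inline '#' is not a comment: {value!r}")
        # Check only the part before any '#' so the remark text is not re-flagged.
        for entry in re.split(r"[,\s]+", value.split("#")[0].strip()):
            if entry and entry.lower() == workgroup:
                warnings.append(f"[{share}] {entry!r} is the workgroup, not a "
                                "user or @group; use a domain group such as "
                                f'@"{workgroup.upper()}\\Domain Users"')
    return warnings
```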