[Samba] Starting from scratch... and Active Directory
Joel Therrien
Joel_Therrien at uml.edu
Sat Dec 12 20:36:31 MST 2009
Thanks to all that replied. I will give the suggestions a try.
Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854
Robert LeBlanc wrote:
> On Fri, Dec 11, 2009 at 12:57 PM, Joel Therrien <Joel_Therrien at uml.edu> wrote:
>
> Hello,
>
> Due to a couple of circumstances, I am rebuilding my file
> server. In the process
> I want to see if I can iron out the last few issues I have had
> with getting active directory
> authentication to work. Ideally I would appreciate it if anyone
> can provide a link to a
> website that gives decently detailed instructions for setting up
> samba with user authentication
> via Active Directory running on a windows server 2008 box. If it
> matters, I will be installing
> Debian squeeze, since I believe that version has a version of
> samba that is able to work with
> 2008 (our IT department upgraded over the weekend and thus broke
> my authentication).
>
> On top of that, one other question: Is it absolutely necessary
> to enable enum users and groups?
> I ask because with a student population of more than 13,000 I do
> not want to choke either my
> server or the university's server by making a request for that
> large a number of people. And if one
> can get away without, what are the side effects? For example, the
> university's server has faculty
> and staff in a separate group from the students, such that an
> authentication call via wbinfo
> requires specifying for example FACULTY+John_Doe and
> STUDENT+Dave_Smith to
> work correctly. This was the one remaining hitch I did have, I
> used an account in the FACULTY
> group to bind my server to the AD server and thereafter had no
> issues with authenticating myself
> with samba, but I could not get it to work for any students.
>
> This works very well in our environment (Windows 2008 DCs) with
> trusted domains. I would suggest using idmap backend = hash over
> anything else if you are using 3.4.x, it is consistent across machines
> without having to worry about much configuration. You will be able to
> login both your FACULTY+user and STUDENT+user without any problem in
> this configuration. Beware that if you are doing AD logins to the box
> that you may have to disable the kerberos method = system keytab.
> There is a bug that prevents password challenges if you don't have a
> Kerberos ticket on your machine (if you have a kerberos ticket on your
> machine and ssh in, then it works fine because it doesn't challenge
> for a password). It is suspected that the cause of this is the cache
> file option in PAM; you could probably disable that instead (for more
> info see https://bugzilla.samba.org/show_bug.cgi?id=6833). If you are
> not using Kerberos for login, just comment out the line in smb.conf;
> regular file share requests will still use Kerberos.
>
> Our AD domain is delegated by our campus DNS servers, we don't have to
> change the DHCP settings to get things to work. If your campus has not
> delegated the AD DNS domain, it might be wise to have them look into
> it. All that needs to happen is they put in the DC addresses as the NS
> for that domain or sub-domain.
>
> #======================= Global Settings =======================
>
> [global]
> workgroup = ad
> realm = AD.LOCAL
> preferred master = no
> server string = %h server
> dns proxy = no
>
> #### Debugging/Accounting ####
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
> security = ADS
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> invalid users = root
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> guest account = nobody
> map to guest = bad user
>
> ########## Printing ##########
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> show add printer wizard = no
> disable spoolss = yes
>
> ############ Misc ############
>
> idmap backend = hash
> winbind nss info = hash
> winbind use default domain = yes
> winbind separator = +
> winbind enum groups = no
> winbind enum users = no
> winbind nested groups = yes
> template homedir = /ls/users/%U
> template shell = /bin/bash
> winbind refresh tickets = yes
> kerberos method = system keytab
> winbind offline logon = yes
> # get quota command = /root/sambaquota.sh
>
> #======================= Share Definitions =======================
>
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
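As an added example (not Samba's own tooling and not code from either poster), a small Python check for the winbind settings Robert's reply discusses: it parses the [global] section of an smb.conf, flags the enum users/groups options and the kerberos method = system keytab caveat, and splits a FACULTY+John_Doe style name on the configured winbind separator. The sample config is constructed from the reply's smb.conf with the two enum options switched on.

```python
import re

# Constructed sample based on the reply's smb.conf, with the two "enum"
# options switched on so the check below has something to flag.
SAMPLE_CONF = """
[global]
   workgroup = ad
   realm = AD.LOCAL
   security = ADS
   Winbind Separator = +
   winbind use default domain = yes
   winbind enum groups = yes
   winbind enum users = yes
   kerberos method = system keytab
   # get quota command = /root/sambaquota.sh
"""

def parse_global(text):
    """Return {key: value} for [global]; keys lowercased, '#'/';' comments skipped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_winbind(params):
    """List the settings the thread warns about, as human-readable findings."""
    findings = []
    for opt in ("winbind enum users", "winbind enum groups"):
        if params.get(opt, "no").lower() in ("yes", "true", "1"):
            findings.append(f"{opt} = yes: lookups can walk the whole directory")
    if params.get("kerberos method", "").lower() == "system keytab":
        findings.append("kerberos method = system keytab: password logins may "
                        "fail without a Kerberos ticket (samba bug 6833)")
    return findings

def split_winbind_name(name, params):
    """Split DOMAIN<sep>user on the configured separator (Samba default is '\\')."""
    sep = params.get("winbind separator", "\\")
    if sep in name:
        return tuple(name.split(sep, 1))
    return None, name
```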