[Samba] Starting from scratch... and Active Directory

Joel Therrien Joel_Therrien at uml.edu
Sat Dec 12 20:36:31 MST 2009


    Thanks to all that replied. I will give the suggestions a try.

Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854



Robert LeBlanc wrote:
> On Fri, Dec 11, 2009 at 12:57 PM, Joel Therrien <Joel_Therrien at uml.edu 
> <mailto:Joel_Therrien at uml.edu>> wrote:
>
>     Hello,
>
>       Due to a couple of circumstances, I am rebuilding my file server. 
>     In the process I want to see if I can iron out the last few issues 
>     I have had with getting Active Directory authentication to work. 
>     Ideally I would appreciate it if anyone can provide a link to a 
>     website that gives decently detailed instructions for setting up 
>     Samba with user authentication via Active Directory running on a 
>     Windows Server 2008 box. If it matters, I will be installing Debian 
>     squeeze, since I believe that version has a version of Samba that 
>     is able to work with 2008 (our IT department upgraded over the 
>     weekend and thus broke my authentication).
>
>       On top of that, one other question: is it absolutely necessary 
>     to enable enum users and groups? I ask because with a student 
>     population of more than 13,000 I do not want to choke either my 
>     server or the university's server by making a request for that 
>     large a number of people. And if one can get away without it, what 
>     are the side effects? For example, the university's server has 
>     faculty and staff in a separate group from the students, such that 
>     an authentication call via wbinfo requires specifying for example 
>     FACULTY+John_Doe and STUDENT+Dave_Smith to work correctly. This was 
>     the one remaining hitch I did have: I used an account in the 
>     FACULTY group to bind my server to the AD server and thereafter had 
>     no issues with authenticating myself with Samba, but I could not 
>     get it to work for any students.
>
> This works very well in our environment (Windows 2008 DCs) with 
> trusted domains. I would suggest using idmap backend = hash over 
> anything else if you are using 3.4.x; it is consistent across machines 
> without having to worry about much configuration. You will be able to 
> log in both your FACULTY+user and STUDENT+user without any problem in 
> this configuration. Beware that if you are doing AD logins to the box, 
> you may have to disable the kerberos method = system keytab. 
> There is a bug that prevents password challenges if you don't have a 
> Kerberos ticket on your machine (if you have a Kerberos ticket on your 
> machine and ssh in, then it works fine because it doesn't challenge 
> for a password). It is suspected that the cause of this is the cache 
> file option in PAM; you could probably disable that instead (for more 
> info see https://bugzilla.samba.org/show_bug.cgi?id=6833). If you are 
> not using Kerberos for login, just comment out the line in smb.conf; 
> regular file share requests will still use Kerberos.
>
> Our AD domain is delegated by our campus DNS servers, we don't have to 
> change the DHCP settings to get things to work. If your campus has not 
> delegated the AD DNS domain, it might be wise to have them look into 
> it. All that needs to happen is they put in the DC addresses as the NS 
> for that domain or sub-domain.
>
> #======================= Global Settings =======================
>
> [global]
>    workgroup = ad
>    realm = AD.LOCAL
>    preferred master = no
>    server string = %h server
>    dns proxy = no
>
> #### Debugging/Accounting ####
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
>    security = ADS
>    encrypt passwords = true
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    invalid users = root
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    guest account = nobody
>    map to guest = bad user
>
> ########## Printing ##########
>
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    show add printer wizard = no
>    disable spoolss = yes
>
> ############ Misc ############
>
>   idmap backend = hash
>   winbind nss info = hash
>   winbind use default domain = yes
>   winbind separator = +
>   winbind enum groups = no
>   winbind enum users = no
>   winbind nested groups = yes
>   template homedir = /ls/users/%U
>   template shell = /bin/bash
>   winbind refresh tickets = yes
>   kerberos method = system keytab
>   winbind offline logon = yes
> #  get quota command = /root/sambaquota.sh
>
> #======================= Share Definitions =======================
>
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
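A small audit of the settings Robert's reply calls out (enumeration left off for a very large domain, idmap backend = hash, the + separator, and the kerberos method = system keytab caveat for AD logins to the box). This is an added example, not code from this thread or from Samba; the smb.conf text is a constructed excerpt of the configuration above, and the parser and finding names are my own.

```python
"""Audit the [global] section of an smb.conf for the winbind/AD settings
discussed in the thread. Added example; not from the thread or from Samba."""

# Constructed sample: the relevant [global] lines from the reply above.
SAMPLE_SMB_CONF = """\
#======================= Global Settings =======================
[global]
   workgroup = ad
   realm = AD.LOCAL
   security = ADS
  idmap backend = hash
  winbind separator = +
  winbind enum groups = no
  winbind enum users = no
  kerberos method = system keytab
#  get quota command = /root/sambaquota.sh
"""

def parse_global(text):
    """Minimal smb.conf reader: [global] parameter names (lower-cased) -> values."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def is_false(value):
    """Samba boolean parameters accept no/false/0 (case-insensitive)."""
    return value.strip().lower() in ("no", "false", "0")

def audit(text):
    """Return hypothetical finding codes for the settings the thread discusses."""
    g = parse_global(text)
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security-not-ads")        # AD authentication needs security = ads
    # Missing means Samba's default, which is no; an explicit yes walks the whole directory.
    if not is_false(g.get("winbind enum users", "no")) or not is_false(g.get("winbind enum groups", "no")):
        findings.append("enum-enabled")
    if g.get("idmap backend", "").lower() != "hash":
        findings.append("idmap-not-hash")          # the reply recommends hash on 3.4.x
    if "winbind separator" not in g:
        findings.append("separator-default")       # default separator is backslash, not +
    if g.get("kerberos method", "").lower() == "system keytab":
        findings.append("kerberos-system-keytab")  # see bugzilla 6833 for AD logins to the box
    return findings
```

Run it over a real smb.conf with `audit(open("/etc/samba/smb.conf").read())`; a share-only server that never takes Kerberos logins can ignore the kerberos-system-keytab finding, exactly as the reply says.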
