[Samba] help with AD integration

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Sep 30 06:59:08 MDT 2010


disclaimer: I don't use Samba as an ADS member server.  I use Samba as a 
PDC with trusts to an ADS domain.  So my observations may not be valid.

Did you try updating nsswitch.conf


     passwd:    files winbind
     group:     files winbind


If you are using a Windows domain and have a user defined in the domain, 
you generally don't want to add the user as a local user.   Since the 
underlying Unix OS needs to know about the domain users, you need to 
either use nsswitch+winbind (which I do) or the smb PAM module (which I 
don't use, and I'm not sure it really is the correct approach).

If you use nsswitch.conf+winbind you can then also OPTIONALLY allow 
"Windows" users "Unix" access like ssh.    My Samba server is a PDC; I 
have a domain trust with Windows domains, BUT the default shell is 
"/bin/false".    (It is still a little flaky...)

Does "getent passwd" show the Windows users?   It should show something like

ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false

or

SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false



It looks like you already have a "Unix" ben and an "ADS" ben defined?

"wbinfo -s" and "wbinfo -n" are also useful for making sure that the 
name-to-SID and SID-to-name mappings are correct for domain users.




On 09/30/2010 08:17 AM, Ben George wrote:
> Hi
>
> My name is Ben.T.George.
>
> I followed this tutorial: http://www.edsiohio.com/images/advanced-AD-2009-05-18.pdf
>
>
> My current status is: I successfully joined the AD.
>
>
> bash-3.00# ./net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- SRE
> Joined 'SUN1' to realm 'sre.com'
>
> and wbinfo shows the users and groups from the AD:
>
> bash-3.00# ./wbinfo -u
> SUN1+ramana
> SUN1+user1
> SUN1+ben
> administrator
> guest
> support_388945a0
> krbtgt
> teju
> ben
> ramana
>
> bash-3.00# ./wbinfo -g
> helpservicesgroup
> telnetclients
> domain computers
> domain controllers
> schema admins
> enterprise admins
> cert publishers
> domain admins
> domain users
> domain guests
> group policy creator owners
> ras and ias servers
> dnsadmins
> dnsupdateproxy
>
> Then I checked the AD, and SUN1 is listed under the Computers tab.
>
> That means my connection side is a success, no?
>
> This is my smb.conf file:
>
> # Samba config file created using SWAT
> # from UNKNOWN (ÿ¿û^H)
> # Date: 2010/09/29 17:37:34
>
> [global]
>          workgroup = SRE
>          realm = SRE.COM
>          security = ADS
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>          winbind separator = +
>          winbind use default domain = Yes
>
> [user1]
>          path = /export/home/user1
>          valid users = user1, ramana, teju
>
> [ramana]
>          path = /export/home/ramana
>          valid users = ramana, teju
>
> [teju]
>          path = /export/home/teju
>          valid users = teju
>
> [ben]
>          path = /export/home/ben
>          valid users = ben
>
> [user1]
>          path = /export/home/user1
>          valid users = ben, user1, ramana, teju
>
>
> And the Kerberos file, krb5.conf:
>
>
> [libdefaults]
>          dns_lookup_realm = false
>          default_realm = SRE.COM
>          ticket_lifetime = 600
>          kdc_req_checksum_type = 2
>          checksum_type = 2
>          ccache_type = 1
>
> #[kdc]
> #        profile = /krb5/var/krb5kdc/kdc.conf
>
>
> [logging]
>          default = FILE:/usr/local/var/log/kdc.log
>          kdc = FILE:/usr/local/var/log/kdc.log
>          admin_server = FILE:/usr/local/var/log/adm.log
>
> [realms]
>          SRE.COM = {
>                  kdc = srec.sre.com:88
>                  admin_server = srec.sre.com:749
> #                default_domain = SRE.COM
>          }
>
> [domain_realm]
>          .sre.com = SRE.COM
>          sre.com = SRE.COM
>
> [login]
>      krb4_convert = 0
>
>
> My need is this: suppose ben is a user common to Unix and Windows.
> When I log in as ben through a Windows machine, I want to access the shared
> folder for ben on Unix (without giving a password for ben).
>
> Another thing is, when we change the password or username in Active
> Directory, it should also affect the same user on Unix.
>
> That means, suppose I change the user ben to ben1, and the password... the changes
> must be written to the /etc/passwd and shadow files.
>
> Is there any way to do this? I am a beginner at this, so please give me good
> advice.
>
>
> Thanks
> Ben.T.George
>    



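The checks the reply above describes (nsswitch.conf sending passwd and group lookups to winbind, "getent passwd" showing the domain user with a uid from the idmap range, the "wbinfo -n" / "wbinfo -s" round trip, and the local-ben-versus-domain-ben collision), as an added shell example that is not part of the original thread or of Samba. The nsswitch.conf contents, the getent output, the wbinfo -u list and the SIDs are constructed; the wbinfo function is a stub that imitates the real tool's output shape so the script runs offline, and should be deleted to run the checks against a real winbindd. The idmap range and separator are taken from the posted smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for an
# nsswitch + winbind member-server setup. All data below is constructed.

IDMAP_LO=10000   # from "idmap uid = 10000-20000" in the posted smb.conf
IDMAP_HI=20000
SEP='+'          # from "winbind separator = +"

# Constructed nsswitch.conf, written the way the reply suggests.
NSSWITCH_SAMPLE='passwd:     files winbind
group:      files winbind
hosts:      files dns'

# Constructed "getent passwd" output: a local ben plus two domain users
# (shown with the domain prefix, i.e. winbind use default domain = no).
GETENT_SAMPLE='root:x:0:0:root:/root:/bin/bash
ben:x:1001:1001:Local Ben:/export/home/ben:/bin/bash
SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
SRE+ramana:*:10002:10001:Ramana:/home/SRE/ramana:/bin/false'

# Constructed "wbinfo -u" output (bare names, as with use default domain = yes).
WBINFO_USERS='ramana
ben
teju'

# Stub standing in for wbinfo so this runs without winbindd. SIDs are
# hypothetical. "-n" prints "SID TYPE (n)", "-s" prints "DOMAIN\name type",
# as the real tool does. Remove this function on a real member server.
wbinfo() {
  case "$1 $2" in
    "-n SRE+ben")    printf '%s\n' "S-1-5-21-1111-2222-3333-1105 SID_USER (1)" ;;
    "-n SRE+ramana") printf '%s\n' "S-1-5-21-1111-2222-3333-1106 SID_USER (1)" ;;
    "-s S-1-5-21-1111-2222-3333-1105") printf '%s\n' 'SRE\ben 1' ;;
    "-s S-1-5-21-1111-2222-3333-1106") printf '%s\n' 'SRE\ramana 1' ;;
    *) return 1 ;;
  esac
}

# True if both passwd and group lookups are routed to winbind.
nss_has_winbind() {  # $1 = nsswitch.conf contents
  printf '%s\n' "$1" | grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' &&
  printf '%s\n' "$1" | grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)'
}

# Print the passwd line for a user; fail if NSS returns none.
passwd_entry() {  # $1 = getent passwd output, $2 = user name
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print; f = 1 } END { exit !f }'
}

# A domain user must be visible through NSS with a uid from the idmap
# range; a shell other than /bin/false means Unix logins are open to it.
check_domain_user() {  # $1 = getent passwd output, $2 = DOMAIN+user
  local entry uid shell
  entry=$(passwd_entry "$1" "$2") || { echo "$2: not visible via NSS"; return 1; }
  uid=$(printf '%s' "$entry" | cut -d: -f3)
  shell=$(printf '%s' "$entry" | cut -d: -f7)
  if [ "$uid" -lt "$IDMAP_LO" ] || [ "$uid" -gt "$IDMAP_HI" ]; then
    echo "$2: uid $uid is outside idmap range $IDMAP_LO-$IDMAP_HI"; return 1
  fi
  [ "$shell" = /bin/false ] || echo "$2: shell is $shell, Unix logins allowed"
  return 0
}

# Name -> SID -> name round trip with wbinfo -n and wbinfo -s. wbinfo -s
# prints DOMAIN\user, so the backslash is swapped for the configured separator.
sid_roundtrip() {  # $1 = DOMAIN+user
  local sid back
  sid=$(wbinfo -n "$1" | awk '{ print $1 }')
  [ -n "$sid" ] || return 1
  back=$(wbinfo -s "$sid" | awk '{ print $1 }' | tr '\\' "$SEP")
  [ "$back" = "$1" ]
}

# Domain users that also exist as local (files) accounts. With
# "winbind use default domain = yes" NSS returns the files entry first and
# the domain user is shadowed; this is the two-bens situation in the thread.
local_collisions() {  # $1 = getent passwd output, $2 = wbinfo -u output
  local u uid
  for u in $2; do
    uid=$(passwd_entry "$1" "$u" | cut -d: -f3)
    [ -n "$uid" ] && [ "$uid" -lt "$IDMAP_LO" ] && echo "$u"
  done
  return 0
}

main() {
  nss_has_winbind "$NSSWITCH_SAMPLE" && echo "nsswitch: winbind enabled"
  check_domain_user "$GETENT_SAMPLE" "SRE+ben"
  sid_roundtrip "SRE+ben" && echo "SRE+ben: SID round trip ok"
  echo "local/domain collisions: $(local_collisions "$GETENT_SAMPLE" "$WBINFO_USERS")"
}
main
```

On a real member server, drop the wbinfo stub and feed the functions with `$(cat /etc/nsswitch.conf)`, `$(getent passwd)` and `$(wbinfo -u)`; a collision reported by local_collisions is the case the reply warns about, where a domain user has also been created locally and the files entry wins.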