[Samba] help with AD integration
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Sep 30 06:59:08 MDT 2010
Disclaimer: I don't use Samba as an ADS member server. I use samba as
PDC with trusts to an ADS domain. So my observations may not be valid.

Did you try updating nsswitch.conf?

passwd: files winbind
group: files winbind

If you are using a Windows domain and have a user defined in the domain,
you generally don't want to add the user as a local user. Since the
underlying unix OS needs to know about the domain users you need to
either use nsswitch+winbind (which I do) or the smb pam module (which I
don't use, and not sure if it really is the correct approach.)

If you use nsswitch.conf+winbind you can then also OPTIONALLY allow
"windows" users "unix" access like ssh. My samba server is a PDC- I
have a domain trust with windows domains BUT the default shell is
"/bin/false." (It is still a little flaky...)

Does "getent passwd" show the windows users? It should show something like

ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false

or

SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false

It looks like you already have a "unix" ben and an "ADS" ben defined?

"wbinfo -s" and "wbinfo -n" are also useful for making sure that the
name-to-sid and sid-to-name mappings are correct for domain users.

On 09/30/2010 08:17 AM, Ben George wrote:
> Hi
>
> My name is Ben.T.George.
>
> I followed http://www.edsiohio.com/images/advanced-AD-2009-05-18.pdf this
> tutorial
>
>
> My current status is: I successfully joined to the AD
>
>
> bash-3.00# ./net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- SRE
> Joined 'SUN1' to realm 'sre.com'
>
> and wbinfo shows the users and groups from the AD
>
> bash-3.00# ./wbinfo -u
> SUN1+ramana
> SUN1+user1
> SUN1+ben
> administrator
> guest
> support_388945a0
> krbtgt
> teju
> ben
> ramana
>
> bash-3.00# ./wbinfo -g
> helpservicesgroup
> telnetclients
> domain computers
> domain controllers
> schema admins
> enterprise admins
> cert publishers
> domain admins
> domain users
> domain guests
> group policy creator owners
> ras and ias servers
> dnsadmins
> dnsupdateproxy
>
> Then I checked the AD, the Sun1 is listed under the computer tab.
>
> That means my connection side is success na..?
>
> This is my smb.conf file
>
> # Samba config file created using SWAT
> # from UNKNOWN (ÿ¿û^H)
> # Date: 2010/09/29 17:37:34
>
> [global]
> workgroup = SRE
> realm = SRE.COM
> security = ADS
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
> winbind use default domain = Yes
>
> [user1]
> path = /export/home/user1
> valid users = user1, ramana, teju
>
> [ramana]
> path = /export/home/ramana
> valid users = ramana, teju
>
> [teju]
> path = /export/home/teju
> valid users = teju
>
> [ben]
> path = /export/home/ben
> valid users = ben
> [user1]
> path = /export/home/user1
> valid users = ben, user1, ramana, teju
>
>
> And Kerberos file: krb5.conf
>
>
> [libdefaults]
> dns_lookup_realm = false
> default_realm = SRE.COM
> ticket_lifetime = 600
> kdc_req_checksum_type = 2
> checksum_type = 2
> ccache_type = 1
>
> #[kdc]
> # profile = /krb5/var/krb5kdc/kdc.conf
>
>
> [logging]
> default = FILE:/usr/local/var/log/kdc.log
> kdc = FILE:/usr/local/var/log/kdc.log
> admin_server = FILE:/usr/local/var/log/adm.log
>
> [realms]
> SRE.COM = {
> kdc = srec.sre.com:88
> admin_server = srec.sre.com:749
> # default_domain = SRE.COM
> }
>
> [domain_realm]
> .sre.com = SRE.COM
> sre.com = SRE.COM
>
> [login]
> krb4_convert = 0
>
>
> My need is: suppose ben is a user common to unix and windows.
> When I log in as ben through a windows machine, I want to access the shared
> folder for ben in Unix (without giving a password for ben).
>
> Another thing is, when we change the password or username in Active
> Directory, it also affects the same user in the unix.
>
> That means, suppose I change the user ben to ben1, and the password... the changes
> must be written in the /etc/passwd and shadow file.
>
> Is there any way to do this? I am a beginner to this, so please give me good
> advice.
>
>
> Thanks
> Ben.T.George
>
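
The two checks suggested in the reply (is winbind listed in nsswitch.conf, and do a "unix" ben and an "ADS" ben both exist), as an added example that is not part of the original thread. The function names, file names and sample data are constructed, and the `wbinfo -u` output is assumed to have been saved to a file.

```shell
#!/bin/sh
# Added example, not from the thread. Works on copies of nsswitch.conf and
# /etc/passwd plus saved `wbinfo -u` output; all sample data is constructed.

# nss_has_winbind FILE DB: succeed if DB ("passwd" or "group") lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# shadowed_users PASSWD WBINFO_OUT SEP: print names defined both locally and
# in winbind. With "files winbind" the local entry is the one NSS returns.
shadowed_users() {
    awk -F: -v sep="$3" '
        FNR == NR { if ($1 != "") loc[$1] = 1; next }
        {
            name = $0; p = index(name, sep)     # strip a "DOMAIN+" prefix
            if (p) name = substr(name, p + length(sep))
            if ((name in loc) && !(name in seen)) { seen[name] = 1; print name }
        }' "$1" "$2" | sort
}

# write_samples DIR: constructed inputs modelled on the thread.
write_samples() {
    printf 'passwd: files winbind\ngroup: files  # winbind missing\n' > "$1/nsswitch.conf"
    printf 'root:x:0:0:root:/:/sbin/sh\nben:x:101:10:local ben:/export/home/ben:/bin/sh\n' > "$1/passwd"
    printf 'SRE+ben\nSRE+ramana\nadministrator\nben\n' > "$1/wbinfo_u.txt"
}

d=$(mktemp -d) && write_samples "$d"
for db in passwd group; do
    nss_has_winbind "$d/nsswitch.conf" "$db" || echo "nsswitch.conf: $db does not list winbind"
done
echo "domain users shadowed by local accounts: $(shadowed_users "$d/passwd" "$d/wbinfo_u.txt" +)"
rm -rf "$d"
```

Any name this reports resolves to the local account's UID and home directory on the Unix side, so file ownership and share permissions may not match the domain identity the user authenticated as.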