[Samba] Integrate Samba with Active Directory

Robert Freeman-Day presgas at gmail.com
Tue Jul 19 12:34:00 MDT 2011



On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:
> Bruno Martins - GALILEU LISBOA wrote:
>> Hello guys,
>>
>> I am setting up a Samba server (based on CentOS 5.6) on my company which
>> will act as a print and file server. Also, it has dropbox installed.
>>
>> I have set up everything regarding to CUPS and Samba itself, but I'm not
>> being able to integrate my shares with Active Directory.
>>
>> All I want is that access control to Samba shares is made through Active
>> Directory users and their respective passwords, and not through
>> Unix-style users and groups. Is this possible?
>>
>> Some configuration files:
>>
>> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
>>
>> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
>>
>> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>>
>> Can someone please give me some lights on this?
>>
> 
> A quick look shows a lack of an idmap setup in the smb.conf. You say
> you are using CentOS 5.6, in which case I strongly recommend that you
> use the samba3x packages over the plain samba packages if you are not
> doing so already.
> 
> Here is an example based on what I use with CentOS 5.6 using the samba3x
> packages. Note that I have the rfc2307 information set in the AD for all
> the users. I have a whole bunch of other options as well to do with
> CTDB, GPFS and other bits and bobs as well. However these are not
> relevant to getting it working.
> 
> On the AD side you need to set the UID, home directory and primary group
> in the Unix Attributes tab, and then in the Member Of tab you need to
> add the user to the primary group that you set in the Unix Attributes
> tab and make that their primary group. All the groups need a GID setting
> in their Unix Attributes tab as well.
> 
> The important thing about the idmap setting is that you must have a
> plain tdb backend (or something else that is allocatable) and the range
> must not overlap with the range for the domain or it does not work. Not
> quite sure why that is because in my setting all accounts exist in the
> AD with appropriate Unix attributes. Took me ages to work that nugget of
> information out.
> 
> 
> JAB.
> 
> 
> [global]
>     netbios name = nemo
>     security = ads
>     workgroup = CAMPUS
>     realm = CAMPUS.MYCORP.COM
>     password server = *
>     preferred master = no
>     encrypt passwords = yes
>     kerberos method = secrets only
> 
>     # deal with NSS and the whole UID/SID id mapping stuff
>     idmap backend = tdb
>     idmap uid = 2000000 - 2999999
>     idmap gid = 2000000 - 2999999
>     idmap config CAMPUS : backend = ad
>     idmap config CAMPUS : schema_mode = rfc2307
>     idmap config CAMPUS : readonly = yes
>     idmap config CAMPUS : range = 500 - 1999999
>     idmap cache time = 120
>     idmap negative cache time = 20
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     winbind offline logon = false
> 
> 
You will also want to keep in mind some incompatibilities if your AD is
pretty new (2008 or higher).

See the following for more info:
http://support.microsoft.com/kb/954387
http://support.microsoft.com/kb/957441

-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


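A small self-check for the idmap point JAB makes above (an allocating default backend, and a default range that must not overlap the domain's range), added here as an example for this thread rather than code from any of the posters or from Samba: it parses the idmap keys out of an smb.conf [global] section and reports violations. The sample configs are constructed, modelled on the quoted one, and the set of "allocating" backends is an assumption; on a live host, testparm and wbinfo remain the authoritative checks.

```python
import re
from itertools import combinations

# Constructed sample modelled on the [global] section quoted in the thread.
GOOD_CONF = """[global]
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : range = 500 - 1999999
"""
# Same layout, but the default range now collides with the domain range.
BAD_CONF = GOOD_CONF.replace("2000000 - 2999999", "1000000 - 2999999")
ALLOCATING_BACKENDS = {"tdb", "tdb2", "autorid"}  # assumed set of backends that allocate ids

def parse_idmap(conf_text):
    # Group idmap settings per domain ("*" = default); handles both the legacy
    # "idmap backend/uid/gid" keys and the "idmap config DOM : key" form.
    domains = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"idmap config (\S+) : (\S+)$", key, re.IGNORECASE)
        if m:
            dom, sub = m.group(1).upper(), m.group(2).lower()
        elif key.lower() in ("idmap backend", "idmap uid", "idmap gid"):
            dom, sub = "*", key.lower().split()[1]
        else:
            continue
        domains.setdefault(dom, {})[sub] = value
    return domains

def parse_range(value):
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(conf_text):
    # Return a list of problems; an empty list means the layout follows the advice above.
    domains, problems = parse_idmap(conf_text), []
    if domains.get("*", {}).get("backend", "").lower() not in ALLOCATING_BACKENDS:
        problems.append("default idmap backend missing or not allocating (use tdb)")
    ranges = {d: parse_range(s.get("range") or s.get("uid")) for d, s in domains.items()}
    problems += [f"{d}: no idmap range configured" for d, r in ranges.items() if r is None]
    ranges = {d: r for d, r in ranges.items() if r}
    for a, b in combinations(sorted(ranges), 2):
        (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
        if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
            problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems
```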