[Samba] Integrate Samba with Active Directory
Bruno Martins
bmartins at galileu.pt
Tue Jul 19 15:18:30 MDT 2011
On Tue, 2011-07-19 at 14:34 -0400, Robert Freeman-Day wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:
> > Bruno Martins - GALILEU LISBOA wrote:
> >> Hello guys,
> >>
> >> I am setting up a Samba server (based on CentOS 5.6) at my company, which
> >> will act as a print and file server. Also, it has dropbox installed.
> >>
> >> I have set up everything regarding CUPS and Samba itself, but I'm not
> >> able to integrate my shares with Active Directory.
> >>
> >> All I want is that access control to Samba shares is made through Active
> >> Directory users and their respective passwords, and not through
> >> Unix-style users and groups. Is this possible?
> >>
> >> Some configuration files:
> >>
> >> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
> >>
> >> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
> >>
> >> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
> >>
> >> Can someone please give me some light on this?
> >>
> >
> > A quick look shows a lack of an idmap setup in the smb.conf. You say
> > you are using CentOS 5.6, in which case I strongly recommend that you
> > use the samba3x packages over the plain samba packages if you are not
> > doing so already.
> >
> > Here is an example based on what I use with CentOS 5.6 using the samba3x
> > packages. Note that I have the rfc2307 information set in the AD for all
> > the users. I have a whole bunch of other options as well to do with
> > CTDB, GPFS and other bits and bobs as well. However these are not
> > relevant to getting it working.
> >
> > On the AD side you need to set the UID, home directory and primary group
> > in the Unix Attributes tab, and then in the Member Of tab you need to
> > add the user to the primary group that you set in the Unix Attributes
> > tab and make that their primary group. All the groups need a GID setting
> > in their Unix Attributes tab as well.
> >
> > The important thing about the idmap setting is that you must have a
> > plain tdb backend (or something else that is allocatable) and the range
> > must not overlap with the range for the domain or it does not work. Not
> > quite sure why that is because in my setting all accounts exist in the
> > AD with appropriate Unix attributes. Took me ages to work that nugget of
> > information out.
> >
> >
> > JAB.
> >
> >
> > [global]
> > netbios name = nemo
> > security = ads
> > workgroup = CAMPUS
> > realm = CAMPUS.MYCORP.COM
> > password server = *
> > preferred master = no
> > encrypt passwords = yes
> > kerberos method = secrets only
> >
> > # deal with NSS and the whole UID/SID id mapping stuff
> > idmap backend = tdb
> > idmap uid = 2000000 - 2999999
> > idmap gid = 2000000 - 2999999
> > idmap config CAMPUS : backend = ad
> > idmap config CAMPUS : schema_mode = rfc2307
> > idmap config CAMPUS : readonly = yes
> > idmap config CAMPUS : range = 500 - 1999999
> > idmap cache time = 120
> > idmap negative cache time = 20
> > winbind nss info = rfc2307
> > winbind expand groups = 2
> > winbind nested groups = yes
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> > winbind offline logon = false
> >
> >
> You will also want to keep in mind some incompatibilities if your AD is
> pretty new (2008 or higher).
>
> See the following for more info:
> http://support.microsoft.com/kb/954387
> http://support.microsoft.com/kb/957441
>
> - --
> ________
>
> Robert Freeman-Day
>
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk4lzhgACgkQup357T5MfTZlEACgnzh2dDdLA/NImyeKAtSmNwp+
> YakAmwU54AxIcvpDyBBKB9INYQ4p0J+F
> =5w+q
> -----END PGP SIGNATURE-----
Good night Robert,
My Domain Controller is running Windows Server 2003 R2 X64, so I may not
be affected by those bulletins.
By the way, thanks for noticing.
Best regards,
Bruno Martins
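The constraint JAB points out above (the default tdb range must not overlap the domain's `idmap config ... : range`) is easy to get wrong and hard to debug, so here is an added example, not from the thread or from the Samba project, of a small Python check that parses the `[global]` section of an smb.conf, collects every idmap range, and reports overlapping ranges as well as local /etc/passwd accounts whose UID falls inside an idmap range (an AD user mapped onto a UID that a local account already owns would inherit that account's file ownership). The sample config is the idmap part of JAB's posting; the passwd lines and the "bad" config are constructed for illustration.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample: the idmap-related lines of the [global] section posted in
# the thread (not a full server configuration).
SAMPLE_SMB_CONF = """
[global]
   security = ads
   workgroup = CAMPUS
   realm = CAMPUS.MYCORP.COM
   # deal with NSS and the whole UID/SID id mapping stuff
   idmap backend = tdb
   idmap uid = 2000000 - 2999999
   idmap gid = 2000000 - 2999999
   idmap config CAMPUS : backend = ad
   idmap config CAMPUS : schema_mode = rfc2307
   idmap config CAMPUS : readonly = yes
   idmap config CAMPUS : range = 500 - 1999999
"""

# Constructed counter-example: the domain range runs into the tdb range.
BAD_SMB_CONF = SAMPLE_SMB_CONF.replace("500 - 1999999", "500 - 2500000")

# Constructed /etc/passwd lines; 'bruno' sits inside the CAMPUS range.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "bruno:x:500:500::/home/bruno:/bin/bash",
]

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [global] section. Keys keep their case but
    have their whitespace normalised, so 'idmap config CAMPUS : range' is one key."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split())] = value.strip()
    return params


def idmap_ranges(params: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Collect every idmap range, keyed by domain. The default (allocating)
    range is stored under '*': from 'idmap config * : range' or from the older
    'idmap uid' / 'idmap gid' keys, whose union is taken if they differ."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in params.items():
        m = RANGE_RE.match(value)
        if not m:
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        k = key.lower()
        if k in ("idmap uid", "idmap gid"):
            name = "*"
            if name in ranges:  # merge uid and gid ranges into one span
                lo, hi = min(lo, ranges[name][0]), max(hi, ranges[name][1])
        elif k.startswith("idmap config ") and k.endswith(" : range"):
            name = key[len("idmap config "):-len(" : range")].strip()
        else:
            continue
        ranges[name] = (lo, hi)
    return ranges


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(params: Dict[str, str], passwd_lines: Sequence[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means the idmap layout looks sane."""
    problems: List[str] = []
    ranges = idmap_ranges(params)
    if params.get("security", "").lower() == "ads" and "realm" not in params:
        problems.append("security = ads but no realm is set")
    if "*" not in ranges:
        problems.append("no default (allocating) idmap range: set 'idmap uid'/'idmap gid' "
                        "or 'idmap config * : range'")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                problems.append(f"idmap range for '{a}' {ranges[a]} overlaps '{b}' {ranges[b]}")
    for line in passwd_lines:  # local accounts must not sit inside any idmap range
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        uid = int(fields[2])
        for name, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local account '{fields[0]}' (uid {uid}) lies inside "
                                f"idmap range '{name}' {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for label, conf in (("posted config", SAMPLE_SMB_CONF), ("bad config", BAD_SMB_CONF)):
        print(label, check_idmap(parse_global(conf), SAMPLE_PASSWD) or "OK")
```

Run it against a real file with `check_idmap(parse_global(open("/etc/samba/smb.conf").read()), open("/etc/passwd"))`; the ranges are read as written, so run `testparm -s` first if the file uses includes. The overlap rule is the one JAB describes; the passwd check is an extra precaution for the low starting value (500) in the posted domain range, which is exactly where CentOS 5 begins handing out UIDs to locally created users.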