[Samba] Integrate Samba with Active Directory

Bruno Martins bmartins at galileu.pt
Tue Jul 19 15:18:30 MDT 2011


On Tue, 2011-07-19 at 14:34 -0400, Robert Freeman-Day wrote:
> On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:
> > Bruno Martins - GALILEU LISBOA wrote:
> >> Hello guys,
> >>
> >> I am setting up a Samba server (based on CentOS 5.6) at my company which
> >> will act as a print and file server. Also, it has dropbox installed.
> >>
> >> I have set up everything regarding CUPS and Samba itself, but I'm not
> >> being able to integrate my shares with Active Directory.
> >>
> >> All I want is that access control to Samba shares is made through Active
> >> Directory users and their respective passwords, and not through
> >> Unix-style users and groups. Is this possible?
> >>
> >> Some configuration files:
> >>
> >> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
> >>
> >> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
> >>
> >> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
> >>
> >> Can someone please give me some light on this?
> >>
> > 
> > A quick look shows a lack of an idmap setup in the smb.conf. You say
> > you are using CentOS 5.6, in which case I strongly recommend that you
> > use the samba3x packages over the plain samba packages if you are not
> > doing so already.
> > 
> > Here is an example based on what I use with CentOS 5.6 using the samba3x
> > packages. Note that I have the rfc2307 information set in the AD for all
> > the users. I have a whole bunch of other options as well to do with
> > CTDB, GPFS and other bits and bobs as well. However these are not
> > relevant to getting it working.
> > 
> > On the AD side you need to set the UID, home directory and primary group
> > in the Unix Attributes tab, and then in the Member Of tab you need to
> > add the user to the primary group that you set in the Unix Attributes
> > tab and make that their primary group. All the groups need a GID setting
> > in their Unix Attributes tab as well.
> > 
> > The important thing about the idmap setting is that you must have a
> > plain tdb backend (or something else that is allocatable) and the range
> > must not overlap with the range for the domain or it does not work. Not
> > quite sure why that is because in my setting all accounts exist in the
> > AD with appropriate Unix attributes. Took me ages to work that nugget of
> > information out.
> > 
> > 
> > JAB.
> > 
> > 
> > [global]
> >     netbios name = nemo
> >     security = ads
> >     workgroup = CAMPUS
> >     realm = CAMPUS.MYCORP.COM
> >     password server = *
> >     preferred master = no
> >     encrypt passwords = yes
> >     kerberos method = secrets only
> > 
> >     # deal with NSS and the whole UID/SID id mapping stuff
> >     idmap backend = tdb
> >     idmap uid = 2000000 - 2999999
> >     idmap gid = 2000000 - 2999999
> >     idmap config CAMPUS : backend = ad
> >     idmap config CAMPUS : schema_mode = rfc2307
> >     idmap config CAMPUS : readonly = yes
> >     idmap config CAMPUS : range = 500 - 1999999
> >     idmap cache time = 120
> >     idmap negative cache time = 20
> >     winbind nss info = rfc2307
> >     winbind expand groups = 2
> >     winbind nested groups = yes
> >     winbind use default domain = yes
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >     winbind refresh tickets = yes
> >     winbind offline logon = false
> > 
> > 
> You will also want to keep in mind some incompatibilities if your AD is
> pretty new (2008 or higher).
> 
> See the following for more info:
> http://support.microsoft.com/kb/954387
> http://support.microsoft.com/kb/957441
> 
> -- 
> ________
> 
> Robert Freeman-Day
> 
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36

Good night, Robert,

My Domain Controller is running Windows Server 2003 R2 X64, so I may not
be affected by those bulletins.

By the way, thanks for noticing.

Best regards,

Bruno Martins
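As an added check, not part of this thread: a small Python script that parses the idmap ranges out of an smb.conf and reports any overlap between the allocating tdb range and the per-domain ranges, the pitfall Jonathan describes above. The config text is a constructed excerpt of the smb.conf quoted above, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the smb.conf quoted above
# ([global] section only, unrelated options dropped).
SMB_CONF_OK = """
[global]
    security = ads
    workgroup = CAMPUS
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : schema_mode = rfc2307
    idmap config CAMPUS : range = 500 - 1999999
"""

# Constructed misconfiguration: a second domain colliding with both the CAMPUS and tdb ranges.
SMB_CONF_BAD = SMB_CONF_OK + ("    idmap config OTHER : backend = rid\n"
                             "    idmap config OTHER : range = 1500000 - 2500000\n")

# Matches 'idmap uid = A - B' / 'idmap gid = A - B' (old Samba 3 syntax)
# and 'idmap config DOM : range = A - B'; other idmap options are ignored.
RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:(uid|gid)|config\s+(\S+)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)",
    re.IGNORECASE | re.MULTILINE,
)
DEFAULT_KEYS = ("uid", "gid", "*")  # the allocating (tdb) backend's own pool

def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {name: (low, high)}; name is uid, gid, * or the domain name."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for kind, domain, lo, hi in RANGE_RE.findall(conf):
        ranges[kind.lower() if kind else domain.upper()] = (int(lo), int(hi))
    return ranges

def check_idmap_ranges(conf: str) -> List[str]:
    """Report inverted ranges and every pair of ranges that overlaps."""
    ranges = parse_idmap_ranges(conf)
    problems = [f"{k}: low {lo} > high {hi}" for k, (lo, hi) in ranges.items() if lo > hi]
    names = sorted(ranges)  # deterministic order for the report
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a in DEFAULT_KEYS and b in DEFAULT_KEYS:
                continue  # uid and gid may legitimately share one pool
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    return problems
```

Running `check_idmap_ranges` on the quoted configuration returns an empty list, while the constructed OTHER domain produces three overlap reports.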

