[Samba] Samba + NIS + ADS

Crombach, Leo B CrombachLB at Corning.com
Tue Sep 6 08:29:35 MDT 2011


Samba Admins:

This is my second post on this matter so my apologies for redundant
requests for help.  My first request yielded only one response which did
not solve my current problem.

Background:

We have been using Samba on Linux (Redhat) for several years to access
shares on Sun servers.  The Sun environment uses NIS/NFS for user
accounts and sharing (mounting) remote file systems.  Accessing the Sun
shares was transparent for the users.  They were able to map the drives
using the standard \\server\share syntax and Samba would mount based on
the appropriate permissions.  The Samba server was a domain member
server.  I used a map file to map UNIX usernames to Windows usernames if
they were not the same.  I was not running winbind.  I believe the
Windows environment was Windows 2003 in mixed mode (I'm not a Windows
Domain Admin).

So, in short, the user would map to the Samba server, which, in turn,
would NFS mount the requested share providing the user credentials and
permissions were correct.

The configuration was Redhat 9 running Samba 3.0.1-2.

Now, we are moving to a Windows 2008 Active Directory backend.  Doing so
disabled Samba's ability to authenticate the users in Active Directory.
To get back to operation, I set up an OpenSuse 11.4 box running Samba
3.5.7-1.17 so it can talk to AD.  However, we are running with mixed
success.  Users are able to connect to shares but have to enter
username/password (some can't connect at all).  I need Samba to work as
before so connecting to shares is transparent.  Also, we are running in
Windows 2003 AD native mode.  Going forward, I will need Samba to run in
Windows 2008 AD mode.

I have tried many configurations and have done much reading on the
options in smb.conf, use or not use winbind, reviewed the Samba By
Example documentation on the Samba website, etc.

The OpenSuse box is running in AD as a member server no problem.  The
issue is authentication with, or between, NIS and Active Directory.  I
am hoping someone who has a similar environment can provide assistance (Sun
NIS/NFS, Samba 3, Windows 2003/2008 AD).

My old smb.conf looks something like this:

# Global parameters
[global]
	workgroup = MYWORKGROUP
	netbios name = SAMBASERVER
	server string = SAMBASERVER
	security = DOMAIN
	encrypt passwords = Yes
	obey pam restrictions = Yes
	password server = *
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
	username map = /packages/smbmap/smbnames
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	max log size = 0
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
	wins server = IP ADDRESS
	printing = cups

My current smb.conf looks like this:

[global]
	workgroup = MYWORKGROUP
	realm = MYWORKGROUP.COMPANY.COM
	server string = SAMBASERVER
	security = ADS
	map to guest = Bad User
	null passwords = Yes
	obey pam restrictions = Yes
	passdb backend = smbpasswd
	username map = /packages/smbmap/smbnames
	unix password sync = Yes
	client NTLMv2 auth = Yes
	log level = 3
	log file = /var/log/samba/%m.log
	max log size = 0
	printcap name = cups
	domain master = No
	wins server = IP ADDRESS
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind refresh tickets = Yes
	cups options = raw

I'm running Winbind now, wasn't before.  So I'm also using the smbpasswd
file to map users.  Wasn't using this before either.

Thanks

