[Samba] Samba3 joining W2k3 as member server
Pieter De Wit
pieter at insync.za.net
Thu Dec 27 14:34:14 MST 2012
On 23/12/2012 03:31, Carlos R. Pena Evertsz wrote:
> Hi Pieter,
>
> I need to do the same, join a Ubuntu 12.04 samba server to an existing
> Win2k3.
>
> Could you post an example of the shares configuration (users and group
> read and write permissions) to be used in your example of a samba
> server as a domain member?
>
> Thanks.
>
> Carlos Pena
> Santo Domingo, Dominican Republic
>
>
>
> On 12/21/2012 5:36 PM, Pieter De Wit wrote:
>> On 18/12/2012 10:47, Andrew Bartlett wrote:
>>> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
>>>> Hi list,
>>>>
>>>> I have tried with all my might to get a samba3 server (Ubuntu
>>>> 12.04.1 LTS) to join a Windows 2003 domain as a member server,
>>>> without any luck. I have used, from memory, the official way of
>>>> doing this (aka, from the samba.org website). No matter what
>>>> settings I use in smb.conf, the server always joins as a domain
>>>> controller. This doesn't seem to break the domain however. All I
>>>> am after is that my users do not need to enter a username/password
>>>> for access from a domain PC to shares on my Linux box.
>>>>
>>>> Any pointers please or is this intended as the server does single
>>>> sign?
>>> If you can list exactly the steps you took, we might be able to help.
>>>
>>> But to answer your question: Yes, Samba will happily join Windows 2003
>>> as a domain member. The key command is 'net ads join'.
>>>
>>> Andrew Bartlett
>>>
>> Hi Andrew,
>>
>> Sorry for the delay in my reply, things have been hectic closing down
>> for the holidays. In a nutshell, here is what I do/did:
>>
>> 1) apt-get install samba winbindd krb5-user
>> 2) Configure smb.conf as per :
>>
>> [global]
>>
>> workgroup = WORK
>> realm = WORK.LOCAL
>> preferred master = no
>> server string = Linux Test Machine
>> security = ADS
>> encrypt passwords = yes
>> log level = 3
>> log file = /var/log/samba/%m
>> max log size = 50
>> printcap name = cups
>> printing = cups
>> # winbind enum users = Yes
>> # winbind enum groups = Yes
>> # winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind separator = +
>> idmap uid = 2000-20000
>> idmap gid = 2000-20000
>> template shell = /bin/bash
>> veto files = lost+found
>>
>> 3) Configure krb5.conf:
>> [libdefaults]
>> default_realm = WORK.LOCAL
>>
>> [realms]
>> YPG.LOCAL={
>> kdc=DC.WORK.LOCAL
>> }
>> [domain_realm]
>> .kerberos.server=WORK.LOCAL
>>
>> 4) Restart Samba/Winbind
>> 5) In /etc/nsswitch.conf add winbind to passwd and group
>> 6) Join the domain : net ads join -U <my_admin_account>
>> 7) kinit <my_admin_account>
>>
>> From then, users can connect to the shares on the server using Single
>> Sign On. The "issue" is that if I look under my Active Directory, the
>> server will state that it is a "Domain Controller". Running the usual
>> DC Info tools they seem to think the domain is ok. I would prefer to
>> have the server say Member server, rather than DC :)
>>
>> I would like to send you a screenshot of what "Active Directory Users
>> and Computers" shows but this will be hard to do remotely.
>>
>> Thanks,
>>
>> Pieter
>>
>> P.S. Good work on the AD integration btw, I am using the above for
>> Squid as well and it's pretty neat ! :)
>
Hi Carlos,

My shares are created like normal shares. The only part that changes is
the ref to Domain users. They are "WORK+<USERNAME>", using a previous
naming setup, my user account would be as follows:

WORK+dewitp

So I could have something like:

[dump]
comment=Data Dump
read only=no
browseable=yes
path=/srv/exports/dump
valid users=WORK+user1,WORK+user2

I also noted that if you have ext4 (haven't tried the rest) and you
create user permissions on a folder, it is added as extended attribs -
WELL DONE SAMBA ! :)

HTH,

Pieter
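
An added example, not part of Pieter's message and not Samba code: a small Python check that takes the domain prefix from "workgroup" and "winbind separator" in [global] and reports shares that have no "valid users" line or that list accounts outside the WORK+<USERNAME> form described above. The sample config is constructed; the [open] and [mixed] shares and the function names are hypothetical.

```python
import re

# Constructed sample. [global] and [dump] follow the thread; [open] and [mixed]
# are made up to show a misspelled key and a name with a different separator.
SAMPLE = r"""
[global]
    workgroup = WORK
    winbind separator = +
[dump]
    path = /srv/exports/dump
    valid users = WORK+user1, @"WORK+Domain Users"
[open]
    valid user = WORK+user2
[mixed]
    valid users = WORK+user1 WORK\user3
"""

def parse(text):
    """Minimal smb.conf reader: section -> {parameter: value}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces inside parameter names.
            cur["".join(key.lower().split())] = value.strip()
    return sections

def lint_shares(text):
    """Return {share: [findings]} for shares whose account list needs a look."""
    conf = parse(text)
    glob = conf.pop("global", {})
    prefix = (glob.get("workgroup", "") + glob.get("winbindseparator", "\\")).upper()
    report = {}
    for share, opts in conf.items():
        found = []
        if "validusers" not in opts:
            found.append("no 'valid users': share is not limited to named accounts")
        for token in re.findall(r'(?:"[^"]*"|[^\s,"])+', opts.get("validusers", "")):
            name = token.replace('"', "").lstrip("@+&")  # drop quotes and group markers
            if not name.upper().startswith(prefix):
                found.append(f"{name}: not in {prefix}<name> form")
        if found:
            report[share] = found
    return report
```

Calling lint_shares(SAMPLE) flags [open] and [mixed] and leaves [dump] alone. Samba's own testparm also reports unknown parameter names when it loads the file.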