[Samba] idmap backend = ad and Active Directory 2008R2
Randy Rue
randyrue at gmail.com
Wed May 30 09:27:05 MDT 2012
Thank you, this is the kind of feedback I need.
I've tried it with and without the writeable back end, I wasn't clear on
whether it was necessary if all accounts would be in either AD or local
files. I'll put it back.
Similar problem for the rfc2307 line. I've found conflicting advice online:
it appears that the needed directives and their syntax have changed
significantly over the last several versions and when I find a claimed
working example it usually doesn't specify what version it worked with or
when (I can make some guesses from the age of the post).
Tried these changes with no luck. I did see a new error from winbindd in the
syslog on restart, "Cannot find KDC for the requested realm." Realized that
in a previous restore to default I'd rolled back to the example
/etc/krb5.conf file.
On attempting an SSH login with an AD account I still get a string of errors
in syslog beginning with "invalid user," several variations on "error
retrieving information about user," and ending with "Failed password for
invalid user."
Current versions of smb.conf and krb5.conf are:
-------------------------------
/etc/samba/smb.conf:
[global]
workgroup = FOO
password server = dc42.foo.org dc52.foo.org dc152.foo.org
realm = FOO.ORG
security = ads
winbind use default domain = true
winbind offline logon = false
log file = /var/log/samba/%m.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap backend = tdb
idmap uid = 2500-4999
idmap gid = 2500-4999
idmap config FOO : default = yes
idmap config FOO : backend = ad
idmap config FOO : schema_mode = rfc2307
idmap config FOO : range = 5000 - 70000
allow trusted domains = No
winbind nss info = rfc2307
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FOO.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = DC42.FOO.ORG:88
kdc = DC52.FOO.ORG:88
kdc = DC152.FOO.ORG
admin_server = dc152.foo.org:749
}
[domain_realm]
.foo.org = FOO.ORG
foo.org = FOO.ORG
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
-------------------------------
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jonathan Buzzard
Sent: Wednesday, May 30, 2012 5:11 AM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2
On Tue, 2012-05-29 at 15:41 -0700, Randy Rue wrote:
>
> Can anyone tell me what's wrong with the below file? Or at least
> provide a working example? Is there a complete howto anywhere for SMB3.5
> and AD2008R2?
>
Yes, for starters where is the default writable backend that is required as
specified in "man idmap_ad"?
You need some lines like the following
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
Where those numbers don't overlap with the numbers for your FHCRC domain.
> Hope to hear from you,
>
> rrue
> seattle
>
> /etc/samba/smb.conf:
> [global]
> workgroup = FOO
> password server = dcx.foo.org dcy.foo.org dcz.foo.org
> realm = FOO.ORG
> security = ads
> winbind use default domain = true
> winbind offline logon = false
> log file = /var/log/samba/%m.log
> max log size = 100
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> idmap config FOO : default = yes
> idmap config FOO : backend = ad
> idmap config FOO : schema_mode = rfc2307
> idmap config FOO : range = 5000 - 70000
> allow trusted domains = No
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
I also don't see a "winbind nss info = rfc2307" line either so it is not
clear how the UIDs and GIDs from the AD schema are getting through to
Linux.
Note for reasons I don't follow the primary GID of the user is calculated
from the "primaryGroupID" attribute.
JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
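A small consistency check for the two files discussed in this thread, added here as an example and not code from either poster: it flags a domain idmap range that overlaps the default tdb range (Jonathan's first point), a missing "winbind nss info = rfc2307" (his second), and a default_realm that has no matching stanza under [realms] in krb5.conf (the krb5.conf posted above defines EXAMPLE.COM while default_realm is FOO.ORG, which is consistent with the "Cannot find KDC for the requested realm" message). The embedded sample configs are constructed from the ones posted above.

```python
import re
# Constructed samples, trimmed from the smb.conf and krb5.conf posted above.
SMB_CONF = """[global]
idmap backend = tdb
idmap uid = 2500-4999
idmap config FOO : backend = ad
idmap config FOO : schema_mode = rfc2307
idmap config FOO : range = 5000 - 70000
winbind nss info = rfc2307
"""
KRB5_CONF = """[libdefaults]
default_realm = FOO.ORG
dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
  kdc = DC42.FOO.ORG:88
}
"""

def parse_kv(text):
    """Flatten 'key = value' lines into a dict (keys lowercased, spaces collapsed)."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            k, v = line.split("=", 1)
            conf[re.sub(r"\s+", " ", k.strip().lower())] = v.strip()
    return conf

def realm_stanzas(krb5_text):
    """Names of the 'REALM = { ... }' blocks inside the [realms] section only."""
    sec = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", krb5_text, re.M | re.S)
    return {r.upper() for r in re.findall(r"^\s*([\w.\-]+)\s*=\s*\{", sec.group(1), re.M)} if sec else set()

def audit(smb_text, krb5_text, domain):
    smb, krb, findings = parse_kv(smb_text), parse_kv(krb5_text), []
    key = f"idmap config {domain.lower()} :"
    if "idmap backend" not in smb or "idmap uid" not in smb:
        findings.append("no default writable idmap backend/range (see man idmap_ad)")
    elif f"{key} range" in smb:  # the domain range must not overlap the default one
        dlo, dhi = map(int, re.split(r"\s*-\s*", smb["idmap uid"]))
        lo, hi = map(int, re.split(r"\s*-\s*", smb[f"{key} range"]))
        if lo <= dhi and dlo <= hi:
            findings.append(f"{domain} range {lo}-{hi} overlaps default range {dlo}-{dhi}")
    if smb.get(f"{key} schema_mode") == "rfc2307" and smb.get("winbind nss info") != "rfc2307":
        findings.append("schema_mode = rfc2307 but 'winbind nss info = rfc2307' is missing")
    realm = krb.get("default_realm", "").upper()
    if realm and realm not in realm_stanzas(krb5_text):
        hint = " (dns_lookup_kdc = true may still locate a KDC via DNS)" if krb.get("dns_lookup_kdc", "").lower() == "true" else ""
        findings.append(f"no [realms] stanza for default_realm {realm}{hint}")
    return findings
```

Run audit(SMB_CONF, KRB5_CONF, "FOO") to see the realm finding alone; point it at the real files to check a host before restarting winbindd.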