[Samba] idmap backend = ad and Active Directory 2008R2

Randy Rue randyrue at gmail.com
Wed May 30 09:27:05 MDT 2012


Thank you, this is the kind of feedback I need.

I've tried it with and without the writeable back end, I wasn't clear on
whether it was necessary if all accounts would be in either AD or local
files. I'll put it back.

Similar problem for the rfc2307 line. I've found conflicting advice online:
it appears that the needed directives and their syntax have changed
significantly over the last several versions and when I find a claimed
working example it usually doesn't specify what version it worked with or
when (I can make some guesses from the age of the post).

Tried these changes with no luck. I did see a new error from winbindd in the
syslog on restart, "Cannot find KDC for the requested realm." Realized that
in a previous restore to default I'd rolled back to the example
/etc/krb5.conf file.

On attempting an SSH login with an AD account I still get a string of errors
in syslog beginning with "invalid user," several variations on "error
retrieving information about user," and ending with "Failed password for
invalid user."

Current versions of smb.conf and krb5.conf are:
-------------------------------
/etc/samba/smb.conf:
[global]
   workgroup = FOO
   password server = dc42.foo.org dc52.foo.org dc152.foo.org
   realm = FOO.ORG
   security = ads
   winbind use default domain = true
   winbind offline logon = false
   log file = /var/log/samba/%m.log
   max log size = 100
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   idmap backend = tdb
   idmap uid = 2500-4999
   idmap gid = 2500-4999
   idmap config FOO : default = yes
   idmap config FOO : backend = ad
   idmap config FOO : schema_mode = rfc2307
   idmap config FOO : range = 5000 - 70000
   allow trusted domains = No
   winbind nss info = rfc2307
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes



/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FOO.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = DC42.FOO.ORG:88
  kdc = DC52.FOO.ORG:88
  kdc = DC152.FOO.ORG
  admin_server = dc152.foo.org:749
 }

[domain_realm]
 .foo.org = FOO.ORG
 foo.org = FOO.ORG

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
-------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jonathan Buzzard
Sent: Wednesday, May 30, 2012 5:11 AM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2


On Tue, 2012-05-29 at 15:41 -0700, Randy Rue wrote:

> 
> Can anyone tell me what's wrong with the below file? Or at least
> provide a working example? Is there a complete howto anywhere for SMB3.5
> and AD2008R2?
> 

Yes, for starters where is the default writable backend that is required as
specified in "man idmap_ad"?

You need some lines like the following

idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999

Where those numbers don't overlap with the numbers for your FHCRC domain.

> Hope to hear from you,
> 
> rrue
> seattle
> 
> /etc/samba/smb.conf:
> [global]
>    workgroup = FOO
>    password server = dcx.foo.org dcy.foo.org dcz.foo.org
>    realm = FOO.ORG
>    security = ads
>    winbind use default domain = true
>    winbind offline logon = false
>    log file = /var/log/samba/%m.log
>    max log size = 100
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    dns proxy = no
>    idmap config FOO : default = yes
>    idmap config FOO : backend = ad
>    idmap config FOO : schema_mode = rfc2307
>    idmap config FOO : range = 5000 - 70000
>    allow trusted domains = No
>    winbind enum users = Yes
>    winbind enum groups = Yes
>    winbind nested groups = Yes

I also don't see a "winbind nss info = rfc2307" line either so it is not
clear how the UIDs and GIDs from the AD schema are getting through to
Linux.

Note, for reasons I don't follow, the primary GID of the user is calculated
from the "primaryGroupID" attribute.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
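An added checker (not code from either poster) that applies the two points raised in the reply (a default writable idmap backend and "winbind nss info = rfc2307"), the "don't overlap" rule for the idmap ranges, and the realm mismatch visible in the posted krb5.conf (default_realm FOO.ORG while the [realms] block is still named EXAMPLE.COM, worth ruling out for the "Cannot find KDC" error). The file excerpts below are constructed to match the shape of the thread's files, not copied verbatim.

```python
import re

# Constructed excerpts shaped like the two files in this thread (not copied verbatim).
KRB5_CONF = "[libdefaults]\n default_realm = FOO.ORG\n[realms]\n EXAMPLE.COM = {\n  kdc = DC42.FOO.ORG:88\n }\n"
SMB_CONF = """[global]
   idmap config FOO : backend = ad
   idmap config FOO : schema_mode = rfc2307
   idmap config FOO : range = 5000 - 70000
"""

def check_krb5(text):
    """Flag a default_realm with no matching [realms] block (a leftover EXAMPLE.COM stanza)."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    body = re.search(r"^\s*\[realms\]\s*$(.*?)(?=^\s*\[|\Z)", text, re.M | re.S)
    realms = re.findall(r"^\s*([^\s=]+)\s*=\s*\{", body.group(1) if body else "", re.M)
    if m and m.group(1) not in realms:
        return [f"default_realm {m.group(1)} has no [realms] block; defined: {realms}"]
    return []

def check_smb(text):
    """Apply the two points raised in the reply, plus an idmap range overlap check."""
    findings = []
    if re.search(r"^\s*idmap config \S+\s*:\s*backend\s*=\s*ad\b", text, re.M):
        if not re.search(r"^\s*idmap backend\s*=", text, re.M):
            findings.append("no default writable idmap backend (idmap backend = tdb)")
        if not re.search(r"^\s*winbind nss info\s*=\s*rfc2307", text, re.M):
            findings.append("winbind nss info = rfc2307 missing; AD uid/gid will not reach NSS")
    ranges = {}  # 'default' = idmap uid/gid range; others from idmap config DOM : range
    for m in re.finditer(r"^\s*idmap (?:uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", text, re.M):
        ranges.setdefault("default", (int(m.group(1)), int(m.group(2))))
    for m in re.finditer(r"^\s*idmap config (\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", text, re.M):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    return findings

if __name__ == "__main__":
    for f in check_krb5(KRB5_CONF) + check_smb(SMB_CONF):
        print("FINDING:", f)
```

Run it against the real /etc/krb5.conf and /etc/samba/smb.conf contents to get the same findings for a live host; an empty list from both checks means the realm block and the idmap wiring match what the reply asks for.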

