[Samba] idmap backend = ad and Active Directory 2008R2

Jonathan Buzzard jonathan at buzzard.me.uk
Thu May 31 06:36:01 MDT 2012


This is a working smb.conf from CentOS 6.2 (latest, i.e. 3.5.10-116.el6_2.x86_6),
configured against a Windows 2008R2 domain. Note that we are using GPFS as
our underlying file system together with CTDB. All I have changed are the names.

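[global]
        netbios name = NEMO
        security = ads
        workgroup = MYDOMAIN
        realm = MYDOMAIN.MEGACORP.COM
# "*" lets the DC be located by DNS/AD lookup instead of pinning one host
        password server = *
        preferred master = no
        encrypt passwords = yes
# Kerberos keys come from secrets.tdb only (no system keytab is consulted)
        kerberos method = secrets only

# general options
        vfs objects = shadow_copy2 fileid gpfs
        unix extensions = no
        mangled names = no
        case sensitive = no
# a logon naming an unknown/untrusted domain is retried against the workgroup
# domain rather than being treated as a local account
        map untrusted to domain = yes
# 0 = never disconnect idle clients
        deadtime = 0
        log level = 1
# %I = client IP address, so each client gets its own log file
        log file = /var/log/samba/%I.log
# kilobytes
        max log size = 100
# smb.conf does not wrap values across lines; the whole option must be one line.
# NOTE(review): fixed SO_RCVBUF/SO_SNDBUF override kernel buffer autotuning;
# consider dropping them on current kernels -- measure before keeping.
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE

# store DOS attributes in extended attributes (vfs_gpfs then stores them in
# the file system)
        ea support = yes
        store dos attributes = yes
        map readonly = no
        map archive = no
        map system = no

# the ctdb clustering and GPFS stuff
        clustering = yes
# NOTE(review): the ctdb socket is placed under the world-writable /tmp here;
# confirm it matches ctdbd's configured socket path on every node and that the
# socket's ownership/mode restrict it to root -- TODO confirm
        ctdbd socket = /tmp/ctdb.socket
        fileid : algorithm = fsname
        gpfs : sharemodes = yes
        gpfs : winattr = yes
        force unknown acl user = yes
        nfs4 : mode = special
        nfs4 : chown = no
        nfs4 : acedup = merge

# enable shadow copies
        shadow : snapdir = /nemo/.snapshots
        shadow : basedir = /nemo
        shadow : fixinodes = yes

# silence warnings about CUPS
        printing = bsd
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw

# stuff necessary for guest logins to work where required
        guest account = nobody
# only logons with a username that does not exist fall back to the guest
# account; a wrong password for an existing user is still rejected
        map to guest = bad user

# fake the dfree information to match the fileset quota if it exists
# seconds
        dfree cache time = 15
# the script's output is trusted as-is: keep it root-owned and non-writable
# by other users
        dfree command = /var/lib/samba/scripts/mmdfree

# deal with NSS and the whole UID/SID id mapping stuff
# default (tdb) mapping for SIDs outside MYDOMAIN, e.g. BUILTIN; this range must
# not overlap the MYDOMAIN range below
        idmap backend = tdb
        idmap uid = 2000000 - 2999999
        idmap gid = 2000000 - 2999999
# MYDOMAIN ids are read from the AD rfc2307 attributes (uidNumber/gidNumber)
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : readonly = yes
        idmap config MYDOMAIN : range = 500 - 1999999
# seconds (604800 = 7 days)
        idmap cache time = 604800
        idmap negative cache time = 20
# seconds
        winbind cache time = 600
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
# NOTE(review): enumeration lets getpwent/getgrent walk the whole domain, which
# is slow on large domains and lists every domain user to any local account;
# leave it off unless something on the host needs it
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = no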

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



