[Samba] W2k8r2 and samba 3 integration

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 4 04:33:35 MST 2013


On 04/12/13 10:59, steve wrote:
> On Wed, 2013-12-04 at 10:38 +0000, paul harford wrote:
>> Hi Samba users
>> we have a samba 3 system we use as a NAS for a windows AD setup but we are
>> having serious issues with the ad integration.
> Hi
> Have you joined the NAS to the domain? Do you have a keytab on the NAS
> which contains its machine key?
>> has anyone any tips or tricks for the AD windows 2008r2 / samba integration ?
>>
>> We basically can't add groups or users to the share from the AD DC. We just
>> get access denied even if we make the domain admins and current user the
>> owner of the share. We have tried various configs and the below seems to
>> get us part of the way.
> Not sure if I understand. You would add files to a share. Not users or
> groups. Do you mean that you wish only certain users or groups to access
> the files in the share?
>
> If so, which share? Your config doesn't seem to have any shares which
> users would access.
>> I would appreciate any suggestions from you guys :-)
> Which version of samba do you have on the NAS? I think the first thing
> we must do is get the NAS properly joined to the domain but almost
> certainly we'll have to revise your smb.conf
>
> HTH. To get us started at least.
> Steve
>
>
>
>> [global]
>>          log file = /var/log/samba/log.%m
>>          winbind nss info = rfc2307
>>          load printers = yes
>>          idmap gid = 10000-30000
>> #       winbind trusted domains only = yes
>>          encrypt passwords = yes
>>          realm = "DOMAIN removed for security reasons"
>> #       winbind use default domain = yes
>>          passdb backend = tdbsam
>>          cups options = raw
>>          netbios name = sfnas02
>>          server string = Samba Server Version %v
>>          idmap uid = 10000-30000
>>          workgroup = "DOMAIN removed for security reasons"
>>          os level = 20
>>          security = ADS
>>          max log size = 50
>>          winbind enum users = yes
>>          winbind enum groups = yes
>>          winbind nested groups = Yes
>>          vfs objects = acl_xattr
>>          acl_xattr:ignore system acls = yes
>>          map acl inherit = Yes
>>          store dos attributes = Yes
>>          acl group control = Yes
>>          acl map full control = Yes
>
Hi, I am with Steve here, more info needed. It would seem that your 
samba 3 is either very old or set up incorrectly; for instance, with a 
late 3.6 setup I would expect the winbind part to look similar to this:

         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind offline logon = yes
         winbind normalize names = Yes
         idmap config DOMAIN:schema_mode = rfc2307
         idmap config DOMAIN:range = 10000-30000
         idmap config DOMAIN:backend = ad
         idmap config *:range = 1100-2000
         idmap config *:backend = tdb

With this and uidNumbers & gidNumbers in AD, the AD users and groups 
should be able to connect.

Rowland
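The difference between the two configs in this thread is easy to miss by eye: the original uses the old global `idmap uid` / `idmap gid` ranges and sets `winbind nss info = rfc2307` without any per-domain `idmap config DOMAIN:backend = ad`, so the rfc2307 uidNumber/gidNumber lookup never happens and there is no default backend for BUILTIN SIDs. The script below is an added example (not Samba's code and not from any poster in this thread) that parses the `[global]` section of an smb.conf and flags exactly those issues, plus overlapping idmap ranges. The realm and domain `EXAMPLE.COM` / `EXAMPLE` in the embedded fragments are constructed placeholders for the values the original poster redacted; the checks assume the config is meant for an AD domain member (`security = ADS`).

```python
"""smb.conf winbind/idmap sanity checker (added example, not Samba's own code).

Parses the [global] section of an smb.conf and flags the idmap problems
discussed in the thread: legacy global 'idmap uid/gid' ranges,
'winbind nss info = rfc2307' without 'idmap config DOMAIN:backend = ad',
a missing default ('*') idmap backend, and overlapping idmap ranges.
"""
import re

# Constructed fragments; EXAMPLE.COM / EXAMPLE stand in for the redacted domain.
OLD_STYLE = """
[global]
    security = ADS
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    winbind nss info = rfc2307
    idmap uid = 10000-30000
    idmap gid = 10000-30000
"""

NEW_STYLE = """
[global]
    security = ADS
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    winbind use default domain = yes
    winbind nss info = rfc2307
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-30000
    idmap config EXAMPLE:backend = ad
    idmap config *:range = 1100-2000
    idmap config *:backend = tdb
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are lower-cased and
    whitespace-normalised because Samba treats them case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip().strip('"')
    return sections


def _range(value):
    lo, _, hi = value.partition("-")
    return int(lo), int(hi)


def idmap_domains(global_params):
    """Collect 'idmap config DOM:option' lines into {DOM: {option: value}}."""
    domains = {}
    for key, value in global_params.items():
        m = re.match(r"idmap config (?P<dom>[^:]+):(?P<opt>.+)", key)
        if m:
            domains.setdefault(m.group("dom").upper(), {})[m.group("opt")] = value.lower()
    return domains


def check_winbind_idmap(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be ADS for an AD domain member")
    if not g.get("realm"):
        findings.append("realm is not set")
    if "idmap uid" in g or "idmap gid" in g:
        findings.append("legacy 'idmap uid/gid' in use; use 'idmap config *:range' "
                        "and 'idmap config DOMAIN:range' instead")
    domains = idmap_domains(g)
    wg = g.get("workgroup", "").upper() or "DOMAIN"
    if g.get("winbind nss info", "").lower() == "rfc2307" \
            and domains.get(wg, {}).get("backend") != "ad":
        findings.append("'winbind nss info = rfc2307' has no effect without "
                        "'idmap config %s:backend = ad'" % wg)
    default = domains.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("no default 'idmap config *:backend/range' for BUILTIN "
                        "and well-known SIDs")
    ranges = [(n, _range(c["range"])) for n, c in domains.items() if "range" in c]
    for i, (n1, r1) in enumerate(ranges):          # pairwise overlap check
        for n2, r2 in ranges[i + 1:]:
            if r1[0] <= r2[1] and r2[0] <= r1[1]:
                findings.append("idmap ranges for %s and %s overlap" % (n1, n2))
    return findings


if __name__ == "__main__":
    for name, conf in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        print(name, "->", check_winbind_idmap(conf) or "OK")
```

Run it as-is to see the three findings against the old-style fragment and a clean result for the idmap-config style Rowland shows; point `check_winbind_idmap` at the contents of a real smb.conf to lint it the same way. It deliberately checks only the `[global]` idmap lines, not whether the host is actually joined or whether uidNumber/gidNumber are populated in AD, which is what `net ads testjoin` and `wbinfo -u` / `getent passwd` are for.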


