[Samba] W2k8r2 and samba 3 integration
rowlandpenny at googlemail.com
Wed Dec 4 04:33:35 MST 2013
On 04/12/13 10:59, steve wrote:
> On Wed, 2013-12-04 at 10:38 +0000, paul harford wrote:
>> Hi Samba users
>> We have a Samba 3 system we use as a NAS for a Windows AD setup but we are
>> having serious issues with the AD integration.
> Have you joined the NAS to the domain? Do you have a keytab on the NAS
> which contains its machine key?
>> Has anyone any tips or tricks for the AD Windows 2008r2/Samba integration?
>> We basically can't add groups or users to the share from the AD DC. We just
>> get access denied even if we make the domain admins and current user the
>> owner of the share. We have tried various configs and the below seems to
>> get us part of the way.
> Not sure if I understand. You would add files to a share. Not users or
> groups. Do you mean that you wish only certain users or groups to access
> the files in the share?
> If so, which share? Your config doesn't seem to have any shares which
> users would access.
>> I would appreciate any suggestions from you guys :-)
> Which version of Samba do you have on the NAS? I think the first thing
> we must do is get the NAS properly joined to the domain but almost
> certainly we'll have to revise your smb.conf.
> HTH. To get us started at least.
>> log file = /var/log/samba/log.%m
>> winbind nss info = rfc2307
>> load printers = yes
>> idmap gid = 10000-30000
>> # winbind trusted domains only = yes
>> encrypt passwords = yes
>> realm = "DOMAIN removed for security reasons"
>> # winbind use default domain = yes
>> passdb backend = tdbsam
>> cups options = raw
>> netbios name = sfnas02
>> server string = Samba Server Version %v
>> idmap uid = 10000-30000
>> workgroup = "DOMAIN removed for security reasons"
>> os level = 20
>> security = ADS
>> max log size = 50
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nested groups = Yes
>> vfs objects = acl_xattr
>> acl_xattr:ignore system acls = yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> acl group control = Yes
>> acl map full control = Yes

Hi, I am with Steve here, more info needed. It would seem that your
Samba 3 is either very old or set up incorrectly; for instance, with a
late 3.6 setup I would expect the winbind part to look similar to this:

    winbind enum groups = yes
    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 10000-30000
    idmap config DOMAIN:backend = ad
    idmap config *:range = 1100-2000
    idmap config *:backend = tdb

With this and uidNumbers & gidNumbers in AD, the AD users and groups
should be able to connect.
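
An added example, not part of the original thread: a small Python check for an smb.conf fragment that flags the older `idmap uid` / `idmap gid` parameters and any overlap between `idmap config` ranges, since overlapping ranges let two different identities map to the same uid or gid. The function names and the sample text are assumptions made for illustration; DOMAIN is the placeholder used in the reply.

```python
import re

# Constructed sample: idmap lines from the reply plus the older "idmap uid" form.
SAMPLE = """\
idmap uid = 10000-30000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-30000
idmap config DOMAIN:backend = ad
idmap config *:range = 1100-2000
idmap config *:backend = tdb
"""

LEGACY = {"idmap uid", "idmap gid"}  # deprecated in favour of "idmap config * : range"
IDMAP_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\w+)$", re.IGNORECASE)

def parse(text):
    """Return (legacy parameters seen, {domain: {option: value}})."""
    legacy, domains = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # collapse internal whitespace
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif key.lower() in LEGACY:
            legacy.append(key.lower())
    return legacy, domains

def check(text):
    """Return a list of findings for an smb.conf fragment."""
    legacy, domains = parse(text)
    findings = [f"deprecated parameter: {name}" for name in legacy]
    ranges = []
    for dom, opts in sorted(domains.items()):
        if "range" not in opts:
            findings.append(f"{dom}: no idmap range set")
            continue
        low, high = (int(n) for n in opts["range"].split("-"))
        ranges.append((low, high, dom))
    ranges.sort()
    for (_, high_a, dom_a), (low_b, _, dom_b) in zip(ranges, ranges[1:]):
        if low_b <= high_a:
            findings.append(f"overlapping ranges: {dom_a} and {dom_b}")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE))
```
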