[Samba] W2k8r2 and samba 3 integration
Rowland Penny
rowlandpenny at googlemail.com
Wed Dec 4 04:45:37 MST 2013
On 04/12/13 11:40, paul harford wrote:
> Hi Rowland
> Thanks for your reply, I did play around with a similar config (see
> below in email) but it didn't seem to make much difference. Which is
> why I reverted to the one I included; it seemed to allow me to do more
> but not everything I needed.
>
> When I do wbinfo -u and -g all looks good; when I do getent passwd I
> can see all the users and the same for groups.
>
>
> At the moment we just have a test share but basically there will be
> user shares on the NAS and we want to restrict the share to certain
> users and groups etc
>
>
>
>
> [global]
>
> workgroup = Domain Name
>
> security = ADS
> realm = Domain Name.int
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config Domain Name:backend = ad
> idmap config Domain Name:schema_mode = rfc2307
> idmap config Domain Name:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> log file = /var/log/samba/log.%m
> # passdb backend = tdbsam
> netbios name = system name
> server string = Samba Server Version %v
> os level = 20
> max log size = 50
>
>
>
>
>
> On 4 December 2013 11:33, Rowland Penny <rowlandpenny at googlemail.com
> <mailto:rowlandpenny at googlemail.com>> wrote:
>
> On 04/12/13 10:59, steve wrote:
>
> On Wed, 2013-12-04 at 10:38 +0000, paul harford wrote:
>
> Hi Samba users
> we have a samba 3 system we use as a NAS for a windows AD
> setup but we are
> having serious issues with the ad integration.
>
> Hi
> Have you joined the NAS to the domain? Do you have a keytab on
> the NAS
> which contains its machine key?
>
> has anyone any tips or trick for the AD windows 2008r2/
> samba integration ?
>
> we basically can't add groups or users to the share from
> the AD dc. we just
> get access denied even if we make the domain admins and
> current user the
> owner of the share. we have tried various configs and the
> below seems to
> get us part of the way.
>
> Not sure if I understand. You would add files to a share. Not
> users or
> groups. Do you mean that you wish only certain users or groups
> to access
> the files in the share?
>
> If so, which share? Your config doesn't seem to have any
> shares which
> users would access.
>
> i would appreciate any suggestions for you guys :-)
>
> Which version of samba do you have on the NAS? I think the
> first thing
> we must do is get the NAS properly joined to the domain but almost
> certainly we'll have to revise your smb.conf
>
> HTH. To get us started at least.
> Steve
>
>
>
> [global]
> log file = /var/log/samba/log.%m
> winbind nss info = rfc2307
> load printers = yes
> idmap gid = 10000-30000
> # winbind trusted domains only = yes
> encrypt passwords = yes
> realm = "DOMAIN removed for security reasons"
> # winbind use default domain = yes
> passdb backend = tdbsam
> cups options = raw
> netbios name = sfnas02
> server string = Samba Server Version %v
> idmap uid = 10000-30000
> workgroup = "DOMAIN removed for security reasons"
> os level = 20
> security = ADS
> max log size = 50
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind nested groups = Yes
> vfs objects = acl_xattr
> acl_xattr:ignore system acls = yes
> map acl inherit = Yes
> store dos attributes = Yes
> acl group control = Yes
> acl map full control = Yes
>
>
> Hi, I am with Steve here, more info needed, it would seem that
> your samba 3 is either very old or setup incorrectly, for instance
> with a late 3.6 setup I would expect the winbind part to look
> similar to this:
>
>
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
>
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-30000
> idmap config DOMAIN:backend = ad
> idmap config *:range = 1100-2000
> idmap config *:backend = tdb
>
> With this and uidNumber's & gidNumber's in AD, the AD users and
> groups should be able to connect.
>
> Rowland
>
>
>
>
Can you please tell us what version of samba you are using (smbd -V)
and also post a (sanitized) getent for a user?
Rowland
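
An added example, not part of the original message or of Samba itself: a small Python check that reads the `idmap config` lines in the form quoted in this thread, confirms the ID ranges do not overlap, and reports which configured range the UID and GID of a `getent passwd` entry fall in. The sample config reuses the ranges from the suggestion quoted above; the user `jbloggs` and all function names are constructed for illustration.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(.+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf_text):
    """Return {domain: {"backend": ..., "range": (low, high), ...}} from idmap config lines."""
    domains = {}
    for line in smb_conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):      # skip commented-out parameters
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains

def overlapping(domains):
    """Return pairs of domains whose ID ranges overlap; idmap ranges must be disjoint."""
    items = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    return [(a, b) for i, (a, ra) in enumerate(items) for b, rb in items[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def classify(getent_line, domains):
    """Return (uid, gid, uid_domain, gid_domain); None means no configured range covers the ID."""
    fields = getent_line.strip().split(":")
    uid, gid = int(fields[2]), int(fields[3])
    def owner(n):
        for d, e in domains.items():
            if "range" in e and e["range"][0] <= n <= e["range"][1]:
                return d
        return None
    return uid, gid, owner(uid), owner(gid)

# Constructed sample input: idmap lines as suggested in the thread, and a made-up getent entry.
SAMPLE_CONF = """\
[global]
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-30000
idmap config DOMAIN:backend = ad
idmap config *:range = 1100-2000
idmap config *:backend = tdb
"""
SAMPLE_GETENT = "jbloggs:*:10001:10000:Joe Bloggs:/home/jbloggs:/bin/bash"

if __name__ == "__main__":
    d = parse_idmap(SAMPLE_CONF)
    print("overlaps:", overlapping(d), "entry:", classify(SAMPLE_GETENT, d))
```

An ID reported with no owning range, or one landing in the `*` range for a domain user, points at a mismatch between the `idmap config` ranges and the uidNumber/gidNumber values stored in AD.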