[Samba] W2k8r2 and samba 3 integration

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 4 04:45:37 MST 2013


On 04/12/13 11:40, paul harford wrote:
> Hi Rowland
> Thanks for your reply, I did play around with a similar config (see
> below in email) but it didn't seem to make much difference. Which is
> why I reverted to the one I included; it seemed to allow me to do more
> but not everything I needed.
>
> When I do wbinfo -u and -g all looks good; when I do getent passwd I
> can see all the users and the same for groups.
>
>
> At the moment we just have a test share but basically there will be
> user shares on the NAS and we want to restrict the share to certain
> users and groups etc.
>
>
>
>
> [global]
>         workgroup = Domain Name
>         security = ADS
>         realm = Domain Name.int
>         encrypt passwords = yes
>
>         idmap config *:backend = tdb
>         idmap config *:range = 70001-80000
>         idmap config Domain Name:backend = ad
>         idmap config Domain Name:schema_mode = rfc2307
>         idmap config Domain Name:range = 500-40000
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind enum users  = yes
>         winbind enum groups = yes
>
>         log file = /var/log/samba/log.%m
> #       passdb backend = tdbsam
>         netbios name = system name
>         server string = Samba Server Version %v
>         os level = 20
>         max log size = 50
>
>
>
>
>
> On 4 December 2013 11:33, Rowland Penny <rowlandpenny at googlemail.com 
> <mailto:rowlandpenny at googlemail.com>> wrote:
>
>     On 04/12/13 10:59, steve wrote:
>
>         On Wed, 2013-12-04 at 10:38 +0000, paul harford wrote:
>
>             Hi Samba users
>             We have a Samba 3 system we use as a NAS for a Windows AD
>             setup but we are
>             having serious issues with the AD integration.
>
>         Hi
>         Have you joined the NAS to the domain? Do you have a keytab on
>         the NAS
>         which contains its machine key?
>
>             Has anyone any tips or tricks for the AD Windows 2008r2/
>             Samba integration?
>
>             We basically can't add groups or users to the share from
>             the AD DC. We just
>             get access denied even if we make the domain admins and
>             current user the
>             owner of the share. We have tried various configs and the
>             below seems to
>             get us part of the way.
>
>         Not sure if I understand. You would add files to a share. Not
>         users or
>         groups. Do you mean that you wish only certain users or groups
>         to access
>         the files in the share?
>
>         If so, which share? Your config doesn't seem to have any
>         shares which
>         users would access.
>
>             I would appreciate any suggestions for you guys :-)
>
>         Which version of samba do you have on the NAS? I think the
>         first thing
>         we must do is get the NAS properly joined to the domain but almost
>         certainly we'll have to revise your smb.conf
>
>         HTH. To get us started at least.
>         Steve
>
>
>
>             [global]
>                      log file = /var/log/samba/log.%m
>                      winbind nss info = rfc2307
>                      load printers = yes
>                      idmap gid = 10000-30000
>             #       winbind trusted domains only = yes
>                      encrypt passwords = yes
>                      realm = "DOMAIN removed for security reasons"
>             #       winbind use default domain = yes
>                      passdb backend = tdbsam
>                      cups options = raw
>                      netbios name = sfnas02
>                      server string = Samba Server Version %v
>                      idmap uid = 10000-30000
>                      workgroup = "DOMAIN removed for security reasons"
>                      os level = 20
>                      security = ADS
>                      max log size = 50
>                      winbind enum users = yes
>                      winbind enum groups = yes
>
>                      winbind nested groups = Yes
>                      vfs objects = acl_xattr
>                      acl_xattr:ignore system acls = yes
>                      map acl inherit = Yes
>                      store dos attributes = Yes
>                      acl group control = Yes
>                      acl map full control = Yes
>
>
>     Hi, I am with Steve here, more info needed. It would seem that
>     your Samba 3 is either very old or set up incorrectly; for instance,
>     with a late 3.6 setup I would expect the winbind part to look
>     similar to this:
>
>
>             winbind enum groups = yes
>             winbind use default domain = yes
>             winbind expand groups = 4
>
>             winbind nss info = rfc2307
>             winbind refresh tickets = Yes
>             winbind offline logon = yes
>             winbind normalize names = Yes
>             idmap config DOMAIN:schema_mode = rfc2307
>             idmap config DOMAIN:range = 10000-30000
>             idmap config DOMAIN:backend = ad
>             idmap config *:range = 1100-2000
>             idmap config *:backend = tdb
>
>     With this and uidNumbers & gidNumbers in AD, the AD users and
>     groups should be able to connect.
>
>     Rowland
>
>
Can you please tell us what version of samba you are using (smbd -V)
and also post a (sanitized) getent for a user?

Rowland
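
An added example, not part of the original thread: one way to cross-check the `idmap config` ranges posted above against a user's `getent passwd` line, since the `ad` backend only maps uidNumber/gidNumber values that fall inside its configured range. The `DOMAIN` placeholder, the sample getent line and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample: idmap lines as posted in the thread, with the
# redacted domain written as the placeholder DOMAIN.
SAMPLE_CONF = """\
[global]
    security = ADS
    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 500-40000
"""
# Constructed, sanitized `getent passwd <user>` output (not from the thread).
SAMPLE_GETENT = "jbloggs:*:10001:10000:Joe Bloggs:/home/jbloggs:/bin/bash"

def parse_idmap(conf_text):
    """Return {domain: {option: value}} from 'idmap config DOM:opt = val' lines."""
    domains = {}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = re.fullmatch(r"idmap config\s+(.+?)\s*:\s*(.+?)\s*", key, re.I)
        if sep and m:  # comments and section headers never match the pattern
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = value.strip()
    return domains

def check_idmap(conf_text, getent_line):
    """Return findings (strings) for overlapping ranges and a user's uid/gid."""
    domains = parse_idmap(conf_text)
    ranges = {d: tuple(int(n) for n in o["range"].split("-"))
              for d, o in domains.items() if "range" in o}
    findings = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    fields = getent_line.strip().split(":")
    for label, num in (("uid", int(fields[2])), ("gid", int(fields[3]))):
        owners = [d for d, (lo, hi) in ranges.items() if lo <= num <= hi]
        if not owners:
            findings.append(f"{label} {num} is outside every idmap range")
        elif all(domains[d].get("backend") != "ad" for d in owners):
            findings.append(f"{label} {num} is in the {owners[0]} range, not an ad-backed one")
    return findings

if __name__ == "__main__":
    print(check_idmap(SAMPLE_CONF, SAMPLE_GETENT) or "no findings")
```

An empty result means the ranges are disjoint and the user's uid and primary gid both fall inside a range served by the `ad` backend.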


