[Samba] W2k8r2 and samba 3 integration

steve steve at steve-ss.com
Wed Dec 4 08:10:27 MST 2013


On Wed, 2013-12-04 at 13:44 +0000, paul harford wrote:
> Hi Steve
> 
> I've just noticed after making the changes you mentioned that getent
> passwd doesn't return the list of domain users now, and neither does
> getent groups
> 
> 
> wbinfo -u and -g both still return the list of domain users and
> groups
> 
> 
> Paul
> 
> 

Hi Paul
OK. This sounds familiar ;)

We need to get the rfc2307 attributes into AD so that winbind can access
them with the configuration that Rowland posted. You _can_ do it
otherwise, but on this list we usually come back to concluding that
rfc2307 in AD is the best way to go.

Fortunately, you already have what you need in your R2 DC. Pull up a
user, say paul, on ADUC on the DC and you'll see a 'Unix' tab. Now do a:
wbinfo -i paul using Rowland's smb.conf. It may look something like
this:
 
  DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false

Now take the 3000091 and stick it in the uid field for paul on the Unix
tab.

For us, I gave Domain\ Users a gid of 20513.

This should give you an idea of what we mean by getting rfc2307 into
AD. 

The next question is how many users would you need to do this for. If
it's a lot, then it may be better to join a Samba4 DC say on a VM to the
R2 box and script it using ldbmodify from the output of wbinfo. If it's
only a few, then an hour or so's typing would get you there.

HTH
Steve

> 
> On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
>         On Wed, 2013-12-04 at 11:04 +0000, paul harford wrote:
>         > Hi Steve
>         > Yes the NAS is joined to the domain. When I do wbinfo -u and
>         > -g all looks good; when I do getent passwd I can see all the
>         > users and the same for groups.
>         >
>         >
>         > I didn't stick up the share config but it's listed below
>         >
>         >
>         > [tshare]
>         >         valid users = @"Domain removed\domain admins",@"Domain removed\domain users"
>         >         path = /testpool/tshare
>         >         write list = @"Domain removed\domain admins",@"Domain removed\domain users"
>         >
>         >
>         > This was just a test share, but basically there will be user
>         > shares on the NAS and we want to restrict the shares to certain
>         > users and groups etc.
>         >
>         >
>         > I haven't heard of the keytab before, can you explain?
>         >
>         
>         >
>         > Thanks for the response its appreciated
>         >
>         >
>         > Paul
>         
>         
>         Hi
>         Phew. AD, Kerberos and keytabs would need a whole book to
>         describe, but basically, with Kerberos, not only does the user
>         have to prove himself, but also the machine on which he is
>         working has to too. Hence the keytab, which must contain the
>         machine key. This can be produced when the machine is joined to
>         the domain or, if you forgot, afterwards as outlined below.
>         
>         Add to smb.conf:
>         kerberos method = system keytab
>         
>         now issue:
>         net ads keytab create -UAdministrator
>         and enter the windows Administrator password
>         
>         That should get us to the next stage or give errors which will
>         help us further.
>         
>         Meanwhile, what does
>         /etc/krb5.conf
>         look like?
>         
>         Cheers,
>         Steve
>         
>         
> 
> 

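Steve's suggestion of scripting ldbmodify from the output of wbinfo, written out as an added example. This is not code from the thread, from Rowland or from the Samba project; it is an illustration of the idea. It assumes a Samba4 DC joined to the R2 domain reachable as dc.example.com, the domain Administrator account, user DNs found by ldbsearch on sAMAccountName, and the gid 20513 for Domain Users that Steve chose; the sample `wbinfo -i` line at the bottom is constructed so the conversion can be seen without a domain.

```shell
#!/bin/sh
# Added example, not code from the thread. It turns the passwd-style line
# printed by "wbinfo -i <user>" into an LDIF "changetype: modify" block that
# sets the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory,
# loginShell) on the user's AD object, so a whole domain can be done with
# ldbmodify instead of typing into the Unix tab in ADUC.
#
# Assumed (not in the original post): the DC is dc.example.com, the admin
# account is Administrator, and ldbsearch finds each user by sAMAccountName.

# wbinfo_to_ldif LINE DN
#   LINE: one line of "wbinfo -i" output, e.g.
#         DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false
#   DN:   distinguished name of that user's AD object
# Prints the LDIF modify; returns 1 if uid or gid is not numeric, so an
# entry winbind could not map never reaches the DC.
wbinfo_to_ldif() {
  line=$1
  dn=$2
  uid=$(printf '%s\n' "$line" | cut -d: -f3)    # winbind-allocated uid
  gid=$(printf '%s\n' "$line" | cut -d: -f4)    # primary gid (Domain Users = 20513 here)
  home=$(printf '%s\n' "$line" | cut -d: -f6)
  shell=$(printf '%s\n' "$line" | cut -d: -f7)
  case $uid in ''|*[!0-9]*) return 1 ;; esac
  case $gid in ''|*[!0-9]*) return 1 ;; esac
  # "replace" creates the attribute when absent and overwrites it when
  # present, so the generated LDIF can be applied more than once safely.
  printf 'dn: %s\nchangetype: modify\n' "$dn"
  printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
  printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
  printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
  printf 'replace: loginShell\nloginShell: %s\n-\n' "$shell"
  printf '\n'
}

# user_dn NAME: look the user's DN up on the DC by sAMAccountName
# (assumed host and account; ldbsearch prints "dn: ..." in LDIF form).
user_dn() {
  ldbsearch -H ldap://dc.example.com -UAdministrator \
    "(sAMAccountName=$1)" dn | sed -n 's/^dn: //p'
}

# all_users_ldif: one modify block per domain user, on stdout.
# Feed the result to: ldbmodify -H ldap://dc.example.com -UAdministrator
all_users_ldif() {
  wbinfo -u | while IFS= read -r user; do
    name=${user#*\\}                  # drop the DOMAIN\ prefix if present
    dn=$(user_dn "$name")
    [ -n "$dn" ] || { echo "no DN for $user" >&2; continue; }
    wbinfo_to_ldif "$(wbinfo -i "$user")" "$dn" \
      || echo "unresolved uid/gid for $user, skipped" >&2
  done
}

# Constructed sample line so the conversion can be seen without a domain:
SAMPLE='DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false'
wbinfo_to_ldif "$SAMPLE" 'CN=paul,CN=Users,DC=example,DC=com'
```

Run `all_users_ldif > users.ldif` on the box that has wbinfo and the ldb tools, read the file over before applying it, then `ldbmodify -H ldap://dc.example.com -UAdministrator users.ldif`. The uid values come from winbind's current allocation, so existing file ownership on the NAS keeps matching once winbind starts reading the attributes from AD with the configuration Rowland posted (not shown in this message).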