[Samba] W2k8r2 and samba 3 integration
paul harford
harfordmeister at gmail.com
Wed Dec 4 08:19:25 MST 2013
Hi Steve
When I edit a user in ADUC I don't see a Unix tab?
Would it be easier to upgrade the Samba to 4 and make it a domain member?
Paul
On 4 December 2013 15:10, steve <steve at steve-ss.com> wrote:
> On Wed, 2013-12-04 at 13:44 +0000, paul harford wrote:
> > Hi Steve
> >
> > I've just noticed that after making the changes you mentioned, getent
> > passwd doesn't return the list of domain users now; neither does getent
> > group.
> >
> > wbinfo -u and -g both still return the list of domain users and
> > groups.
> >
> > Paul
> >
>
> Hi Paul
> OK. This sounds familiar;)
>
> We need to get the rfc2307 attributes into AD so that winbind can access
> them with the configuration that Rowland posted. You _can_ do it
> otherwise, but on this list we usually come back to concluding that
> rfc2307 in AD is the best way to go.
>
> Fortunately, you already have what you need in your R2 DC. Pull up a
> user, say paul, on ADUC on the DC and you'll see a 'Unix' tab. Now do a:
> wbinfo -i paul using Rowland's smb.conf. It may look something like
> this:
>
> DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false
>
> Now take the 3000091 and stick it in the uid field for paul on the Unix
> tab.
>
> For us, I gave Domain\ Users a gid of 20513.
>
> This should give you an idea of what we mean by getting rfc2307 into
> AD.
>
> The next question is how many users would you need to do this for. If
> it's a lot, then it may be better to join a Samba4 DC say on a VM to the
> R2 box and script it using ldbmodify from the output of wbinfo. If it's
> only a few, then an hour or so's typing would get you there.
>
> HTH
> Steve
>
> >
> > On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
> > On Wed, 2013-12-04 at 11:04 +0000, paul harford wrote:
> > > Hi Steve
> > > Yes, the NAS is joined to the domain. When I do wbinfo -u and -g all
> > > looks good; when I do getent passwd I can see all the users, and the
> > > same for groups.
> > >
> > > I didn't stick up the share config but it's listed below:
> > >
> > > [tshare]
> > > valid users = @"Domain removed\domain admins",@"Domain removed\domain users"
> > > path = /testpool/tshare
> > > write list = @"Domain removed\domain admins",@"Domain removed\domain users"
> > >
> > > This was just a test share, but basically there will be user shares on
> > > the NAS and we want to restrict the shares to certain users and groups
> > > etc.
> > >
> > > I haven't heard of the keytab before; can you explain?
> > >
> > > Thanks for the response, it's appreciated.
> > >
> > > Paul
> >
> >
> > Hi
> > Phew. AD, Kerberos and keytabs would need a whole book to describe, but
> > basically, with Kerberos, not only does the user have to prove himself,
> > but the machine on which he is working has to too. Hence the keytab,
> > which must contain the machine key. This can be produced when the
> > machine is joined to the domain or, if you forgot, afterwards as
> > outlined below.
> >
> > Add to smb.conf:
> > kerberos method = system keytab
> >
> > now issue:
> > net ads keytab create -UAdministrator
> > and enter the Windows Administrator password.
> >
> > That should get us to the next stage or give errors which will help us
> > further.
> >
> > Meanwhile, what does
> > /etc/krb5.conf
> > look like?
> >
> > Cheers,
> > Steve
> >
>
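The scripted route Steve mentions (take the uid/gid that winbind already hands out, store them in AD as rfc2307 attributes, then let winbind read them back from there) as an added shell example; this is not code from the thread or from the Samba project. It assumes a base DN of DC=example,DC=com and that user objects sit under CN=Users with a CN equal to the account name (both are hypothetical; a real run should look each DN up with ldbsearch rather than build it), and the wbinfo -i lines it feeds itself are constructed, modelled on the one Steve posted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: convert the
# passwd-style lines that `wbinfo -i` prints into LDIF that stores the
# same numbers in AD as rfc2307 attributes (uidNumber, gidNumber,
# unixHomeDirectory, loginShell), ready for ldbmodify.
#
# Assumptions (hypothetical, adjust to your forest):
#   - base DN is DC=example,DC=com (override with BASE_DN=...)
#   - user objects live under CN=Users and their CN equals the account name;
#     if not, look each DN up with ldbsearch instead of building it here.

BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Read wbinfo -i lines on stdin:  DOMAIN\user:*:uid:gid:gecos:home:shell
# Write one LDIF modify record per user on stdout. "replace" is used so the
# script is safe to re-run: it overwrites stale values instead of failing
# on an attribute that already exists.
wbinfo_to_ldif() {
    while IFS=: read -r name _ uid gid _ home shell; do
        [ -n "$name" ] || continue           # skip blank lines
        user="${name#*\\}"                   # drop the DOMAIN\ prefix
        printf 'dn: CN=%s,CN=Users,%s\n' "$user" "$BASE_DN"
        printf 'changetype: modify\n'
        printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
        printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
        printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
        printf 'replace: loginShell\nloginShell: %s\n-\n\n' "$shell"
    done
}

# Constructed sample input modelled on the line Steve posted; it was not
# captured from a real domain.
sample_wbinfo_output() {
    printf '%s\n' \
        'DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false' \
        'DOMAIN\steve:*:3000092:20513::/home/DOMAIN/steve:/bin/bash'
}

# Run with --demo to print the LDIF for the sample. In production pipe the
# real output in instead:
#   wbinfo -u | while read -r u; do wbinfo -i "$u"; done | wbinfo_to_ldif
if [ "${1:-}" = "--demo" ]; then
    sample_wbinfo_output | wbinfo_to_ldif
fi
```

Generate the file, read it through, then apply it from a host with the Samba 4 ldb tools, e.g. `ldbmodify -H ldap://dc.example.com -U Administrator rfc2307.ldif`. Reusing the uid winbind currently hands out, rather than inventing fresh ones, is what keeps files already on the NAS owned by the right numeric user once winbind is switched to reading uidNumber from AD. The script covers user objects only: the primary group (Domain Users) needs its own gidNumber on the group object, as Steve did with 20513, or the gid will still not map. Afterwards `wbinfo -i paul` and `getent passwd paul` should both return the same uid.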