[Samba] W2k8r2 and samba 3 integration
Rowland Penny
rowlandpenny at googlemail.com
Wed Dec 4 08:25:32 MST 2013
On 04/12/13 15:19, paul harford wrote:
> Hi Steve
> When I edit a user in ADUC I don't see a Unix tab?
>
> Would it be easier to upgrade the Samba to 4 and make it a domain member?
>
> Paul
>
>
> On 4 December 2013 15:10, steve <steve at steve-ss.com> wrote:
>
>> On Wed, 2013-12-04 at 13:44 +0000, paul harford wrote:
>>> Hi Steve
>>>
>>> I've just noticed, after making the changes you mentioned, that getent
>>> passwd doesn't return the list of domain users now, and neither does getent
>>> groups.
>>>
>>>
>>> wbinfo -u and -g both still return the list of domain users and
>>> groups.
>>>
>>>
>>> Paul
>>>
>>>
>> Hi Paul
>> OK. This sounds familiar ;)
>>
>> We need to get the rfc2307 attributes into AD so that winbind can access
>> them with the configuration that Rowland posted. You _can_ do it
>> otherwise, but on this list we usually come back to concluding that
>> rfc2307 in AD is the best way to go.
>>
>> Fortunately, you already have what you need in your R2 DC. Pull up a
>> user, say paul, on ADUC on the DC and you'll see a 'Unix' tab. Now do a:
>> wbinfo -i paul using Rowland's smb.conf. It may look something like
>> this:
>>
>> DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false
>>
>> Now take the 3000091 and stick it in the uid field for paul on the Unix
>> tab.
>>
>> For us, I gave Domain\ Users a gid of 20513.
>>
>> This should give you an idea of what we mean by getting rfc2307 into
>> AD.
>>
>> The next question is how many users would you need to do this for. If
>> it's a lot, then it may be better to join a Samba4 DC say on a VM to the
>> R2 box and script it using ldbmodify from the output of wbinfo. If it's
>> only a few, then an hour or so's typing would get you there.
>>
>> HTH
>> Steve
>>
>>> On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
>>> On Wed, 2013-12-04 at 11:04 +0000, paul harford wrote:
>>> > Hi Steve
>>> > Yes, the NAS is joined to the domain. When I do wbinfo -u and -g all
>>> > looks good; when I do getent passwd I can see all the users and the
>>> > same for groups.
>>> >
>>> >
>>> > I didn't stick up the share config but it's listed below.
>>> >
>>> >
>>> > [tshare]
>>> >
>>> > valid users = @"Domain removed\domain admins",@"Domain removed\domain users"
>>> >
>>> > path = /testpool/tshare
>>> >
>>> > write list = @"Domain removed\domain admins",@"Domain removed\domain users"
>>> >
>>> >
>>> > This was just a test share but basically there will be user shares on
>>> > the NAS and we want to restrict the share to certain users and groups
>>> > etc.
>>> >
>>> >
>>> > I haven't heard of the keytab before, can you explain?
>>> >
>>>
>>> >
>>> > Thanks for the response, it's appreciated.
>>> >
>>> >
>>> > Paul
>>>
>>>
>>> Hi
>>> Phew. AD, Kerberos and keytabs would need a whole book to describe but
>>> basically, with Kerberos, not only does the user have to prove himself,
>>> but also the machine on which he is working has to too. Hence the keytab,
>>> which must contain the machine key. This can be produced when the
>>> machine is joined to the domain or, if you forgot, afterwards as
>>> outlined below.
>>>
>>> Add to smb.conf:
>>> kerberos method = system keytab
>>>
>>> now issue:
>>> net ads keytab create -UAdministrator
>>> and enter the windows Administrator password
>>>
>>> That should get us to the next stage or give errors which will help us
>>> further.
>>>
>>> Meanwhile, what does
>>> /etc/krb5.conf
>>> look like?
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>>>
>>>
>>
>>
Hi, have a look here:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/beb89c0b-cfa4-4147-bc76-39b2df2cdc7d/
Rowland
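Steve's suggestion above, scripting the rfc2307 attributes from the output of wbinfo into AD with ldbmodify, as an added example that is not part of this thread: a POSIX shell function that turns one wbinfo -i line into an LDIF modify record setting uidNumber, gidNumber, unixHomeDirectory and loginShell. The container DN (CN=Users,DC=example,DC=com), the assumption that the user's CN equals its account name, and the sample line are all constructed for this example.

```shell
#!/bin/sh
# Constructed sample in the passwd-style format wbinfo -i prints.
SAMPLE='DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false'

# Emit one LDIF "changetype: modify" record for a wbinfo -i line.
# $1 = the wbinfo -i line, $2 = container DN of the user object (assumed).
# The uid/gid in the line come from this host's idmap backend; writing them
# into AD is what makes them identical on every domain member.
wbinfo_to_ldif() {
    line=$1
    base=$2
    # strip the DOMAIN\ prefix; the remainder is assumed to be the object's CN
    user=$(printf '%s\n' "$line" | cut -d: -f1 | sed 's/^.*\\//')
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    # refuse malformed lines rather than silently writing junk into AD
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$user" ] || return 1
    printf 'dn: CN=%s,%s\n' "$user" "$base"
    printf 'changetype: modify\n'
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'replace: loginShell\nloginShell: %s\n\n' "$shell"
}

# Real use (not run here): for each name from wbinfo -u, call wbinfo -i on it,
# collect the records into one file and hand that file to ldbmodify against the DC:
#   wbinfo -u | while read -r u; do
#       wbinfo_to_ldif "$(wbinfo -i "$u")" 'CN=Users,DC=example,DC=com'
#   done > rfc2307.ldif
wbinfo_to_ldif "$SAMPLE" 'CN=Users,DC=example,DC=com'
```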