[Samba] W2k8r2 and samba 3 integration

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 4 08:25:32 MST 2013


On 04/12/13 15:19, paul harford wrote:
> Hi Steve
> when I edit a user in ADUC I don't see a unix tab?
>
> would it be easier to upgrade the samba to 4 and make it a domain member?
>
> Paul
>
>
> On 4 December 2013 15:10, steve <steve at steve-ss.com> wrote:
>
>> On Wed, 2013-12-04 at 13:44 +0000, paul harford wrote:
>>> Hi Steve
>>>
>>> I've just noticed after making the changes you mentioned the getent
>>> passwd doesn't return the list of domain users now neither does getent
>>> groups
>>>
>>>
>>> wbinfo -u and -g both still return the list of domain users and
>>> groups
>>>
>>>
>>> Paul
>>>
>>>
>> Hi Paul
>> OK. This sounds familiar;)
>>
>> We need to get the rfc2307 attributes into AD so that winbind can access
>> them with the configuration that Rowland posted. You _can_ do it
>> otherwise, but on this list we usually come back to concluding that
>> rfc2307 in AD is the best way to go.
>>
>> Fortunately, you already have what you need in your R2 DC. Pull up a
>> user, say paul, on ADUC on the DC and you'll see a 'Unix' tab. Now do a:
>> wbinfo -i paul using Rowland's smb.conf. It may look something like
>> this:
>>
>>    DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false
>>
>> Now take the 3000091 and stick it in the uid field for paul on the Unix
>> tab.
>>
>> For us, I gave Domain\ Users a gid of 20513.
>>
>> This should give you an idea of what we mean by getting rfc2307 into
>> AD.
>>
>> The next question is how many users would you need to do this for. If
>> it's a lot, then it may be better to join a Samba4 DC say on a VM to the
>> R2 box and script it using ldbmodify from the output of wbinfo. If it's
>> only a few, then an hour or so's typing would get you there.
>>
>> HTH
>> Steve
>>
>>> On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
>>>          On Wed, 2013-12-04 at 11:04 +0000, paul harford wrote:
>>>          > Hi Steve
>>>          > Yes the nas is joined to the domain. When I do wbinfo -u and
>>>          -g all
>>>          > looks good when I do getent passwd I can see all the users
>>>          and the
>>>          > same for groups.
>>>          >
>>>          >
>>>          > I didn't stick up the share config but it's listed below
>>>          >
>>>          >
>>>          > [tshare]
>>>          >
>>>          >         valid users = @"Domain removed\domain
>>>          admins",@"Domain removed
>>>          > \domain users"
>>>          >
>>>          >         path = /testpool/tshare
>>>          >
>>>          >         write list = @"Domain removed\domain
>>>          admins",@"Domain removed
>>>          > \domain users"
>>>          >
>>>          >
>>>          > This was just a test share but basically there will be user
>>>          share on
>>>          > the NAS and we want to restrict the share to certain users
>>>          and groups
>>>          > etc
>>>          >
>>>          >
>>>          > haven't heard of the keytab before, can you explain?
>>>          >
>>>
>>>          >
>>>          > Thanks for the response, it's appreciated
>>>          >
>>>          >
>>>          > Paul
>>>
>>>
>>>          Hi
>>>          Phew. AD, kerberos and keytabs would need a whole book to
>>>          describe but
>>>          basically, with kerberos, not only does the user have to prove
>>>          himself,
>>>          but also the machine on which he is working has to too. Hence
>>>          the keytab
>>>          which must contain the machine key. This can be produced when
>>>          the
>>>          machine is joined to the domain or, if you forgot, afterwards
>>>          as
>>>          outlined below.
>>>
>>>          Add to smb.conf:
>>>          kerberos method = system keytab
>>>
>>>          now issue:
>>>          net ads keytab create -UAdministrator
>>>          and enter the windows Administrator password
>>>
>>>          That should get us to the next stage or give errors which will
>>>          help us
>>>          further.
>>>
>>>          Meanwhile, what does
>>>          /etc/krb5.conf
>>>          look like?
>>>
>>>          Cheers,
>>>          Steve
>>>
>>>
>>>
>>>
>>
>>
Hi, have a look here: 
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/beb89c0b-cfa4-4147-bc76-39b2df2cdc7d/

Rowland
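
The quoted suggestion to script the rfc2307 attributes from wbinfo output, sketched as an added example that is not part of the thread or of Samba itself: it turns `wbinfo -i`-style lines into LDIF that ldbmodify can read. Assumptions: each account's DN is CN=<account name> under a container DN you supply (the `DC=example,DC=com` value is a placeholder), and IDs below a chosen minimum are refused.

```shell
#!/bin/sh
# Added example: convert `wbinfo -i`-style passwd lines into LDIF that sets
# the rfc2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell).
# Assumptions (not from the thread): the DN is CN=<account name>,<container>,
# and IDs below MIN_ID are refused so a malformed line can never map a domain
# account onto root or a local system account.
MIN_ID=1000

wbinfo_to_ldif() {
    # $1    = container DN (placeholder: "CN=Users,DC=example,DC=com")
    # stdin = lines like DOMAIN\user:*:uid:gid:gecos:home:shell
    awk -F: -v container="$1" -v min="$MIN_ID" '
    NF != 7 { printf "skip (want 7 fields): %s\n", $0 > "/dev/stderr"; next }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
        printf "skip (non-numeric id): %s\n", $0 > "/dev/stderr"; next }
    $3 + 0 < min || $4 + 0 < min {
        printf "skip (id below %d): %s\n", min, $0 > "/dev/stderr"; next }
    {
        name = $1
        sub(/^.*\\/, "", name)            # drop the DOMAIN\ prefix
        if (name !~ /^[A-Za-z0-9._-]+$/) { # keep the DN free of special chars
            printf "skip (unsafe name): %s\n", $0 > "/dev/stderr"; next }
        printf "dn: CN=%s,%s\nchangetype: modify\n", name, container
        printf "replace: uidNumber\nuidNumber: %s\n-\n", $3
        printf "replace: gidNumber\ngidNumber: %s\n-\n", $4
        printf "replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n", $6
        printf "replace: loginShell\nloginShell: %s\n\n", $7
    }'
}

# First line is the wbinfo output quoted in the thread; the second is a
# constructed bad line (uid 0) that must be skipped, not written to AD.
wbinfo_to_ldif "CN=Users,DC=example,DC=com" <<'EOF'
DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false
DOMAIN\svc:*:0:20513::/root:/bin/sh
EOF
```

Read the generated LDIF and check each DN against the directory before passing it to ldbmodify.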

