[Samba] W2k8r2 and samba 3 integration
steve
steve at steve-ss.com
Wed Dec 4 08:50:53 MST 2013
On Wed, 2013-12-04 at 15:19 +0000, paul harford wrote:
> Hi Steve
>
> when I edit a user in ADUC I don't see a unix tab?
>
Hi
The link which describes how to get it has just been posted. Thanks:)
>
> would it be easier to upgrade the samba to 4 and make it a domain
> member?
Assuming that the NAS is just that (a file server), then 3.6.x is fine.
Just keep up with your distro security updates for it.
Steve
>
>
> Paul
>
>
>
> On 4 December 2013 15:10, steve <steve at steve-ss.com> wrote:
> On Wed, 2013-12-04 at 13:44 +0000, paul harford wrote:
> > Hi Steve
> >
> > I've just noticed after making the changes you mentioned the getent
> > passwd doesn't return the list of domain users now neither does getent
> > groups
> >
> > wbinfo -u and -g both still return the list of domain users and
> > groups
> >
> > Paul
>
> Hi Paul
> OK. This sounds familiar;)
>
> We need to get the rfc2307 attributes into AD so that winbind can access
> them with the configuration that Rowland posted. You _can_ do it
> otherwise, but on this list we usually come back to concluding that
> rfc2307 in AD is the best way to go.
>
> Fortunately, you already have what you need in your R2 DC. Pull up a
> user, say paul, on ADUC on the DC and you'll see a 'Unix' tab. Now do a:
> wbinfo -i paul using Rowland's smb.conf. It may look something like
> this:
>
> DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false
>
> Now take the 3000091 and stick it in the uid field for paul on the Unix
> tab.
>
> For us, I gave Domain\ Users a gid of 20513.
>
> This should give you an idea of what we mean by getting rfc2307 into
> AD.
>
> The next question is how many users would you need to do this for. If
> it's a lot, then it may be better to join a Samba4 DC say on a VM to the
> R2 box and script it using ldbmodify from the output of wbinfo. If it's
> only a few, then an hour or so's typing would get you there.
>
> HTH
> Steve
>
> >
> > On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
> > On Wed, 2013-12-04 at 11:04 +0000, paul harford wrote:
> > > Hi Steve
> > > Yes the NAS is joined to the domain. When I do wbinfo -u and -g all
> > > looks good when I do getent passwd I can see all the users and the
> > > same for groups.
> > >
> > > I didn't stick up the share config but it's listed below
> > >
> > > [tshare]
> > >
> > > valid users = @"Domain removed\domain admins",@"Domain removed\domain users"
> > >
> > > path = /testpool/tshare
> > >
> > > write list = @"Domain removed\domain admins",@"Domain removed\domain users"
> > >
> > > This was just a test share but basically there will be user share on
> > > the NAS and we want to restrict the share to certain users and groups
> > > etc
> > >
> > > haven't heard of the keytab before, can you explain?
> > >
> > > Thanks for the response, it's appreciated
> > >
> > > Paul
> >
> > Hi
> > Phew. AD, kerberos and keytabs would need a whole book to describe but
> > basically, with kerberos, not only does the user have to prove himself,
> > but also the machine on which he is working has to too. Hence the keytab
> > which must contain the machine key. This can be produced when the
> > machine is joined to the domain or, if you forgot, afterwards as
> > outlined below.
> >
> > Add to smb.conf:
> > kerberos method = system keytab
> >
> > now issue:
> > net ads keytab create -UAdministrator
> > and enter the windows Administrator password
> >
> > That should get us to the next stage or give errors which will help us
> > further.
> >
> > Meanwhile, what does
> > /etc/krb5.conf
> > look like?
> >
> > Cheers,
> > Steve
>
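
The scripted route mentioned in the thread (building ldbmodify input from wbinfo output), as an added example that is not part of the original messages: it turns `wbinfo -i` lines into LDIF that sets the rfc2307 attributes, and rejects malformed or duplicate entries before anything reaches AD. The base DN, the CN=<account> layout and the sample lines are assumptions constructed for illustration.

```python
import re
# Constructed sample lines in the `wbinfo -i` format quoted in the thread.
SAMPLE = [
    r"DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false",
    r"DOMAIN\anne:*:3000092:20513::/home/DOMAIN/anne:/bin/bash",
    r"DOMAIN\bad name:*:notanumber:20513::/home/DOMAIN/x:/bin/false",
    r"DOMAIN\dup:*:3000091:20513::/home/DOMAIN/dup:/bin/false",
]
# Assumption: each account sits at CN=<account>,<USERS_DN>; placeholder base DN.
USERS_DN = "CN=Users,DC=example,DC=com"
ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")    # no DN or LDIF metacharacters
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]*")
NUMBER = re.compile(r"[0-9]+")

def parse_wbinfo(line):
    """Validate one passwd-style line; return its rfc2307 values or raise."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    account = fields[0].rsplit("\\", 1)[-1]   # drop the DOMAIN\ prefix
    uid, gid, home, shell = fields[2], fields[3], fields[5], fields[6]
    if not SAFE_NAME.fullmatch(account):
        raise ValueError("unsafe account name")
    if not (NUMBER.fullmatch(uid) and NUMBER.fullmatch(gid)):
        raise ValueError("non-numeric uid/gid")
    if not (SAFE_PATH.fullmatch(home) and SAFE_PATH.fullmatch(shell)):
        raise ValueError("unsafe home or shell path")
    return {"account": account, "uidNumber": uid, "gidNumber": gid,
            "unixHomeDirectory": home, "loginShell": shell}

def build_ldif(lines):
    """Return (ldif_text, rejected); rejected holds (line, reason) pairs."""
    records, rejected, seen_uids = [], [], set()
    for line in lines:
        try:
            user = parse_wbinfo(line)
            if user["uidNumber"] in seen_uids:
                raise ValueError("duplicate uidNumber")
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        seen_uids.add(user["uidNumber"])
        mods = "".join(f"replace: {a}\n{a}: {user[a]}\n-\n" for a in ATTRS)
        records.append(f"dn: CN={user['account']},{USERS_DN}\nchangetype: modify\n{mods}")
    return "\n".join(records), rejected

if __name__ == "__main__":
    print(*build_ldif(SAMPLE), sep="\n# rejected: ")
```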