[Samba] W2k8r2 and samba 3 integration

steve steve at steve-ss.com
Wed Dec 4 08:50:53 MST 2013


On Wed, 2013-12-04 at 15:19 +0000, paul harford wrote:
> Hi Steve
> 
> When I edit a user in ADUC I don't see a Unix tab?
> 
Hi
The link which describes how to get it has just been posted. Thanks:)
> 
> Would it be easier to upgrade the Samba to 4 and make it a domain
> member?

Assuming that the NAS is just that (a file server), then 3.6.x is fine.
Just keep up with your distro security updates for it.
Steve

> 
> 
> Paul
> 
> 
> 
> On 4 December 2013 15:10, steve <steve at steve-ss.com> wrote:
>         On Wed, 2013-12-04 at 13:44 +0000, paul harford wrote:
>         > Hi Steve
>         >
>         
>         > I've just noticed after making the changes you mentioned the
>         > getent passwd doesn't return the list of domain users now; neither
>         > does getent groups.
>         >
>         >
>         > wbinfo -u and -g both still return the list of domain users and
>         > groups.
>         >
>         >
>         > Paul
>         >
>         >
>         
>         
>         Hi Paul
>         OK. This sounds familiar;)
>         
>         We need to get the rfc2307 attributes into AD so that winbind
>         can access them with the configuration that Rowland posted. You
>         _can_ do it otherwise, but on this list we usually come back to
>         concluding that rfc2307 in AD is the best way to go.
>         
>         Fortunately, you already have what you need in your R2 DC. Pull
>         up a user, say paul, on ADUC on the DC and you'll see a 'Unix'
>         tab. Now do a:
>         wbinfo -i paul
>         using Rowland's smb.conf. It may look something like this:
>         
>           DOMAIN\paul:*:3000091:20513::/home/DOMAIN/steve:/bin/false
>         
>         Now take the 3000091 and stick it in the uid field for paul on
>         the Unix tab.
>         
>         For us, I gave Domain\ Users a gid of 20513.
>         
>         This should give you an idea of what we mean by getting rfc2307
>         into AD.
>         
>         The next question is how many users you would need to do this
>         for. If it's a lot, then it may be better to join a Samba4 DC,
>         say on a VM, to the R2 box and script it using ldbmodify from
>         the output of wbinfo. If it's only a few, then an hour or so's
>         typing would get you there.
>         
>         HTH
>         Steve
>         
>         >
>         > On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
>         >         On Wed, 2013-12-04 at 11:04 +0000, paul harford
>         wrote:
>         >         > Hi Steve
>         >         > Yes, the NAS is joined to the domain. When I do
>         >         > wbinfo -u and -g all looks good; when I do getent
>         >         > passwd I can see all the users and the same for
>         >         > groups.
>         >         >
>         >         >
>         >         > I didn't stick up the share config but it's listed
>         >         > below
>         >         >
>         >         >
>         >         > [tshare]
>         >         >
>         >         >         valid users = @"Domain removed\domain admins",@"Domain removed\domain users"
>         >         >
>         >         >         path = /testpool/tshare
>         >         >
>         >         >         write list = @"Domain removed\domain admins",@"Domain removed\domain users"
>         >         >
>         >         >
>         >         > This was just a test share but basically there will
>         >         > be user shares on the NAS and we want to restrict the
>         >         > share to certain users and groups etc.
>         >         >
>         >         >
>         >         > Haven't heard of the keytab before, can you explain?
>         >         >
>         >
>         >         >
>         >         > Thanks for the response its appreciated
>         >         >
>         >         >
>         >         > Paul
>         >
>         >
>         >         Hi
>         >         Phew. AD, kerberos and keytabs would need a whole book
>         >         to describe but basically, with kerberos, not only does
>         >         the user have to prove himself, but also the machine on
>         >         which he is working has to too. Hence the keytab, which
>         >         must contain the machine key. This can be produced when
>         >         the machine is joined to the domain or, if you forgot,
>         >         afterwards as outlined below.
>         >
>         >         Add to smb.conf:
>         >         kerberos method = system keytab
>         >
>         >         now issue:
>         >         net ads keytab create -UAdministrator
>         >         and enter the windows Administrator password
>         >
>         >         That should get us to the next stage or give errors
>         >         which will help us further.
>         >
>         >         Meanwhile, what does
>         >         /etc/krb5.conf
>         >         look like?
>         >
>         >         Cheers,
>         >         Steve
>         >
>         >
>         >
>         >
>         
>         
>         
> 
> 
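The scripting route Steve sketches above (feed the output of wbinfo into ldbmodify instead of typing uid/gid values into the ADUC Unix tab), as an added example that is not part of this thread and not code from the Samba project. It turns `wbinfo -i` passwd-style lines into an LDIF that sets the RFC2307 attributes on the user objects. Assumptions not stated in the thread: user objects live at `CN=<account>,<BASE_DN>`, the account name carries a `DOMAIN\` prefix that must be stripped, and the `ldbmodify -H ... -U ...` invocation in the comment is the assumed way to apply the file from a Samba4 host joined to the domain. The sample line is constructed from the values Steve quoted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Converts "wbinfo -i" output into LDIF that writes uidNumber, gidNumber,
# unixHomeDirectory and loginShell on the AD user object, i.e. the same
# attributes the ADUC "Unix" tab edits.
#
# Assumed: users are CN=<account>,<BASE_DN>; account names are DOMAIN\user.

# wbinfo_line_to_ldif LINE BASE_DN
#   LINE     one line as printed by "wbinfo -i <user>", e.g.
#            DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false
#   BASE_DN  container holding the user, e.g. CN=Users,DC=example,DC=com
# Prints one LDIF change record; prints nothing and returns 1 if the line
# is not a seven-field passwd entry with a numeric uid and gid.
# Subshell body: IFS and "set -f" changes stay local to this call.
wbinfo_line_to_ldif() (
    _line=$1
    _base=$2
    IFS=:
    set -f                      # the "*" password field must not glob-expand
    set -- $_line
    if [ $# -ne 7 ]; then
        echo "skipping malformed passwd line: $_line" >&2
        return 1
    fi
    _acct=${1##*\\}             # DOMAIN\paul -> paul
    _uid=$3
    _gid=$4
    _home=$6
    _shell=$7
    case $_uid in ''|*[!0-9]*)
        echo "skipping $_acct: uid '$_uid' is not numeric" >&2; return 1 ;;
    esac
    case $_gid in ''|*[!0-9]*)
        echo "skipping $_acct: gid '$_gid' is not numeric" >&2; return 1 ;;
    esac
    printf 'dn: CN=%s,%s\n' "$_acct" "$_base"
    printf 'changetype: modify\n'
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$_uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$_gid"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$_home"
    printf 'replace: loginShell\nloginShell: %s\n-\n\n' "$_shell"
)

# wbinfo_to_ldif BASE_DN  < wbinfo-lines
#   Reads "wbinfo -i" lines on stdin, emits a record per usable line, skips
#   the rest (reported on stderr). Returns 1 if no record was produced, so a
#   pipeline with an empty or broken wbinfo result does not silently succeed.
wbinfo_to_ldif() {
    _n=0
    while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        wbinfo_line_to_ldif "$_l" "$1" && _n=$((_n + 1))
    done
    [ "$_n" -gt 0 ]
}

# Constructed sample: the uid/gid values from the thread's wbinfo output.
SAMPLE='DOMAIN\paul:*:3000091:20513::/home/DOMAIN/paul:/bin/false'
wbinfo_to_ldif 'CN=Users,DC=example,DC=com' <<EOF
$SAMPLE
EOF

# Real use (assumed invocation; needs winbind on the host and Samba4's ldb tools):
#   wbinfo -u | while read -r u; do wbinfo -i "$u"; done \
#     | wbinfo_to_ldif 'CN=Users,DC=example,DC=com' > unix-attrs.ldif
#   ldbmodify -H ldap://dc1.example.com -U Administrator unix-attrs.ldif
```

Two things worth checking before applying the file. The uid values come from the NAS's current idmap allocation, so write them into AD once and treat them as fixed from then on; files already owned by those uids on the NAS keep working only as long as the numbers do not change. And the `gidNumber: 20513` on each user only resolves if the `Domain Users` group object itself carries `gidNumber 20513` (which is what Steve did for his domain), so set that on the group as well, then run `net cache flush` on the NAS and confirm `getent passwd paul` returns the entry from AD.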



