[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?

Michael Brown michael at netdirect.ca
Thu Dec 12 13:07:59 MST 2013


On 13-12-12 01:42 PM, steve wrote:
> I've never really understood what sernet does. It seems to add 
> complexity over and above what really is a very simple installation 
> from source. So, to answer your question, the best place and way to 
> install samba4 is from source. That way you get just Samba4 and it just 
> works. No one has pissed around with it to try and make it distro 
> compatible. It's too new and under too rapid development to get stable 
> enough for the distros in my opinion. There is a model of an 
> installation howto at http://wiki.samba.org/index.php/Samba4/HOWTO 
They make the packages. Goes a long way - I need to make some procedures 
for Ubuntu, SLES and RHEL. I really really don't want to have to muck 
about with each of those systems.

And you know what, it works. I'd be having these exact problems if I 
compiled it myself. That HOWTO you linked addresses *none* of my concerns.

What's missing from the docs (and from pretty much every OSS project, 
ever) is the *why* part of the documentation. Why might I do it this way 
or this other way? The various how-tos are great, though.

Let's try and follow the documentation on building Samba:

To build Samba, run the following command in your samba-master directory:

  $ cd samba-master
  $ ./configure
  $ make

[michael at challenger:~/prog/samba]$ cd samba-master
bash: cd: samba-master: No such file or directory

I do only have so much time in the day to muck about with this.

On 13-12-12 01:42 PM, steve wrote:

> He has the same username for both systems. There's none of the MAIN+ or MAIN\
> nonsense, unless he's also a local user on a windows box.
> ...
> Get it working on one domain. Worry about that later.

It is working, and now is later.

On 13-12-12 02:02 PM, Rowland Penny wrote:
> This is confusing me, (yes I know, it doesn't take much) when you say 
> 'system user' do you mean a Linux user that is found in /etc/passwd?
What I meant was: a system user provided by winbind vs. a user coming 
into smbd
> If the answer to that is yes, then I am sorry, you cannot have the 
> same username as a local user and a domain user, but you can use a 
> domain user as a local user by joining the linux machine to the domain.
I've got it set up with a minimal:
/etc/samba/smb.conf:
[global]
    workgroup = MAIN
    realm = MAIN.ADLAB.NETDIRECT.CA
    security = ads

[stuff]
    path = /var/stuff
    read only = No

and /etc/samba/winbind.conf:
[global]
    workgroup = MAIN
    realm = MAIN.ADLAB.NETDIRECT.CA
    security = ads

    winbind use default domain = true
    winbind offline logon = true
    winbind nss info = rfc2307

    idmap config * : range = 16777216-33554431
    idmap config MAIN:backend = ad
    idmap config MAIN:schema_mode = rfc2307
    idmap config MAIN:range = 10000-100000
    idmap config BUILTIN : backend = rid
    idmap config BUILTIN : range = 9000-9999

So I can keep the two configs separate. Works well actually, though it 
just ignores the idmap for BUILTIN.

I solved the remote administration problem by granting administrator 
DiskOperator and PrintOperator on the samba server - it works as 
expected now other than the little annoyances that are probably just 
lingering bugs (groups with gid=-1).

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
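As an added example (not part of the post or of Samba itself): the idmap ranges in the winbind config above decide which UIDs/GIDs winbind allocates for the default `*` backend, the AD domain and BUILTIN, and two ranges that overlap would let winbind map different SIDs onto the same Unix ID. This small checker parses the `idmap config` lines out of an smb.conf (the sample text is the post's own fragment, embedded here as constructed input) and reports inverted or overlapping ranges.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the winbind-side smb.conf fragment from the post above.
SAMPLE_SMB_CONF = """
[global]
    workgroup = MAIN
    realm = MAIN.ADLAB.NETDIRECT.CA
    security = ads

    winbind use default domain = true
    winbind nss info = rfc2307

    idmap config * : range = 16777216-33554431
    idmap config MAIN:backend = ad
    idmap config MAIN:schema_mode = rfc2307
    idmap config MAIN:range = 10000-100000
    idmap config BUILTIN : backend = rid
    idmap config BUILTIN : range = 9000-9999
"""

# Matches "idmap config DOMAIN : key = value"; whitespace around ':' is optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config keys per domain ('*' is the default backend)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[key] = value
    return domains


def idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return the numeric (low, high) ID range declared for each idmap domain."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for domain, keys in parse_idmap(conf_text).items():
        if "range" in keys:
            lo, hi = (int(x) for x in keys["range"].split("-"))
            ranges[domain] = (lo, hi)
    return ranges


def check_idmap(conf_text: str) -> List[str]:
    """Report inverted ranges and every pair of domains whose ranges overlap."""
    ranges = idmap_ranges(conf_text)
    problems = [f"{d}: inverted range {lo}-{hi}" for d, (lo, hi) in ranges.items() if lo > hi]
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                problems.append(f"{a} {a_lo}-{a_hi} overlaps {b} {b_lo}-{b_hi}")
    return problems
```

Run `check_idmap` over each host's winbind smb.conf; the post's own ranges come back clean, while a range such as 9500-20000 added for a second domain would be flagged against both BUILTIN and MAIN.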
