[Samba] Security = ADS and uidnumbers

Rowland Penny rpenny at f2s.com
Wed Jun 5 08:42:11 MDT 2013


I never said that I couldn't get it to work, I just said that it is just
too complicated. Yes, I can read, and there was no need to get personal.

You can have an smb.conf like this:

[global]
        workgroup = DOMAIN
        security = ADS
        realm = DOMAIN.LAN
        encrypt passwords = yes
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab

The main part of sssd.conf:

[domain/domain.lan]
description = AD domain with Samba 4 server
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Where is the AD server etc?
krb5_server = domainserver.domain.lan
krb5_kpasswd = domainserver.domain.lan
krb5_realm = DOMAIN.LAN

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# Change a few default settings
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixdomainDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

There is no messing with ranges, making sure that they do not overlap, etc.
I know what I think is easier, and it isn't winbind.




On 5 June 2013 14:23, Jonathan Buzzard <jonathan at buzzard.me.uk> wrote:

> On Wed, 2013-06-05 at 13:30 +0100, Rowland Penny wrote:
> > Hi, I gave up on winbind, it is just too complicated and most, if not
> > all, of the webpages I found via google are incomplete or just downright
> > wrong.
> >
>
> It's actually dead simple, and these days the manual page is actually
> accurate. Really if you cannot get it working you cannot read.
>
> Now assuming that the BECAUSE domain actually has the uidNumber field
> populated a working configuration would be (this was taken from a
> working configuration and modified to change the domain).
>
> # deal with NSS and the whole UID/SID id mapping stuff
>         idmap config * : backend = tdb
>         idmap config * : range = 2000000 - 2999999
>         idmap config BECAUSE : backend = ad
>         idmap config BECAUSE : schema_mode = rfc2307
>         idmap config BECAUSE : readonly = yes
>         idmap config BECAUSE : range = 500 - 1999999
>         idmap cache time = 604800
>         idmap negative cache time = 20
>         winbind cache time = 600
>         winbind nss info = rfc2307
>         winbind expand groups = 2
>         winbind nested groups = yes
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind refresh tickets = yes
>         winbind offline logon = false
>
> Noting of course that you must have a valid join to the domain, that
> winbind is running, that nscd is *NOT* running and you have an
> appropriate /etc/nsswitch.conf.
>
> You might also have badly messed up tdb files from previous experiments.
> I would recommend nuking them from orbit and starting afresh.
>
> JAB.
>
> --
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>


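The quoted winbind configuration only works if the idmap ranges are sane: the default `*` range and the `BECAUSE` range must not overlap, or two different SIDs can end up mapped to the same Unix uid and file ownership on the member server becomes wrong. The following checker is an added example and is not code from either poster or from the Samba project; it parses the `idmap config` lines of an smb.conf, verifies that each domain has a backend and a well-formed range, that an `ad` backend names a `schema_mode`, and that no two ranges overlap. The sample smb.conf text is constructed from the lines quoted above, plus a second copy with a deliberately overlapping range to show the check firing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines quoted in the thread, with disjoint ranges.
GOOD_SMB_CONF = """
[global]
        workgroup = BECAUSE
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 2000000 - 2999999
        idmap config BECAUSE : backend = ad
        idmap config BECAUSE : schema_mode = rfc2307
        idmap config BECAUSE : readonly = yes
        idmap config BECAUSE : range = 500 - 1999999
"""

# Constructed sample: same layout, but the BECAUSE range runs into the default range.
OVERLAPPING_SMB_CONF = GOOD_SMB_CONF.replace("500 - 1999999", "500 - 2500000")

# "idmap config <domain> : <option> = <value>", case-insensitive like Samba itself.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# schema_mode values accepted by idmap_ad (rfc2307 is the one used in the thread).
VALID_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW - HIGH' into ints; raise ValueError if malformed or inverted."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"range low end above high end: {value!r}")
    return lo, hi


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the idmap config passed."""
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []

    if "*" not in domains:
        problems.append("no default 'idmap config *' block; winbind needs one for unknown SIDs")

    for dom, opts in domains.items():
        backend = opts.get("backend", "").lower()
        if not backend:
            problems.append(f"{dom}: no backend configured")
        if backend == "ad" and opts.get("schema_mode", "").lower() not in VALID_SCHEMA_MODES:
            problems.append(f"{dom}: backend 'ad' needs schema_mode (e.g. rfc2307)")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
            continue
        ranges.append((dom, lo, hi))

    # Sort by low end; any neighbour whose low end is inside the previous range overlaps.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_SMB_CONF), ("overlapping", OVERLAPPING_SMB_CONF)):
        print(name, check_idmap(parse_idmap(conf)) or "OK")
```

Run it against a real file with `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))`; it does not replace `testparm`, which validates the rest of the file, but `testparm` does not complain about overlapping ranges, which is exactly the mistake the thread is about.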