[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
Rowland Penny
rowlandpenny at googlemail.com
Fri Apr 25 12:58:06 MDT 2014
On 25/04/14 19:49, Geoff Rowland wrote:
>
>>> They do not have either set. Is this a (new?) requirement?
>>>
>>> I edited my PAM files to match and still have the same result.
>> One more question, do you have libnss-winbind installed?
>>
>> Rowland
>>
> Yes, I have libnss-winbind installed as well.
OK, this is basically what I did to install my fileserver:
installed Ubuntu 14.04 with a fixed IP address and gave it a FQDN
Once installed, stopped NetworkManager from starting dnsmasq and removed
resolvconf, fully updated and then rebooted
I then installed samba winbind libpam-winbind libnss-winbind krb5-user
krb5-config ntp libpam-krb5
Stopped all samba services
Created a new smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = %h server (Samba)
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
client signing = if_required
printcap name = cups
local master = No
domain master = No
usershare allow guests = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
map acl inherit = Yes
cups options = raw
store dos attributes = Yes
vfs objects = acl_xattr
[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
Create /etc/samba/smbusers
!root = DOMAIN\Administrator DOMAIN\administrator
sudo cp /etc/krb5.conf /etc/krb5.conf.orig
Edited /etc/krb5.conf to match the following:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
edit /etc/resolv.conf
ensure it points to AD DC
search domain.com
domain domain.com
nameserver 192.168.0.5 <--- this is the IP of my samba4 AD DC
sudo rm -f /var/lib/samba/*.tdb
sudo rm -f /var/cache/samba/*.tdb
edit /etc/ntp.conf
#------------------Start-----------------------------------
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 192.168.0.5
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
#disable auth
#broadcastclient
#----------------End----------------------------------------
sudo service ntp restart
sudo net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'MEMBER1' to dns domain 'domain.com'
Add 'winbind' to the passwd & group lines in nsswitch.conf:
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
sudo service smbd start
sudo service nmbd start
sudo service winbind start
'wbinfo -u' should display all domain users
'wbinfo -g' should display all domain groups
'getent passwd' should display all users, local & domain
'getent group' should display all groups, local & domain, only it
doesn't (known bug), but 'getent group <domain groupname>' will display
the domain group (if it has a gidNumber).
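As an added sanity check (my own script, not anything from Rowland's post or from the Samba project), the following Python parses the idmap lines of an smb.conf like the one above and flags the mistakes that most often bite a member server: a missing default (`*`) range, a domain with no backend, a malformed range, and ranges that overlap, which lets a domain SID and a locally allocated tdb ID end up with the same uid/gid. The sample config embedded in it is constructed from the post's idmap lines, and domain names are normalized to lowercase.

```python
import re

# Constructed sample carrying the idmap lines from the post's smb.conf (not a real config).
SAMPLE_SMB_CONF = """\
[global]
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
[homes]
valid users = %S
"""
_IDMAP_KEY = re.compile(r"^idmap config (\S+?)\s*:\s*(\w+)$")

def parse_idmap(conf):
    """Return {domain: {option: value}} for the 'idmap config' lines in [global]."""
    idmap, section = {}, ""
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):  # section header
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":  # not a comment
            key, value = (s.strip() for s in line.split("=", 1))
            m = _IDMAP_KEY.match(" ".join(key.lower().split()))  # tolerates "* : backend"
            if m:
                idmap.setdefault(m.group(1), {})[m.group(2)] = value.lower()
    return idmap

def check_idmap(idmap):
    """Return a list of problems; an empty list means the idmap layout is sane."""
    problems, ranges = [], {}
    if "range" not in idmap.get("*", {}):
        problems.append("no 'idmap config * : range' for SIDs outside the domain")
    for dom, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        try:
            low, high = (int(x) for x in opts.get("range", "").split("-", 1))
        except ValueError:
            problems.append(f"{dom}: missing or malformed range {opts.get('range')!r}")
            continue
        if low >= high:
            problems.append(f"{dom}: range low {low} is not below high {high}")
        ranges[dom] = (low, high)
    doms = sorted(ranges)  # pairwise: one uid/gid must never map to two different SIDs
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```

Run it against the real file with `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))` before starting winbind; `testparm` will also complain about overlapping ranges, but this shows exactly which pair collides.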