[Samba] Winbind + sernet Samba4 + CentOS 6.5 + AD

Thu Aug 28 13:29:19 MDT 2014

So, update on this issue

As it currently stands, I have a working setup. Install process and configs
will follow but before, the major changes that I can think of:

sernet-samba4:
    used 4.1.10 instead of 4.1.11
    instead of the yum install using the sernet repo to install, had to
individually install the rpm's for the 4.1.10 version
smb.conf:
    instead of using 'ad' as the backend, used 'rid'
        idmap config DOMAIN:backend = rid
clearing of samba 3.6
    previously I had not removed samba-winbind-clients or samba-commons,
this time I removed everything samba

Of these I want to test the smb.conf change and the clearing out all samba
related packages on the 4.1.11 version. Might be that those changes will
make it work fine, as of now, im rolling with the 4.1.10 version due to
being on a schedule (and the saying: "if it aint broke, dont fix it").

Commands and configs as follows (some information masked with dummy names)

=============
yum remove samba4-libs samba-winbind-clients samba-winbind samba-client
samba-common

... wget the rpm packages ...

rpm -ivh sernet-samba-common-4.1.10-8.el6.x86_64.rpm
rpm -ivh sernet-samba-libs-4.1.10-8.el6.x86_64.rpm
rpm -ivh sernet-samba-libsmbclient0-4.1.10-8.el6.x86_64.rpm
rpm -ivh sernet-samba-client-4.1.10-8.el6.x86_64.rpm
rpm -ivh sernet-samba-winbind-4.1.10-8.el6.x86_64.rpm
rpm -ivh sernet-samba-4.1.10-8.el6.x86_64.rpm

Verify verisions:

# /usr/sbin/smbd -V
Version 4.1.10-SerNet-RedHat-8.el6

# rpm -qa | grep sern
sernet-samba-libs-4.1.10-8.el6.x86_64
sernet-samba-4.1.10-8.el6.x86_64
sernet-samba-common-4.1.10-8.el6.x86_64
sernet-samba-libsmbclient0-4.1.10-8.el6.x86_64
sernet-samba-winbind-4.1.10-8.el6.x86_64
sernet-samba-client-4.1.10-8.el6.x86_64

Edit /etc/samba/smb.conf
[global]
   netbios name = whost
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.RINGLING.EDU
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 2000-4999

   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 100000-200000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

   force create mode = 0660
   force directory mode = 0770

Edit /etc/nsswitch.conf
passwd:     files winbind
shadow:     files
group:      files winbind

Edit /etc/default/sernet-samba
SAMBA_START_MODE="classic"

Edit /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.RINGLING.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.RINGLING.EDU = {
  kdc = *domain.controller.fqdn*
  admin_server = *domain.controller.fqdn*
 }

[domain_realm]
 .domain.ringling.edu = DOMAIN.RINGLING.EDU
 domain.ringling.edu = DOMAIN.RINGLING.EDU

Edit /etc/sysconfig/selinux
SELINUX=disabled

Edit /etc/security/limits.conf (add at the end)
* - nofile 16384

=====================

After doing the 'net ads join -U administrator' command, verified all
wbinfo commands that were not working before, including the 'id user'
command and they all work and return the expected information.

Im really curious on trying again 4.1.11 with those changes but wont have
time right now, eventually ill get to it.

Thanks for the back and forth, hopefully this server doesnt break now that
its working.

-Stephen

Stephen E. Garcia-Morales
sgmorale at ringling.edu
Ringling College of Art and Design
.'. Nosce Te Ipsvm .'.

On Thu, Aug 28, 2014 at 11:42 AM, Rowland Penny <rowlandpenny at googlemail.com
> wrote:

>
> I am fairly sure that if you give 'Domain Users' a gidNumber, then it will
> start to work, you will not get anything from 'getent group' but 'getent
> group Domain\ Users' should return the groups info.
>
> Rowland
>
>
>>