[Samba] Winbind + sernet Samba4 + CentOS 6.5 + AD

Rowland Penny rowlandpenny at googlemail.com
Thu Aug 28 14:26:11 MDT 2014


On 28/08/14 20:29, Stephen Garcia wrote:
> So, update on this issue
>
> As it currently stands, I have a working setup. Install process and 
> configs will follow but before, the major changes that I can think of:
>
> sernet-samba4:
>     used 4.1.10 instead of 4.1.11
> instead of the yum install using the sernet repo to install, had to 
> individually install the RPMs for the 4.1.10 version
> smb.conf:
>   instead of using 'ad' as the backend, used 'rid'
> idmap config DOMAIN:backend = rid

This means that you do not need uidNumbers & gidNumbers in AD

> clearing of samba 3.6
>     previously I had not removed samba-winbind-clients or 
> samba-commons, this time I removed everything samba
>
You should have done this anyway

> Of these I want to test the smb.conf change and the clearing out of all 
> samba-related packages on the 4.1.11 version. Might be that those 
> changes will make it work fine; as of now, I'm rolling with the 4.1.10 
> version due to being on a schedule (and the saying: "if it ain't broke, 
> don't fix it").

Unfortunately 4.1.10 is broken; 4.1.11 was released to deal with a CVE, 
and that is the only difference.

Rowland
>
>
> Commands and configs as follows (some information masked with dummy names)
>
>
> =============
> yum remove samba4-libs samba-winbind-clients samba-winbind 
> samba-client samba-common
>
> ... wget the rpm packages ...
>
> rpm -ivh sernet-samba-common-4.1.10-8.el6.x86_64.rpm
> rpm -ivh sernet-samba-libs-4.1.10-8.el6.x86_64.rpm
> rpm -ivh sernet-samba-libsmbclient0-4.1.10-8.el6.x86_64.rpm
> rpm -ivh sernet-samba-client-4.1.10-8.el6.x86_64.rpm
> rpm -ivh sernet-samba-winbind-4.1.10-8.el6.x86_64.rpm
> rpm -ivh sernet-samba-4.1.10-8.el6.x86_64.rpm
>
>
> Verify versions:
>
> # /usr/sbin/smbd -V
> Version 4.1.10-SerNet-RedHat-8.el6
>
> # rpm -qa | grep sern
> sernet-samba-libs-4.1.10-8.el6.x86_64
> sernet-samba-4.1.10-8.el6.x86_64
> sernet-samba-common-4.1.10-8.el6.x86_64
> sernet-samba-libsmbclient0-4.1.10-8.el6.x86_64
> sernet-samba-winbind-4.1.10-8.el6.x86_64
> sernet-samba-client-4.1.10-8.el6.x86_64
>
>
> Edit /etc/samba/smb.conf
> [global]
>    netbios name = whost
>    workgroup = DOMAIN
>    security = ADS
>    realm = DOMAIN.RINGLING.EDU
>    encrypt passwords = yes
>
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-4999
>
>    idmap config DOMAIN:backend = rid
>    idmap config DOMAIN:schema_mode = rfc2307
>    idmap config DOMAIN:range = 100000-200000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>
>    force create mode = 0660
>    force directory mode = 0770
>
> Edit /etc/nsswitch.conf
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> Edit /etc/default/sernet-samba
> SAMBA_START_MODE="classic"
>
> Edit /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = DOMAIN.RINGLING.EDU
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
> DOMAIN.RINGLING.EDU = {
>   kdc = *domain.controller.fqdn*
>   admin_server = *domain.controller.fqdn*
>  }
>
> [domain_realm]
>  .domain.ringling.edu = DOMAIN.RINGLING.EDU
>  domain.ringling.edu = DOMAIN.RINGLING.EDU
>
> Edit /etc/sysconfig/selinux
> SELINUX=disabled
>
> Edit /etc/security/limits.conf (add at the end)
> * - nofile 16384
>
> =====================
>
>
> After doing the 'net ads join -U administrator' command, I verified all 
> the wbinfo commands that were not working before, including the 'id user' 
> command, and they all work and return the expected information.
>
>
> I'm really curious about trying 4.1.11 again with those changes but won't 
> have time right now; eventually I'll get to it.
>
>
> Thanks for the back and forth, hopefully this server doesn't break now 
> that it's working.
>
> -Stephen
>
>
> Stephen E. Garcia-Morales
> sgmorale at ringling.edu
> Ringling College of Art and Design
> .'. Nosce Te Ipsvm .'.
>
>
> On Thu, Aug 28, 2014 at 11:42 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>
>     I am fairly sure that if you give 'Domain Users' a gidNumber, then
>     it will start to work, you will not get anything from 'getent
>     group' but 'getent group Domain\ Users' should return the groups info.
>
>     Rowland
>
>
>
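The smb.conf posted above mixes backends: the DOMAIN section switches to idmap_rid but keeps `idmap config DOMAIN:schema_mode = rfc2307`, which is an idmap_ad option (man idmap_ad) that the rid backend never reads. The ranges are fine (the default `*` tdb range 2000-4999 does not overlap the rid range 100000-200000), but that is exactly the kind of thing worth checking before `net ads join`, since an overlapping or missing range silently breaks `id user` and `getent`. The following script is an added example from the editor, not code from either poster or from the Samba project; it lints the idmap settings of an smb.conf for the mistakes that most often leave winbind mapping nothing. The sample configs it writes are constructed for the example (one modelled on the posted config with a placeholder realm, one deliberately broken), and the function names are the editor's own.

```shell
#!/bin/sh
# Added example: lint the 'idmap config' lines of an smb.conf before joining.
# Checks: every domain has a backend and a range, the default '*' domain
# exists (BUILTIN and unknown SIDs map through it), ranges do not overlap,
# and idmap_ad-only options (schema_mode) are not set under another backend.

WORK="${TMPDIR:-/tmp}/idmap-lint.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: modelled on the posted config (realm is a placeholder).
SAMPLE_CONF="$WORK/smb.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.EXAMPLE.EDU
   idmap config *:backend = tdb
   idmap config *:range = 2000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 100000-200000
   winbind nss info = rfc2307
EOF

# Constructed sample 2: deliberately broken (overlapping ranges, no '*' domain).
BAD_CONF="$WORK/smb-bad.conf"
cat > "$BAD_CONF" <<'EOF'
[global]
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 1000-5000
   idmap config OTHER:backend = rid
   idmap config OTHER:range = 4000-9000
EOF

# Print one line per idmap domain: "domain backend lo hi schema_mode" ('-' = unset).
idmap_table() {
    awk -F'=' '
    /^[[:space:]]*idmap config / {
        key = $1; val = $2
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        sub(/^idmap config /, "", key)            # "DOMAIN:backend"
        split(key, kv, ":"); d = kv[1]; opt = tolower(kv[2])
        seen[d] = 1
        if (opt == "backend") backend[d] = tolower(val)
        else if (opt == "range") { split(val, r, "-"); lo[d] = r[1] + 0; hi[d] = r[2] + 0 }
        else if (opt == "schema_mode") schema[d] = val
    }
    END {
        for (d in seen)
            printf "%s %s %s %s %s\n", d,
                ((d in backend) ? backend[d] : "-"),
                ((d in lo) ? lo[d] : "-"),
                ((d in hi) ? hi[d] : "-"),
                ((d in schema) ? schema[d] : "-")
    }' "$1" | sort
}

# Print one finding per line; prints nothing for a clean config.
idmap_findings() {
    idmap_table "$1" | awk '
    { n++; d[n] = $1; be[n] = $2; lo[n] = $3; hi[n] = $4; sm[n] = $5 }
    END {
        havedef = 0
        for (i = 1; i <= n; i++) {
            if (d[i] == "*") havedef = 1
            if (be[i] == "-") printf "%s: no backend configured\n", d[i]
            if (lo[i] == "-") printf "%s: no range configured\n", d[i]
            else if (lo[i] + 0 >= hi[i] + 0)
                printf "%s: empty or inverted range %s-%s\n", d[i], lo[i], hi[i]
            if (sm[i] != "-" && be[i] != "ad")
                printf "%s: schema_mode is an idmap_ad option, ignored by backend %s\n", d[i], be[i]
            for (j = i + 1; j <= n; j++)
                if (lo[i] != "-" && lo[j] != "-" && lo[i] + 0 <= hi[j] + 0 && lo[j] + 0 <= hi[i] + 0)
                    printf "%s and %s: ranges overlap (%s-%s vs %s-%s)\n", d[i], d[j], lo[i], hi[i], lo[j], hi[j]
        }
        if (!havedef) print "*: no default idmap backend/range for BUILTIN and unknown domains"
    }'
}

# Number of findings, usable as a pass/fail gate in a deployment script.
idmap_finding_count() { idmap_findings "$1" | wc -l | tr -d ' '; }

for f in "$SAMPLE_CONF" "$BAD_CONF"; do
    echo "== $f: $(idmap_finding_count "$f") finding(s)"
    idmap_findings "$f"
done
```

Run it against the real /etc/samba/smb.conf (`idmap_findings /etc/samba/smb.conf`) before the join; a non-zero count is the cue to fix the config rather than to reinstall packages. The lint only reads the file, so it is safe to run on a live server.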


