[Samba] CentOS Samba as Domain Member
mikemol at gmail.com
Fri Feb 14 09:57:38 MST 2014
On Fri, 14 Feb 2014 14:03:11 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
> > On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
> >> Hi,
> >> yes, I installed it via yum. But the links under /lib were not
> >> available:
> >> rpm -qa | grep samba
> >> samba-winbind-clients-3.6.9-167.el6_5.x86_64
> >> samba-3.6.9-167.el6_5.x86_64
> >> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> >> samba-client-3.6.9-167.el6_5.x86_64
> >> samba-winbind-3.6.9-167.el6_5.x86_64
> >> samba-common-3.6.9-167.el6_5.x86_64
> >> Wondering a bit about samba4-libs....
> >>> Did samba4-libs get installed automatically ?
> > I would like to say yes, but I can't reproduce it. I got a really
> > clean install and just install some basic packages. Puppet ensured
> > that "samba" is present. I uninstall all and clean it up to
> > reinstall it through puppet again and now The samba4-libs aren't
> > installed....
> Strange, but you dont need samba4-libs anyway.
> >> I connecting against a active directory.
> >> # smb.conf
> >> #======================= Global Settings
> >> =====================================
> >> [global]
> >> workgroup = DOM_RAT
> >> server string = Samba Server Version %M
> >> security = ADS
> >> realm = DOM.DE
> >> workgroup = DOM_RAT
> >> winbind separator = +
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> template homedir = /home/%D/%U
> >> template shell = /bin/bash
> >> client use spnego = yes
> >> client ntlmv2 auth = yes
> >> encrypt passwords = yes
> >> winbind use default domain = yes
> >> restrict anonymous = 2
> >> domain master = no
> >> local master = no
> >> preferred master = no
> >> os level = 0
> >> winbind offline logon = no
> >>> OK, you need to add something like this:
> >>> kerberos method = secrets and keytab
> >>> winbind expand groups = 4
> >>> winbind nss info = rfc2307
> >>> winbind refresh tickets = Yes
> >>> winbind normalize names = Yes
> >>> idmap config DOM_RAT:schema_mode = rfc2307
> >>> idmap config DOM_RAT:range = 500-40000
> >>> idmap config DOM_RAT:backend = ad
> >>> idmap config *:range = 70001-80000
> >>> idmap config *:backend = tdb
> >>> Then restart samba, this will rely on the RFC2307 uidNumber &
> >>> gidNumber attributes being available in AD, if not change 'idmap
> >>> config DOM_RAT:backend = ad' to ' idmap config DOM_RAT:backend =
> >>> rid'
> > Yay! That's it. With backend = rid it works finaly!
> > Thank you very much!
> You are welcome, but be aware that without the RFC2307 attributes you
> could have different id numbers on different samba servers.
But that's what RID is for...it deterministically hashes down based on
available data. I suppose collisions are possible, but they're
unlikely. (Depending on how many users and groups you have, and the
size of your range, of course! If you've got fifty users and fifty IDs,
there will probably be a collision somewhere. I'd have to look up
the "birthday problem" to refresh myself on the math.)
Incidentally, using autorid here. Same host software versions as
Bjoern. Works beautifully, except for RPC printing from a Win2k12
server, but I've given up on that.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 490 bytes
Desc: not available
More information about the samba