[Samba] CentOS Samba as Domain Member

Bjoern.Becker at easycash.de
Fri Feb 14 10:41:37 MST 2014


On Fri, 14 Feb 2014 14:03:11 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
> > On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
> >> Hi,
> >>
> >> yes, I installed it via yum. But the links under /lib were not
> >> available:
> >>
> >> rpm -qa | grep samba
> >> samba-winbind-clients-3.6.9-167.el6_5.x86_64
> >> samba-3.6.9-167.el6_5.x86_64
> >> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> >> samba-client-3.6.9-167.el6_5.x86_64
> >> samba-winbind-3.6.9-167.el6_5.x86_64
> >> samba-common-3.6.9-167.el6_5.x86_64
> >>
> >> Wondering a bit about samba4-libs....
> >>> Did samba4-libs get installed automatically ?
> > I would like to say yes, but I can't reproduce it. I got a really 
> > clean install and just installed some basic packages. Puppet ensured 
> > that "samba" is present. I uninstalled everything and cleaned it up to 
> > reinstall it through puppet again and now the samba4-libs aren't 
> > installed....
> 
> Strange, but you don't need samba4-libs anyway.
> 
> >
> >> I am connecting against an Active Directory.
> >>
> >> # smb.conf
> >> #======================= Global Settings =====================================
> >> 	
> >> [global]
> >> 	
> >> 	workgroup = DOM_RAT
> >> 	server string = Samba Server Version %M
> >>           security = ADS
> >> 	realm = DOM.DE
> >>           workgroup = DOM_RAT
> >> 	winbind separator = +
> >> 	winbind enum users = yes
> >> 	winbind enum groups = yes
> >> 	template homedir = /home/%D/%U
> >> 	template shell = /bin/bash
> >> 	client use spnego = yes
> >> 	client ntlmv2 auth = yes
> >> 	encrypt passwords = yes
> >> 	winbind use default domain = yes
> >> 	restrict anonymous = 2
> >> 	domain master = no
> >> 	local master = no
> >> 	preferred master = no
> >> 	os level = 0
> >> 	winbind offline logon = no
> >>> OK, you need to add something like this:
> >>>          kerberos method = secrets and keytab
> >>>          winbind expand groups = 4
> >>>          winbind nss info = rfc2307
> >>>          winbind refresh tickets = Yes
> >>>          winbind normalize names = Yes
> >>>          idmap config DOM_RAT:schema_mode = rfc2307
> >>>          idmap config DOM_RAT:range = 500-40000
> >>>          idmap config DOM_RAT:backend = ad
> >>>          idmap config *:range = 70001-80000
> >>>          idmap config *:backend = tdb
> >>>
> >>> Then restart samba, this will rely on the RFC2307 uidNumber & gidNumber
> >>> attributes being available in AD, if not change
> >>> 'idmap config DOM_RAT:backend = ad' to 'idmap config DOM_RAT:backend = rid'
> > Yay! That's it. With backend = rid it works finally!
> >
> > Thank you very much!
> 
> You are welcome, but be aware that without the RFC2307 attributes you 
> could have different id numbers on different samba servers.

>> But that's what RID is for...it deterministically hashes down based on available data. I suppose collisions are possible, but they're unlikely.
>> (Depending on how many users and groups you have, and the size of your range, of course! If you've got fifty users and fifty IDs, there will probably be a collision somewhere. I'd have to look up the "birthday problem" to 
>> refresh myself on the math.)

> Incidentally, using autorid here. Same host software versions as Bjoern. Works beautifully, except for RPC printing from a Win2k12 server, but I've given up on that.


I got 2693 users and 1438 groups actually. But I have to say, I don't understand what the problem should be; this configuration is for domain members only. 
I don't understand how a collision can happen...

Björn
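
The following is an added example, not part of the original thread. It applies the formula documented in the idmap_rid(8) man page (ID = RID - BASE_RID + LOW_RANGE_ID) to the `500-40000` range from the smb.conf above, and reports which RIDs a member cannot map and which map to different Unix IDs on two members. The host names, the second range and the sample RIDs are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

def parse_range(value: str) -> Tuple[int, int]:
    """Parse an smb.conf 'idmap config DOM:range' value such as '500-40000'."""
    low, high = (int(part) for part in value.split("-"))
    if low > high:
        raise ValueError("range low bound exceeds high bound: " + value)
    return low, high

def rid_to_unix_id(rid: int, id_range: str, base_rid: int = 0) -> Optional[int]:
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = parse_range(id_range)
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None
    return unix_id

def unix_id_to_rid(unix_id: int, id_range: str, base_rid: int = 0) -> Optional[int]:
    """Inverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    low, high = parse_range(id_range)
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low

def compare_hosts(rids: List[int], ranges: Dict[str, str]) -> dict:
    """Find RIDs a host cannot map and RIDs that map differently between hosts."""
    unmapped = {host: [r for r in rids if rid_to_unix_id(r, rng) is None]
                for host, rng in ranges.items()}
    inconsistent = [r for r in rids
                    if len({rid_to_unix_id(r, rng) for rng in ranges.values()}) > 1]
    return {"unmapped": unmapped, "inconsistent": inconsistent}

# Constructed sample data: RIDs 500 and 513 are the well-known Administrator
# and Domain Users RIDs; the others are made up. "member-a" uses the range
# from the thread, "member-b" is a hypothetical member with a different range.
SAMPLE_RIDS = [500, 513, 1104, 3795, 45000]
HOSTS = {"member-a": "500-40000", "member-b": "10000-99999"}

if __name__ == "__main__":
    for host, rng in HOSTS.items():
        ids = [rid_to_unix_id(r, rng) for r in SAMPLE_RIDS]
        print(host, rng, dict(zip(SAMPLE_RIDS, ids)))
    print(compare_hosts(SAMPLE_RIDS, HOSTS))
```

With identical `range` settings on every member the mapping is the same everywhere, so file ownership stays consistent between servers; RIDs that exceed the range simply get no Unix ID on that member.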


