[Samba] CentOS Samba as Domain Member
Bjoern.Becker at easycash.de
Fri Feb 14 10:41:37 MST 2014
On Fri, 14 Feb 2014 14:03:11 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
> > On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
> >> Hi,
> >>
> >> yes, I installed it via yum. But the links under /lib were not
> >> available:
> >>
> >> rpm -qa | grep samba
> >> samba-winbind-clients-3.6.9-167.el6_5.x86_64
> >> samba-3.6.9-167.el6_5.x86_64
> >> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> >> samba-client-3.6.9-167.el6_5.x86_64
> >> samba-winbind-3.6.9-167.el6_5.x86_64
> >> samba-common-3.6.9-167.el6_5.x86_64
> >>
> >> Wondering a bit about samba4-libs....
> >>> Did samba4-libs get installed automatically ?
> > I would like to say yes, but I can't reproduce it. I got a really
> > clean install and just installed some basic packages. Puppet ensured
> > that "samba" is present. I uninstalled everything and cleaned it up to
> > reinstall it through puppet again and now the samba4-libs aren't
> > installed....
>
> Strange, but you don't need samba4-libs anyway.
>
> >
> >> I am connecting against an Active Directory.
> >>
> >> # smb.conf
> >> #======================= Global Settings =====================================
> >>
> >> [global]
> >>
> >> workgroup = DOM_RAT
> >> server string = Samba Server Version %M
> >> security = ADS
> >> realm = DOM.DE
> >> workgroup = DOM_RAT
> >> winbind separator = +
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> template homedir = /home/%D/%U
> >> template shell = /bin/bash
> >> client use spnego = yes
> >> client ntlmv2 auth = yes
> >> encrypt passwords = yes
> >> winbind use default domain = yes
> >> restrict anonymous = 2
> >> domain master = no
> >> local master = no
> >> preferred master = no
> >> os level = 0
> >> winbind offline logon = no
> >>> OK, you need to add something like this:
> >>> kerberos method = secrets and keytab
> >>> winbind expand groups = 4
> >>> winbind nss info = rfc2307
> >>> winbind refresh tickets = Yes
> >>> winbind normalize names = Yes
> >>> idmap config DOM_RAT:schema_mode = rfc2307
> >>> idmap config DOM_RAT:range = 500-40000
> >>> idmap config DOM_RAT:backend = ad
> >>> idmap config *:range = 70001-80000
> >>> idmap config *:backend = tdb
> >>> Then restart samba, this
> >>> will rely on the RFC2307 uidNumber & gidNumber attributes being
> >>> available in AD, if not change 'idmap config DOM_RAT:backend = ad'
> >>> to 'idmap config DOM_RAT:backend = rid'
> > Yay! That's it. With backend = rid it works finally!
> >
> > Thank you very much!
>
> You are welcome, but be aware that without the RFC2307 attributes you
> could have different id numbers on different samba servers.
>> But that's what RID is for...it deterministically hashes down based on available data. I suppose collisions are possible, but they're unlikely.
>> (Depending on how many users and groups you have, and the size of your range, of course! If you've got fifty users and fifty IDs, there will probably be a collision somewhere. I'd have to look up the "birthday problem" to
>> refresh myself on the math.)
> Incidentally, using autorid here. Same host software versions as Bjoern. Works beautifully, except for RPC printing from a Win2k12 server, but I've given up on that.
I got 2693 users and 1438 groups actually. But I have to say, I don't understand what the problem should be, this configuration is for domain members only.
I don't understand how a collision can happen...
Björn
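
Added example, not part of the original thread and not Samba code: idmap_rid(8) documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, so the sketch below compares that arithmetic with a simplified model of an allocating backend such as tdb. The SIDs are constructed, and TdbAllocator is a hypothetical stand-in, not Samba's implementation.

```python
# Added illustration; names and SIDs below are assumptions, not from the thread.
LOW, HIGH = 500, 40000   # 'idmap config DOM_RAT:range = 500-40000' from the thread
BASE_RID = 0             # idmap_rid default base_rid

def rid_to_id(sid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

class TdbAllocator:
    """Simplified allocating backend: hands out the next free ID on first lookup."""
    def __init__(self, low, high):
        self.next_id, self.high, self.table = low, high, {}

    def sid_to_id(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                return None          # range exhausted
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]

# Constructed sample SIDs (the domain part is made up).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB, HIGH_RID = f"{DOM}-1104", f"{DOM}-1105", f"{DOM}-52000"

def compare():
    """Return the IDs two domain members would hand out for the same SIDs."""
    server_a = TdbAllocator(70001, 80000)
    server_b = TdbAllocator(70001, 80000)
    a = [server_a.sid_to_id(s) for s in (ALICE, BOB)]   # A sees alice first
    b = [server_b.sid_to_id(s) for s in (BOB, ALICE)]   # B sees bob first
    return {
        "rid_alice": rid_to_id(ALICE),        # same on every member with this range
        "rid_bob": rid_to_id(BOB),            # distinct RIDs give distinct IDs
        "rid_high": rid_to_id(HIGH_RID),      # RID too large for 500-40000
        "rid_alice_other_range": rid_to_id(ALICE, low=10000, high=50000),
        "tdb_alice_on_a": a[0],
        "tdb_alice_on_b": b[1],               # differs: depends on lookup order
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:24} {value}")
```

With rid, members agree on an ID only when they share the same range and base_rid, and a RID that maps past the top of the range gets no ID at all; this matters wherever file ownership is compared across servers.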