[Samba] CentOS Samba as Domain Member

Bjoern.Becker at easycash.de Bjoern.Becker at easycash.de
Fri Feb 14 11:22:23 MST 2014


On 14/02/14 17:41, Bjoern.Becker at easycash.de wrote:
> On Fri, 14 Feb 2014 14:03:11 +0000
> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
>>> On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
>>>> Hi,
>>>>
>>>> yes, I installed it via yum. But the links under /lib were not
>>>> available:
>>>>
>>>> rpm -qa | grep samba
>>>> samba-winbind-clients-3.6.9-167.el6_5.x86_64
>>>> samba-3.6.9-167.el6_5.x86_64
>>>> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
>>>> samba-client-3.6.9-167.el6_5.x86_64
>>>> samba-winbind-3.6.9-167.el6_5.x86_64
>>>> samba-common-3.6.9-167.el6_5.x86_64
>>>>
>>>> Wondering a bit about samba4-libs....
>>>>> Did samba4-libs get installed automatically ?
>>> I would like to say yes, but I can't reproduce it. I got a really 
>>> clean install and just install some basic packages. Puppet ensured 
>>> that "samba" is present. I uninstall all and clean it up to 
>>> reinstall it through puppet again and now the samba4-libs aren't 
>>> installed....
>> Strange, but you don't need samba4-libs anyway.
>>
>>>> I am connecting against an Active Directory.
>>>>
>>>> # smb.conf
>>>> #======================= Global Settings =====================================
>>>> 	
>>>> [global]
>>>> 	
>>>> 	workgroup = DOM_RAT
>>>> 	server string = Samba Server Version %M
>>>>            security = ADS
>>>> 	realm = DOM.DE
>>>>            workgroup = DOM_RAT
>>>> 	winbind separator = +
>>>> 	winbind enum users = yes
>>>> 	winbind enum groups = yes
>>>> 	template homedir = /home/%D/%U
>>>> 	template shell = /bin/bash
>>>> 	client use spnego = yes
>>>> 	client ntlmv2 auth = yes
>>>> 	encrypt passwords = yes
>>>> 	winbind use default domain = yes
>>>> 	restrict anonymous = 2
>>>> 	domain master = no
>>>> 	local master = no
>>>> 	preferred master = no
>>>> 	os level = 0
>>>> 	winbind offline logon = no
>>>>> OK, you need to add something like this:
>>>>>           kerberos method = secrets and keytab
>>>>>           winbind expand groups = 4
>>>>>           winbind nss info = rfc2307
>>>>>           winbind refresh tickets = Yes
>>>>>           winbind normalize names = Yes
>>>>>           idmap config DOM_RAT:schema_mode = rfc2307
>>>>>           idmap config DOM_RAT:range = 500-40000
>>>>>           idmap config DOM_RAT:backend = ad
>>>>>           idmap config *:range = 70001-80000
>>>>>           idmap config *:backend = tdb
>>>>> Then restart samba, this will rely on the RFC2307 uidNumber &
>>>>> gidNumber attributes being available in AD, if not change
>>>>> 'idmap config DOM_RAT:backend = ad' to
>>>>> 'idmap config DOM_RAT:backend = rid'
>>> Yay! That's it. With backend = rid it works finally!
>>>
>>> Thank you very much!
>> You are welcome, but be aware that without the RFC2307 attributes you 
>> could have different id numbers on different samba servers.
>>> But that's what RID is for...it deterministically hashes down based on available data. I suppose collisions are possible, but they're unlikely.
>>> (Depending on how many users and groups you have, and the size of 
>>> your range, of course! If you've got fifty users and fifty IDs, 
>>> there will probably be a collision somewhere. I'd have to look up 
>>> the "birthday problem" to refresh myself on the math.)
>> Incidentally, using autorid here. Same host software versions as Bjoern. Works beautifully, except for RPC printing from a Win2k12 server, but I've given up on that.
>
> I got 2693 users and 1438 groups actually. But I have to say, I don't understand what the problem should be, this configuration is for domain members only.
> I don't understand how a collision can happen...
>
> Björn
>

> Sorry, what I really meant was, if you use exactly the same winbind settings on every Linux machine, you shouldn't have any problems, but if you are using any samba4 AD DCs, you will get different id numbers.


> Rowland


Ah okay, thanks for explaining! 

Björn
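
Added example (not part of the original thread and not Samba's own code): a sketch of the mapping documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, showing why identical rid ranges give the same IDs on every domain member while differing ranges do not. The 500-40000 range is the one from the smb.conf above; the RIDs and the second range are constructed sample values.

```python
from typing import Optional

def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside the configured range,
    in which case winbind has no mapping for that account.
    """
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def compare_members(rids, range_a, range_b):
    """Compare the IDs two member servers derive for the same RIDs.

    range_a / range_b are (low, high) tuples taken from each server's
    'idmap config DOMAIN:range' line.
    """
    rows = []
    for rid in rids:
        a = rid_to_unix_id(rid, *range_a)
        b = rid_to_unix_id(rid, *range_b)
        if a is None or b is None:
            status = "unmapped"
        elif a == b:
            status = "consistent"
        else:
            status = "mismatch"
        rows.append((rid, a, b, status))
    return rows

def ids_are_unique(rids, low, high):
    """A linear offset keeps distinct RIDs of one domain on distinct IDs."""
    ids = [rid_to_unix_id(r, low, high) for r in rids]
    mapped = [i for i in ids if i is not None]
    return len(mapped) == len(set(mapped))

if __name__ == "__main__":
    sample_rids = [500, 513, 1104, 2693, 39600]   # constructed sample RIDs
    page_range = (500, 40000)                     # range from the thread
    other_range = (10000, 49999)                  # hypothetical second member
    for row in compare_members(sample_rids, page_range, page_range):
        print("same settings:     ", row)
    for row in compare_members(sample_rids, page_range, other_range):
        print("different settings:", row)
    print("unique:", ids_are_unique(sample_rids, *page_range))
```

A RID whose computed ID exceeds the upper bound (39600 with the 500-40000 range) gets no mapping at all, so the range must be sized for the highest RID in the domain.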



