[Samba] Samba 4 to replicate my samba3.6 config

Rowland Penny rowlandpenny at googlemail.com
Fri Oct 17 08:54:56 MDT 2014


On 17/10/14 15:04, Justin Cooper-Marsh wrote:
> Ok Thanks.
>
> Is samba4 capable of just using our AD servers as an authentication method, then using the logon from windows to map to their corresponding linux user as it is in samba 3?
Yes, what you are describing is known as a 'member server' and is what you 
have set samba4 up as. You would have all your users stored only in AD. 
The best way to authenticate your linux users would be to give them the 
required rfc2307 attributes in AD and then use something to pull these 
attributes from AD, but this would require 'Service for NIS' being added 
to AD. If the attributes are in AD, you could then use nslcd, sssd or 
winbind (with the ad backend) to get your linux users from AD, this way 
any users in AD that do not have the attributes would be ignored. If you 
wanted all your AD users to be linux users and do not want to use the 
rfc2307 attributes, you could use sssd or winbind (rid backend) to get 
your users.

Just one further thought, if you do go down the AD route, you will need 
to join ALL your linux machines to the domain and set up samba appropriately.

Rowland
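An added example (my own, not code from this thread or from the Samba project): a small Python checker for the idmap layout discussed above. It parses the "idmap config" lines of the two configs quoted in this thread, flags the original "idmap config * : backend = rid" (the default domain needs an allocating backend such as tdb, which is what the suggested config uses) and any overlapping ranges, and shows the idmap_rid arithmetic that turns a RID into a uid inside the 10000-20000 range.

```python
import re
# Constructed sample input (not from smb.conf itself): the idmap lines of the two
# configs quoted in this thread, the original one and the suggested replacement.
ORIGINAL_CONF = """idmap config * : backend = rid
idmap config * : range = 10000-20000"""
FIXED_CONF = """idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-20000"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
# The default (*) domain maps BUILTIN and unknown SIDs and needs an allocating
# backend such as tdb; rid and ad are only meaningful for a named domain.
DEFAULT_BACKENDS = {"tdb", "tdb2", "ldap", "autorid"}

def parse_idmap(conf):
    """Collect 'idmap config DOMAIN : key = value' lines, keyed by domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def parse_range(spec):
    lo, hi = spec.split("-")
    return int(lo), int(hi)

def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap layout is sane."""
    domains, problems, seen = parse_idmap(conf), [], []
    for dom, cfg in domains.items():
        backend = cfg.get("backend", "").lower()
        if not backend or "range" not in cfg:
            problems.append(f"{dom}: both backend and range are required")
            continue
        if dom == "*" and backend not in DEFAULT_BACKENDS:
            problems.append(f"*: backend '{backend}' is not valid for the default domain; use tdb")
        lo, hi = parse_range(cfg["range"])
        for other, olo, ohi in seen:  # ranges of different domains must never overlap
            if lo <= ohi and olo <= hi:
                problems.append(f"{dom}: range {lo}-{hi} overlaps {other} ({olo}-{ohi})")
        seen.append((dom, lo, hi))
    return problems

def rid_to_uid(rid, range_spec, base_rid=0):
    """idmap_rid rule: ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    lo, hi = parse_range(range_spec)
    uid = rid - base_rid + lo
    return uid if lo <= uid <= hi else None
```

Running check_idmap over a real smb.conf before restarting winbind catches the two classic mistakes (a per-domain backend on "*" and overlapping ranges) that otherwise only show up as unmapped SIDs on the shares.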

>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: 17 October 2014 14:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4 to replicate my samba3.6 config
>
> On 17/10/14 14:04, Justin Cooper-Marsh wrote:
>> Our main file servers are linux based
>>
>> Users have both windows and linux users which samba 3.6 deals with fine.
>>
>> The groups around the shares have always been controlled by our NIS.
>>
>> The samba was just complementary to allow windows users on the shares.
>>
>> Am I looking at Samba4 the completely wrong way?
> Well, looking at the way you have set samba4 up, yes. With samba3, users had to be both linux & samba users i.e. they have to appear both in /etc/passwd and the samba database. You can use samba4 just like samba3, but the way you have set samba4 (ADS) your users have to be stored on your AD DC and winbind pulls the user info from there.
>
> If I were you, I would do a bit more investigating before deciding which way to go, it may help if you can get your windows admins to add 'Service for NIS' (also known as SFU), you could then store ALL your users in AD and use the rfc2307 attributes for your linux users.
>
> I would start your investigations here:
> https://wiki.samba.org/index.php/Main_Page
>
> If you have any further questions, you know where we are ;-)
>
> Rowland
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: 17 October 2014 13:49
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4 to replicate my samba3.6 config
>>
>> On 17/10/14 13:34, Justin Cooper-Marsh wrote:
>>> Still the same issue
>>>
>>> A slight development: when I use force group development and chown
>>> the group, all works
>>>
>>> If I leave the group as is, it should authenticate as a unix user in my instance "jcm".
>>>
>>> It does not. Perhaps the window/unix user mapping is not in place.
>> idmap config * : backend = tdb
>> idmap config * : range = 30000-40000
>>
>> The above maps the windows builtin users & groups to the range '30000-40000'
>>
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 10000-20000
>>
>> The above should map your windows users & groups to the range '10000-20000'
>>
>> Your users & groups are in AD, aren't they ?
>>
>> Rowland
>>
>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: 17 October 2014 13:18
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba 4 to replicate my samba3.6 config
>>>
>>> On 17/10/14 12:18, Justin Cooper-Marsh wrote:
>>>> The security server for the samba 3 config is a Windows 2008 Active
>>>> Directory server
>>>>
>>>> I have run net ads join on the samba 4 server to allow the winbindd to authenticate. Until I did this I was unable to authenticate from a windows PC.
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: samba-bounces at lists.samba.org
>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>> Sent: 17 October 2014 11:51
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba 4 to replicate my samba3.6 config
>>>>
>>>> On 17/10/14 11:36, Justin Cooper-Marsh wrote:
>>>>> [global]
>>>>>
>>>>>         workgroup = CBL
>>>>>         netbios name = NEWVSBUILD
>>>>>         null passwords = yes
>>>>>         fake oplocks = yes
>>>>>         log level = 1
>>>>>
>>>>>         server string = Engsvr
>>>>>         log file = /var/log/samba-engsvr/log.%m
>>>>>         lock directory = /var/run/samba-engsvr
>>>>>         state directory = /var/lib/samba-engsvr
>>>>>         cache directory = /var/cache/samba-engsvr
>>>>>         pid directory = /var/run/samba-engsvr
>>>>>         private dir = /var/lib/samba-engsvr
>>>>>         max log size = 512
>>>>>         security = server
>>>>>         password server = dc1, dc2, dc3
>>>>>
>>>>>         password level = 8
>>>>>         username level = 8
>>>>> #vfs objects = extd_audit
>>>>>
>>>>>
>>>>> #  socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=16384
>>>>>        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>>>>>
>>>>> # Configure Samba to use multiple interfaces
>>>>> # If you have multiple network interfaces then you must list them
>>>>> # here. See the man page for details.
>>>>> ;   interfaces = 192.168.12.2/24 192.168.13.2/24
>>>>> interfaces = eth0
>>>>> bind interfaces only = Yes
>>>>>
>>>>> # Configure remote browse list synchronisation here
>>>>> #  request announcement to, or browse list sync from:
>>>>> #       a specific host or from / to a whole subnet (see below)
>>>>> ;   remote browse sync = 192.168.3.25 192.168.5.255
>>>>> # Cause this host to announce itself to local subnets here
>>>>> ;   remote announce = 192.168.1.255 192.168.2.44
>>>>> remote announce = 172.24.0.255 172.16.8.255 172.16.4.255
>>>>>
>>>>> # Browser Control Options:
>>>>> # set local master to no if you don't want Samba to become a master
>>>>> # browser on your network. Otherwise the normal election rules apply
>>>>>         local master = no
>>>>>
>>>>> name resolve order = host wins lmhosts bcast
>>>>>
>>>>>         wins server = 10.0.0.184
>>>>>
>>>>> #============================ Share Definitions ==============================
>>>>>
>>>>> # This one is useful for people to share files
>>>>>
>>>>> [scratch]
>>>>>       comment = Scratch folders
>>>>>       path = /scratch
>>>>>       valid users = @development @test-ver @cvs
>>>>>       browseable = yes
>>>>>       writable = yes
>>>>>       locking = yes
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: samba-bounces at lists.samba.org
>>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>>>> Sent: 17 October 2014 11:31
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Samba 4 to replicate my samba3.6 config
>>>>>
>>>>> On 17/10/14 11:26, Justin Cooper-Marsh wrote:
>>>>>> We are running Arch Linux as a new server, which only has samba4
>>>>>> available officially. I am trying to migrate my samba 3 config to
>>>>>> work with samba 4
>>>>>>
>>>>>>
>>>>>> I currently use samba to authenticate windows users to use our Linux shares. Then using the Unix groups setup in NIS to validate the users' access to a particular share.
>>>>>>
>>>>>> Here is the problem.
>>>>>>
>>>>>> I can see the shares using samba 4 but it uses the "Domain users" group to read and write to the shares and not any of the Unix groups.
>>>>>>
>>>>>> Any Suggestions?
>>>>>>
>>>>>>
>>>>>> My samba 4 config
>>>>>>
>>>>>>
>>>>>>
>>>>>> [Global]
>>>>>>         netbios name = newvsbuild
>>>>>>         workgroup = mydomain
>>>>>>         realm = mydomain.local
>>>>>>         server string = %h ArchLinux Host
>>>>>>         security = ads
>>>>>>         encrypt passwords = yes
>>>>>>         #password server = dc1.cambridgebroadband.com
>>>>>>
>>>>>>         idmap config * : backend = rid
>>>>>>         idmap config * : range = 10000-20000
>>>>>>
>>>>>>         winbind use default domain = Yes
>>>>>>         winbind enum users = Yes
>>>>>>         winbind enum groups = Yes
>>>>>>         winbind nested groups = Yes
>>>>>>         winbind separator = @
>>>>>>         winbind refresh tickets = yes
>>>>>>
>>>>>>         template shell = /bin/bash
>>>>>>         template homedir = /home/%D/%U
>>>>>>
>>>>>>         preferred master = no
>>>>>>         dns proxy = no
>>>>>>         wins server = cb-dc1.cambridgebroadband.com
>>>>>>         wins proxy = no
>>>>>>
>>>>>>         inherit acls = Yes
>>>>>>         map acl inherit = Yes
>>>>>>         acl group control = yes
>>>>>>
>>>>>> # load printers = no
>>>>>>         debug level = 3
>>>>>>         use sendfile = no
>>>>>>
>>>>>>
>>>>>> [share]
>>>>>> comment = Scratch folders
>>>>>> path = /scratch
>>>>>> valid users = @development @cvs
>>>>>> browseable = yes
>>>>>> writable = yes
>>>>>> locking = yes
>>>>>> create mode = 0770
>>>>>> directory mode = 0770
>>>>>>
>>>>>>
>>>>>> Cambridge Broadband Networks Limited (CBNL) is registered in England and Wales at Byron House, Cambridge Business Park, Cowley Road, Cambridge CB4 0WZ under company registration number 3879840. CBNL is the market leader in carrier-class multipoint microwave backhaul and access solutions, serving customers in over 40 countries across the globe.
>>>>>>        
>>>>>> This e-mail and any attachments to it are confidential. If you are not the intended recipient, please send an e-mail to the sender stating that it has been received in error and then delete all copies of it immediately. Any views expressed may not be the views of CBNL. Please only print this email if necessary.
>>>>> Hi, any chance that you can post your samba3 smb.conf ?
>>>>>
>>>>> Rowland
>>>>>
>>>> OK, trying to understand this, it looks as if your original S3
>>>> machine uses another machine for authentication (security = server),
>>>> just what is this machine ? another samba machine or a windows server ?
>>>>
>>>> Your samba4 machine appears to be a domain member, is it joined to a
>>>> domain ?
>>>>
>>>> Rowland
>>>>
>>> OK, try changing smb.conf to this:
>>>
>>> [Global]
>>>       workgroup = MYDOMAIN
>>>       realm = MYDOMAIN.LOCAL
>>>       server string = %h ArchLinux Host
>>>       security = ADS
>>>       dedicated keytab file = /etc/krb5.keytab
>>>       kerberos method = secrets and keytab
>>>       idmap config * : backend = tdb
>>>       idmap config * : range = 30000-40000
>>>       idmap config MYDOMAIN : backend = rid
>>>       idmap config MYDOMAIN : range = 10000-20000
>>>
>>>       winbind use default domain = Yes
>>>       winbind enum users = Yes
>>>       winbind enum groups = Yes
>>>       winbind nested groups = Yes
>>>       winbind separator = @
>>>       winbind refresh tickets = yes
>>>
>>>       template shell = /bin/bash
>>>       template homedir = /home/%D/%U
>>>
>>>       preferred master = no
>>>       dns proxy = no
>>>       wins server = cb-dc1.cambridgebroadband.com
>>>       wins proxy = no
>>>
>>>       inherit acls = Yes
>>>       map acl inherit = Yes
>>>       acl group control = yes
>>>
>>> # load printers = no
>>>       debug level = 3
>>>       use sendfile = no
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>
>


