[Samba] RSAT - cloud on the horizon

Derek Shaw d3r3kshaw at gmail.com
Thu Jan 22 18:49:39 MST 2015


This useful reply came via email - thank you Matt.

-------- Original Message --------
Subject: 	Re: [Samba] RSAT - cloud on the horizon
Date: 	Mon, 19 Jan 2015 19:24:16 +0000
From: 	Mattias Zhabinskiy <m at ...>
To: 	Derek Shaw <d3r3kshaw at gmail.com>


Hello Derek,

I'm running 2012 R2 AD DCs with native AD rfc2307 schema (never used 
Identity Management for UNIX) and using PowerShell scripts to create 
user and group accounts and populate the following attributes:
    gecos
    gidNumber
    loginShell
    primaryGroupID
    uidNumber
    unixHomeDirectory

to support Samba 4.1.x domain member servers.

Also, all of the above attributes can be set manually using ADUC's 
Attribute Editor by enabling the Advanced Features option under the View menu.

Below are the relevant entries from smb.conf:
    workgroup = DOMAINNAME
    security = ADS
    realm = DOMAINNAME.COM
    encrypt passwords = yes
    local master = no
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config DOMAINNAME:backend = ad
    idmap config DOMAINNAME:schema_mode = rfc2307
    idmap config DOMAINNAME:range = 80001-3100000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind expand groups = 3

nsswitch.conf:
    passwd:      files winbind
    group:       files winbind

password-auth-ac:
    auth        sufficient    pam_winbind.so use_first_pass
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    password    sufficient    pam_winbind.so use_authtok
    session     required      pam_winbind.so use_first_pass

and appropriate symbolic links:
    libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so
    libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2

    pam_smbpass.so -> /usr/local/samba/lib/security/pam_smbpass.so
    pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so

Regards,
Matt

> ________________________________________
> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on behalf of Derek Shaw <d3r3kshaw at gmail.com>
> Sent: Monday, January 19, 2015 1:32 AM
> To: samba at lists.samba.org
> Subject: [Samba] RSAT - cloud on the horizon
>
> I think I see some heavy weather ahead of me:
>
> http://technet.microsoft.com/en-ca/library/dn303411.aspx
>
> specifically w.r.t. Server 2012 r2 (with which I will have to soon(ish)
> wrestle):
>
>> Features Removed or Deprecated in Windows Server 2012 R2
>>...
>> RSAT: Identity management for Unix/NIS
>>
>> The Server for Network Information Service (NIS) Tools option of
>> Remote Server Administration Tools (RSAT) is deprecated. Use native
>> LDAP, Samba Client, Kerberos, or non-Microsoft options.
>
> I have recently fixed a problem with using a samba4 member server in a
> domain controlled by a windows 2008r2 AD-DC by installing the role
> service described in the technet article/quote.  I fully expect to run
> into this issue again with server 2012 R2 DCs deployed elsewhere in my
> client base.
>
> Surely someone has run into this situation already.
>
> I have no idea how to configure "native LDAP, Samba Client, Kerberos, or
> non-Microsoft options" to provide the necessary information for the
> member server (essentially NIS group, GID and UID).  Nor really any idea
> of where to begin looking.  I'd be surprised if the technet author had
> the first clue.
>
> Can anybody provide links to relevant documentation that might be usable
> by a Microsoft-phobic SA who will likely have to deal with the issue in
> the future?
>
> Any other thoughts?
>
> Thanks in advance!
> d.
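As an added example (not Matt's script and not part of this thread), this is how a PowerShell script of the kind Matt describes could create a group and a user carrying the rfc2307 attributes he lists, while keeping uidNumber and gidNumber inside the range the member server's `idmap config DOMAINNAME:range` expects. The OU paths, the account name and the password prompt are assumptions; the domain name and ID range are taken from the smb.conf above.

```powershell
# Added example, not Matt's script. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller can create objects in the target OUs.
Import-Module ActiveDirectory

# Hypothetical OUs; DOMAINNAME.COM and the ID range come from Matt's smb.conf.
$Domain     = 'DOMAINNAME.COM'
$UserOU     = 'OU=Unix Users,DC=DOMAINNAME,DC=COM'
$GroupOU    = 'OU=Unix Groups,DC=DOMAINNAME,DC=COM'
$RangeStart = 80001      # must fall inside "idmap config DOMAINNAME:range"
$RangeEnd   = 3100000

# Next free ID in the range: scan what is already in the directory so that
# two runs of the script never hand out the same uidNumber/gidNumber.
function Get-NextFreeId([string]$Attribute) {
    $used = Get-ADObject -LDAPFilter "($Attribute=*)" -Properties $Attribute |
            ForEach-Object { [int]$_.$Attribute } |
            Where-Object { $_ -ge $RangeStart -and $_ -le $RangeEnd }
    $next = if ($used) { ([int[]]$used | Measure-Object -Maximum).Maximum + 1 } else { $RangeStart }
    if ($next -gt $RangeEnd) { throw "No free $Attribute left in $RangeStart-$RangeEnd" }
    return $next
}

# 1. Group with a gidNumber, so winbind on the member server can resolve it.
$gid   = Get-NextFreeId 'gidNumber'
$group = New-ADGroup -Name 'unixusers' -GroupScope Global -GroupCategory Security `
           -Path $GroupOU -OtherAttributes @{ gidNumber = $gid } -PassThru

# 2. User with the attributes Matt lists (gecos, uidNumber, gidNumber,
#    loginShell, unixHomeDirectory). primaryGroupID is handled in step 3.
$sam  = 'jdoe'
$uid  = Get-NextFreeId 'uidNumber'
$user = New-ADUser -Name 'Jane Doe' -SamAccountName $sam `
          -UserPrincipalName "$sam@$Domain" -Path $UserOU `
          -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true `
          -OtherAttributes @{
              gecos             = 'Jane Doe'
              uidNumber         = $uid
              gidNumber         = $gid
              loginShell        = '/bin/bash'
              unixHomeDirectory = "/home/$sam"
          } -PassThru

# 3. primaryGroupID is the group's RID, and AD only accepts the change once the
#    user is already a member of that group, so add membership first, then switch.
Add-ADGroupMember -Identity $group -Members $user
$rid = (Get-ADGroup -Identity $group -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }
```

On the member server, `getent passwd jdoe` and `getent group unixusers` should then return the uidNumber and gidNumber set here; if they do not, check that the values lie inside the configured idmap range before looking elsewhere.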
