[Samba] Did you get my previous email? Not Spam.

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 26 07:33:28 MST 2015


On 26/01/15 10:21, Jason Long wrote:
> Thanks.
>
> The videos show me how to configure the files below:
>
> /etc/nsswitch.conf :
> hosts:       files dns mdns4
>
> then
>
> /etc/sudoers :
> DOMAINNAME\\ACCOUNT ALL=(ALL) ALL
> %DOMAINNAME\\domain^users ALL=(ALL) ALL
>
> and after it, Installed Likewiseopen. The video url is :
>
> www.youtube.com/watch?v=Y3TFPDT9uic
>
>
> Can you look at it?
>
> Thanks.
>
>
>
>
>
> On Sunday, January 25, 2015 4:30 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 25/01/15 10:40, Jason Long wrote:
>> Thanks a lot Bro.
>> I changed the configuration and it shows me:
>>
>>
>> # net ads join -U jokar at hamshahri.ir
>>
>> # net ads testjoin
>> Join is OK
>>
>>
>> The problem is that, I can't login to Linux via AD user!!!.
>>
>> I have a question. As you know, I used a YouTube video to change PAM too. In your opinion, is it necessary? Can you revisit the video?
>>
> No, as I never looked at and now cannot seem to find the URL.
>
> If I remember correctly, you are running CentOS and if so should be
> using 'authconfig' to set PAM correctly, don't mess with the pam stack
> directly.
>
> Find out how to use 'authconfig'; in this instance, I cannot help you,
> I do not use CentOS.
>
>
> Rowland

So, as you are using CentOS, you referred to a 4 yr old YouTube video 
about joining an Ubuntu client to AD using likewiseopen and you wonder 
why you are having problems?

Things have changed a lot in the last 4 years, Jeremy Allison advised 
you not to use likewiseopen (if you don't know who Jeremy is, try Googling 
him). You do not need the sudo alterations, in fact remove them.

If you have likewiseopen installed, remove it, hopefully this will put 
your pam stack back to where it was before.

OK, I tested it myself and it works for me.

Install and update CentOS 7

This was done on a machine called 'centos7.example.com', it gets its IP 
via DHCP, the domain is 'example.com' and the IP address of the AD DC is 
'192.168.0.2'.
Wherever you find any of the above, replace them with settings that 
match your domain.

Open a terminal as root.

Edit /etc/hostname to contain your FQDN:

centos7.example.com

Install the required software:

yum install samba samba-winbind krb5-workstation samba-winbind-krb5-locator pam_krb5

run 'authconfig-tui'

Alter the settings to match these:

##########################################
User Information

[*] Use Winbind

Authentication

[*] Use Shadow Passwords
[*] Use Kerberos
[*] Use Winbind Authentication
[*] Local authorization is sufficient

########################################

Do not alter any other settings and select <OK> on the last screen (you 
could join the domain on this screen, but don't)

Make smb.conf look like this:

nano /etc/samba/smb.conf

[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.COM

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map id's outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    wins server = 192.168.0.2, 192.168.0.3

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on member server
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

[home]
    path = /home
    read only = no

Create the file referred to above:

nano /etc/samba/user.map

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator

Make krb5.conf look like this:

nano /etc/krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

Join the domain, enter the Administrator password when prompted.

net ads join -U Administrator

start the daemons:

systemctl start smb
systemctl start nmb
systemctl start winbind

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
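Two of the settings above are easy to get wrong and make the join or the winbind lookups fail silently: the idmap ranges for '*' and for the domain must not overlap, and the host's DNS domain must match the Kerberos realm. The POSIX shell script below is an added example (not Rowland's, and not part of Samba) that checks both against a constructed smb.conf fragment; the sample text and the function names are mine.

```shell
#!/bin/sh
# Constructed smb.conf fragment laid out like the one in the mail (not the real file).
SAMPLE_SMB_CONF='
[global]
    workgroup = EXAMPLE
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
'
# Same fragment with a domain range that collides with the "*" range (constructed).
BAD_SMB_CONF='
[global]
    idmap config *:range = 2000-9999
    idmap config EXAMPLE : range = 5000-999999
'

# Read smb.conf text on stdin, print "DOMAIN LOW HIGH" for every "idmap config X : range" line.
# Tolerates the optional spaces around ":" that the mail uses for the EXAMPLE entries.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p'
}

# Return 0 when no two idmap ranges overlap; otherwise print the offending pair and return 1.
check_idmap_overlap() {
    printf '%s\n' "$1" | idmap_ranges | awk '
    { d[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
    END {
        bad = 0
        for (i = 1; i <= NR; i++)
            for (j = i + 1; j <= NR; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s %d-%d vs %s %d-%d\n", d[i], lo[i], hi[i], d[j], lo[j], hi[j]
                    bad = 1
                }
        exit bad
    }'
}

# Return 0 when the DNS domain of the FQDN ($1) equals the realm ($2), compared case-insensitively.
realm_matches_host() {
    host_domain=$(printf '%s' "$1" | cut -d. -f2- | tr '[:upper:]' '[:lower:]')
    realm_lc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$host_domain" = "$realm_lc" ]
}

# Stand-alone usage: check the real file and the live hostname.
# check_idmap_overlap "$(cat /etc/samba/smb.conf)" && realm_matches_host "$(hostname -f)" EXAMPLE.COM
```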