[Samba] winbind problems
Dale Schroeder
dale at BriannasSaladDressing.com
Thu Nov 12 21:37:42 UTC 2015
On 11/12/2015 2:59 PM, Rowland Penny wrote:
> On 12/11/15 20:31, Dale Schroeder wrote:
>> OK, try this smb.conf, don't add anything else until you have getent
>> working:
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> security = ADS
>>> realm = DOMAIN.COM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> idmap config * : range = 1000000-2000000
>>> idmap config * : backend = tdb
>>> idmap config DOMAIN : range = 1000-2000
>>> idmap config DOMAIN : backend = rid
>>> winbind nss info = template
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind refresh tickets = Yes
>>> winbind offline logon = Yes
>>> username map = /etc/samba/users.map
>>> template homedir = /data/users/%U
>>> template shell = /bin/bash
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> The above should work against an AD DC
>>>
>>> Your users.map should be:
>>>
>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>
>>> Rowland
>>>
>>>
>> Thanks, Rowland. I've gotten it working for the most part. There are
>> some permissions issues with vfs recycle, but I'll have to work those
>> out later.
>>
>> Just to satisfy my curiosity more than anything, I'd like to clarify
>> a few things.
>>
>> 1. What is the benefit of using 'secrets and keytab'? All of my
>> other member servers seem to function OK with the default 'secrets
>> only'.
>
> It tries to use the secrets.tdb first for kerberos verification and if
> it cannot do this, it uses the system keytab, bit of a belt & braces
> situation really.
>
>> 2. What does the syntax of the users.map file that you have
>> presented mean, or maybe it would be better stated as what does it
>> do? That is nothing at all like the mapping files I have used for
>> the past 12 years. I have seen this before, but have never seen an
>> explanation of it.
>
> Fairly simple, it maps the windows domain Administrator to the local
> Unix 'root' user, you can then change file permissions on samba Unix
> shares from windows.
Then ! is not being interpreted as "not", which is how I interpreted it.
:-D To me, it looks like it's saying the users on the right side of
the equal sign are "not root". Like I said, it's hard to wrap my head
around the syntax. It looks like the inverse of what it actually is.
>
>>
>> 3. Some time back, you mentioned the name of the file in Debian that
>> listed the default mount options. Would you please state it again?
>> I can't seem to locate that particular email in the archives.
>
> Well I would if I could, but what do you mean by 'default mount options'?
> autofs? cifs? ???
Actually, I was thinking of the ext4 defaults for mount options in
fstab. At least, that's how I'm remembering it. Then again, my memory
is not what it used to be. ;-)
Dale
>
> Rowland
>
>>
>> Thanks again,
>> Dale
>>
>
>
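The users.map discussed above follows smbd's 'username map' rules: a line beginning with `!` is not a negation; it means "stop processing the map after this line if it matched", which keeps a later line from remapping the name again. The following is an added example, not code from the thread or from Samba, that re-implements those rules in a simplified form (exact case-insensitive matches and a bare `*` wildcard only; `@group` entries are not handled) and adds a constructed catch-all line to show the difference the `!` makes.

```python
"""Simplified model of how smbd walks a 'username map' file."""
from typing import List, Tuple

# Constructed users.map: Rowland's suggested line plus a hypothetical
# catch-all so the effect of the leading '!' is visible.
USERS_MAP = r"""
# map the domain Administrator to root, then stop processing the map
!root = DOMAIN\Administrator DOMAIN\administrator
# hypothetical catch-all: anything not yet mapped becomes 'guest'
guest = *
"""

# (stop_after_match, unix_name, [windows names on the right-hand side])
MapEntry = Tuple[bool, str, List[str]]


def parse_map(text: str) -> List[MapEntry]:
    """Parse one mapping per line; '#' and ';' start comments."""
    entries: List[MapEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep:
            continue  # malformed line, smbd ignores it as well
        entries.append((stop, unix_name.strip(), rhs.split()))
    return entries


def matches(candidate: str, pattern: str) -> bool:
    """'*' matches any name; otherwise compare case-insensitively."""
    return pattern == "*" or candidate.lower() == pattern.lower()


def map_user(entries: List[MapEntry], name: str) -> str:
    """Walk the map top to bottom, carrying the mapped name forward.

    Without a '!' on a matching line, later lines see the *new* name, so a
    catch-all further down can silently override an earlier mapping.
    """
    current = name
    for stop, unix_name, win_names in entries:
        if any(matches(current, w) for w in win_names):
            current = unix_name
            if stop:
                break
    return current


def demo() -> dict:
    """Resolve a few names with and without the leading '!'."""
    with_bang = parse_map(USERS_MAP)
    without_bang = parse_map(USERS_MAP.replace("!root", "root"))
    return {
        "admin_with_bang": map_user(with_bang, r"DOMAIN\Administrator"),
        "admin_without_bang": map_user(without_bang, r"DOMAIN\Administrator"),
        "other_user": map_user(with_bang, r"DOMAIN\dale"),
    }
```

With the `!`, `DOMAIN\Administrator` resolves to `root`; without it, the same name is first mapped to `root` and then caught by the `guest = *` line, which is exactly the remapping the `!` is there to prevent.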