[Samba] winbind problems

Rowland Penny rowlandpenny241155 at gmail.com
Fri Nov 13 08:20:23 UTC 2015


On 12/11/15 21:37, Dale Schroeder wrote:
> On 11/12/2015 2:59 PM, Rowland Penny wrote:
>> On 12/11/15 20:31, Dale Schroeder wrote:
>>> OK, try this smb.conf, don't add anything else until you have getent 
>>> working:
>>>>
>>>> [global]
>>>>     workgroup = DOMAIN
>>>>     security = ADS
>>>>     realm = DOMAIN.COM
>>>>     dedicated keytab file = /etc/krb5.keytab
>>>>     kerberos method = secrets and keytab
>>>>     idmap config * : range = 1000000-2000000
>>>>     idmap config * : backend = tdb
>>>>     idmap config DOMAIN : range = 1000-2000
>>>>     idmap config DOMAIN : backend = rid
>>>>     winbind nss info = template
>>>>     winbind trusted domains only = no
>>>>     winbind use default domain = yes
>>>>     winbind enum users = Yes
>>>>     winbind enum groups = Yes
>>>>     winbind refresh tickets = Yes
>>>>     winbind offline logon = Yes
>>>>     username map = /etc/samba/users.map
>>>>     template homedir = /data/users/%U
>>>>     template shell = /bin/bash
>>>>     vfs objects = acl_xattr
>>>>     map acl inherit = yes
>>>>     store dos attributes = yes
>>>>
>>>> The above should work against an AD DC
>>>>
>>>> Your users.map should be:
>>>>
>>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>>
>>>> Rowland
>>>>
>>>>
>>> Thanks, Rowland.  I've gotten it working for the most part. There 
>>> are some permissions issues with vfs recycle, but I'll have to work 
>>> those out later.
>>>
>>> Just to satisfy my curiosity more than anything, I'd like to clarify 
>>> a few things.
>>>
>>> 1.  What is the benefit of using 'secrets and keytab'?  All of my 
>>> other member servers seem to function OK with the default 'secrets 
>>> only'.
>>
>> It tries to use the secrets.tdb first for kerberos verification and 
>> if it cannot do this, it uses the system keytab, bit of a belt & 
>> braces situation really.
>>
>>> 2.  What does the syntax of the users.map file that you have 
>>> presented mean, or maybe it would be better stated as what does it 
>>> do?  That is nothing at all like the mapping files I have used for 
>>> the past 12 years.  I have seen this before, but have never seen an 
>>> explanation of it.
>>
>> Fairly simple, it maps the windows domain Administrator to the local 
>> Unix 'root' user, you can then change file permissions on samba Unix 
>> shares from windows.
> Then ! is not being interpreted as "not", which is how I interpreted 
> it. :-D   To me, it looks like it's saying the users on the right side 
> of the equal sign are "not root".  Like I said, it's hard to wrap my 
> head around the syntax.  It looks like the inverse of what it actually 
> is.
>>
>>>
>>> 3.  Some time back, you mentioned the name of the file in Debian 
>>> that listed the default mount options.  Would you please state it 
>>> again?  I can't seem to locate that particular email in the archives.
>>
>> Well I would if I could, but what do you mean by 'default mount 
>> options' ? autofs ? cifs ? ???
> Actually, I was thinking of the ext4 defaults for mount options in 
> fstab.  At least, that's how I'm remembering it.  Then again, my 
> memory is not what it used to be. ;-)
>

Ah, those mount options in fstab, if you are using ext4, then it is 
simple, you do not need to add any. All the ones that various websites 
tell you to add, are already part of the default settings.

see: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt

Rowland
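The thread's confusion about the `!` in `!root = DOMAIN\Administrator DOMAIN\administrator` is worth making concrete. The following is an added example, not code from the thread or from Samba: a simplified re-implementation of how Samba's `username map` file is evaluated, written from the rules in the smb.conf manual (`#`/`;` comments, `unix = win1 win2 ...` lines, `*` as a wildcard, and a leading `!` meaning "stop processing once this line has mapped the name"). Group patterns (`@group`) are not modelled, and the sample map file below is constructed for the demonstration.

```python
"""Simplified model of Samba's 'username map' evaluation (assumption: not Samba's code).

A map line has the form    [!]unix_name = win_name1 win_name2 ...
  - '*' on the right-hand side matches any incoming name
  - a leading '!' stops processing after that line performs a mapping
  - without '!', later lines are still evaluated against the (possibly remapped) name
"""
from typing import List, Tuple

# Constructed sample map: the Administrator line from the thread plus a
# wildcard catch-all, to show why the '!' matters when a wildcard follows.
USERS_MAP = r"""
# map the Windows domain Administrator to the local Unix root user
!root = DOMAIN\Administrator DOMAIN\administrator
; everybody else who is not otherwise mapped becomes 'nobody' (constructed rule)
nobody = *
"""

Rule = Tuple[bool, str, List[str]]  # (stop_after_match, unix_name, windows_patterns)


def parse_username_map(text: str) -> List[Rule]:
    """Parse map text into an ordered list of rules; malformed lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue
        unix_name, rhs = line.split("=", 1)
        patterns = rhs.split()
        if unix_name.strip() and patterns:
            rules.append((stop, unix_name.strip(), patterns))
    return rules


def _matches(pattern: str, windows_name: str) -> bool:
    """Case-insensitive name match; '*' matches anything; '@group' is not modelled."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return False  # assumption: group-membership lookups are out of scope here
    return pattern.lower() == windows_name.lower()


def map_username(rules: List[Rule], windows_name: str) -> str:
    """Apply the rules in order and return the resulting Unix user name."""
    name = windows_name
    for stop, unix_name, patterns in rules:
        if any(_matches(p, name) for p in patterns):
            name = unix_name
            if stop:  # the '!' line mapped the name: stop here
                break
    return name


def map_username_without_bang(rules: List[Rule], windows_name: str) -> str:
    """Same evaluation, but ignoring every '!' marker, to show the difference."""
    return map_username([(False, u, p) for _, u, p in rules], windows_name)


if __name__ == "__main__":
    rules = parse_username_map(USERS_MAP)
    for who in (r"DOMAIN\Administrator", r"DOMAIN\dale"):
        print(f"{who:25} -> {map_username(rules, who)}   "
              f"(without '!': {map_username_without_bang(rules, who)})")
```

Run as a script it shows that `DOMAIN\Administrator` lands on `root` only because the `!` stops evaluation before the wildcard line; with the `!` removed the Administrator would be remapped to `nobody` by the later line, which is exactly the situation the manual page describes the `!` as being for. Treat the mapping of `Administrator` to `root` as the privileged grant it is: only the listed Windows accounts should appear on that line, and the map file itself should be writable by root alone.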