[Samba] Make a share owned by a service account available to members of an AD group
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Oct 9 21:54:43 UTC 2015
On 09/10/15 22:42, Tovey, Mark wrote:
> Here is my configuration:
>
> smb.conf:
>
> [global]
> server string = Samba Server Version %v
>
> log file = /var/log/samba/log.%m
> max log size = 500
>
> log level = 3
>
> workgroup = DEVTST-CORP
> realm = DEVTST-CORP.GO2UTI.COM
> security = ADS
> password server = sinmdp04.devtst-corp.go2uti.com
> passdb backend = tdbsam
Remove these lines
>
> domain master = no
> local master = no
> preferred master = no
>
> disable netbios = yes
> dns proxy = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-29999
> idmap config DEVTST-CORP:backend = ad
> idmap config DEVTST-CORP:schema_mode = rfc2307
> idmap config DEVTST-CORP:range = 30000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> map untrusted to domain = yes
> map to guest = Bad Uid
> guest account = nobody
>
> load printers = no
> printcap name = /dev/null
> printing = bsd
>
>
> [data]
> path = /opt/app/data
> read only = no
> writable = yes
> browseable = no
> guest ok = yes
> hide dot files = yes
> hide special files = yes
> force user = webserv
> force group = webserv
> create mask = 0644
> directory mask = 0755
> valid users = @DEVTST-CORP\smbgrp
> write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38
>
Remove the domain line from resolv.conf and any of the nameserver lines that aren't the AD DC.
> /krb5.conf:
>
> [logging]
> default = FILE:/var/log/samba/krb5libs.log
> kdc = FILE:/var/log/samba/krb5kdc.log
> admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
> default_realm = DEVTST-CORP.GO2UTI.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = true
>
> [realms]
> DEVTST-CORP.GO2UTI.COM = {
> kdc = sinmdp04.devtst-corp.go2uti.com:88
> admin_server = sinmdp04.devtst-corp.go2uti.com:749
> default_domain = DEVTST-CORP
> }
>
> [domain_realm]
> .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
> devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
>
> forwardable = true
> krb4_convert = false
> }
>
Change krb5.conf to just this:
[libdefaults]
default_realm = DEVTST-CORP.GO2UTI.COM
dns_lookup_realm = false
dns_lookup_kdc = true
> net ads testjoin:
> Join is OK
>
Rowland
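As an added example that is not part of this thread, the following Python script checks an smb.conf against the points made in the reply: security = ADS is set, password server and passdb backend are absent, and the idmap ranges for '*' and the domain do not overlap. The sample configuration embedded in it is constructed from the posted [global] section.

```python
import configparser
import re

# Constructed sample: the auth/idmap lines from the posted [global] section.
SAMPLE_SMB_CONF = """
[global]
security = ADS
password server = sinmdp04.devtst-corp.go2uti.com
passdb backend = tdbsam
idmap config *:backend = tdb
idmap config *:range = 5000-29999
idmap config DEVTST-CORP:backend = ad
idmap config DEVTST-CORP:range = 30000-99999
"""

# Parameters the reply says a domain member should not carry.
UNWANTED_GLOBAL = ("password server", "passdb backend")

def parse_smb_conf(text):
    # ':' occurs inside idmap keys, so only '=' may separate key and value.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def idmap_ranges(global_section):
    """Map each idmap domain ('*' or a workgroup) to its (low, high) range."""
    ranges = {}
    for key, value in global_section.items():  # configparser lower-cases keys
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def lint(text):
    """Return a list of findings; an empty list means nothing to fix."""
    g = parse_smb_conf(text)["global"]
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security should be ADS for a domain member")
    for param in UNWANTED_GLOBAL:
        if param in g:
            findings.append(f"remove '{param}' (not used by an AD member)")
    doms = sorted(idmap_ranges(g).items())  # idmap ranges must never overlap
    for i, (a, (al, ah)) in enumerate(doms):
        for b, (bl, bh) in doms[i + 1:]:
            if al <= bh and bl <= ah:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings
```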