[Samba] Make a share owned by a service account available to members of an AD group

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 21:54:43 UTC 2015


On 09/10/15 22:42, Tovey, Mark wrote:
> Here is my configuration:
>
> smb.conf:
>
> [global]
>          server string = Samba Server Version %v
>
>          log file = /var/log/samba/log.%m
>          max log size = 500
>
>          log level = 3
>
>          workgroup = DEVTST-CORP
>          realm = DEVTST-CORP.GO2UTI.COM
>          security = ADS

Remove these lines

         password server = sinmdp04.devtst-corp.go2uti.com
         passdb backend = tdbsam


>
>          domain master = no
>          local master = no
>          preferred master = no
>
>          disable netbios = yes
>          dns proxy = no
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-29999
>          idmap config DEVTST-CORP:backend = ad
>          idmap config DEVTST-CORP:schema_mode = rfc2307
>          idmap config DEVTST-CORP:range = 30000-99999
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>
>          map untrusted to domain = yes
>          map to guest = Bad Uid
>          guest account = nobody
>
>          load printers = no
>          printcap name = /dev/null
>          printing = bsd
>
>
> [data]
>          path = /opt/app/data
>          read only = no
>          writable = yes
>          browseable = no
>          guest ok = yes
>          hide dot files = yes
>          hide special files = yes
>          force user = webserv
>          force group = webserv
>          create mask = 0644
>          directory mask = 0755
>          valid users = @DEVTST-CORP\smbgrp
>          write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38
>

Remove the domain line from resolv.conf and any of the nameserver lines 
that aren't the AD DC

> /krb5.conf:
>
> [logging]
>    default = FILE:/var/log/samba/krb5libs.log
>    kdc = FILE:/var/log/samba/krb5kdc.log
>    admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
>    default_realm = DEVTST-CORP.GO2UTI.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    ticket_lifetime = 24h
>    forwardable = true
>
> [realms]
>    DEVTST-CORP.GO2UTI.COM = {
>      kdc = sinmdp04.devtst-corp.go2uti.com:88
>      admin_server = sinmdp04.devtst-corp.go2uti.com:749
>      default_domain = DEVTST-CORP
>    }
>
> [domain_realm]
>    .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>    devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>
>      forwardable = true
>      krb4_convert = false
> }
>

change krb5.conf to just this:

[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true


> net ads testjoin:
> Join is OK
>

Rowland
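The three corrections given above (drop `password server` and `passdb backend` when `security = ADS`, cut krb5.conf down to `[libdefaults]` with `dns_lookup_kdc = true`, and strip the `domain` line and any non-DC nameserver from resolv.conf) can be checked mechanically before attempting the join. The script below is an added example, not code from this thread or from the Samba project. The ini parser, the function names and the address 192.0.2.10 (standing in for the AD DC, which the thread never identifies) are assumptions of this example; the sample configs are trimmed from the ones posted above.

```python
"""Lint an AD member's smb.conf, krb5.conf and resolv.conf for the
mistakes pointed out in the thread. Added example, not from the post."""
import re


def parse_ini(text):
    """Minimal parser for smb.conf / krb5.conf style text.
    Returns {section: {key: value}}. Keys are lowercased with internal
    whitespace collapsed (smb.conf treats 'passdb backend' and
    'passdb  backend' alike). Brace blocks such as krb5.conf's
    [realms] entries are skipped: the checks only need [libdefaults]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0:
            m = re.match(r"\[(.+)\]$", line)
            if m:
                current = m.group(1).strip()
                sections.setdefault(current, {})
                continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_smb(conf):
    """An ADS member gets its passwords from the DCs it joined; a static
    password server or a local tdbsam backend is a leftover to remove."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() == "ads":
        for key in ("password server", "passdb backend"):
            if key in g:
                findings.append(f"smb.conf: remove '{key}' when security = ADS")
    return findings


def lint_krb5(conf):
    """KDCs should be found through DNS SRV records, not a hard-coded list."""
    lib = conf.get("libdefaults", {})
    if lib.get("dns_lookup_kdc", "").lower() != "true":
        return ["krb5.conf: set dns_lookup_kdc = true"]
    return []


def lint_resolv(text, dc_addresses):
    """Only AD DCs may answer DNS for a member; the 'domain' line goes too."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "domain":
            findings.append("resolv.conf: remove the 'domain' line")
        elif parts[0] == "nameserver" and len(parts) > 1 and parts[1] not in dc_addresses:
            findings.append(f"resolv.conf: nameserver {parts[1]} is not an AD DC")
    return findings


def lint_all(smb_text, krb5_text, resolv_text, dc_addresses):
    return (lint_smb(parse_ini(smb_text)) + lint_krb5(parse_ini(krb5_text))
            + lint_resolv(resolv_text, dc_addresses))


# Assumed DC address (placeholder; the thread does not say which nameserver is the DC).
DC_ADDRESSES = {"192.0.2.10"}

# Trimmed from the configuration posted in the thread.
SMB_BEFORE = r"""
[global]
         workgroup = DEVTST-CORP
         realm = DEVTST-CORP.GO2UTI.COM
         security = ADS
         password server = sinmdp04.devtst-corp.go2uti.com
         passdb backend = tdbsam
         idmap config *:backend = tdb
         idmap config DEVTST-CORP:backend = ad
[data]
         path = /opt/app/data
         force user = webserv
         valid users = @DEVTST-CORP\smbgrp
"""
SMB_AFTER = SMB_BEFORE.replace("         password server = sinmdp04.devtst-corp.go2uti.com\n", "") \
                      .replace("         passdb backend = tdbsam\n", "")

KRB5_BEFORE = """
[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
[realms]
   DEVTST-CORP.GO2UTI.COM = {
     kdc = sinmdp04.devtst-corp.go2uti.com:88
   }
"""
KRB5_AFTER = """
[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
"""

# Constructed: placeholder DC plus one of the extra nameservers from the post.
RESOLV_BEFORE = "domain devtst.go2uti.com\nnameserver 192.0.2.10\nnameserver 10.8.246.38\n"
RESOLV_AFTER = "search devtst-corp.go2uti.com\nnameserver 192.0.2.10\n"

if __name__ == "__main__":
    for name, args in (("before", (SMB_BEFORE, KRB5_BEFORE, RESOLV_BEFORE)),
                       ("after", (SMB_AFTER, KRB5_AFTER, RESOLV_AFTER))):
        print(name, lint_all(*args, DC_ADDRESSES))
```

Run it against the live files (`open("/etc/samba/smb.conf").read()` and so on) with the real DC addresses in `DC_ADDRESSES`; an empty list from `lint_all` means the three points raised in the reply are addressed, which is the state to be in before re-running `net ads join`.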


