[Samba] Configuration of smb.conf for Active Directory authentication
Kyle Manel
Kyle.Manel at inbaytech.com
Fri Aug 26 19:42:46 UTC 2016
Thanks for the feedback.
With the modifications you specified I have this smb.conf; however, it cannot be accessed:
"
[global]
netbios name = FILESERVER-001
security = ADS
workgroup = CORP
realm = CORP.INBAYTECH.COM
log file = /var/log/samba/%m.log
log level = 1
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config CORP: backend = rid
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
template shell = /sbin/bash
template homedir = /home/%U
[public]
path = /srv/samba/share
public = yes
guest ok = yes
writable = yes
"
As for your question:
"Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines, they are not on the domain member wiki page."
-NOTE: line 108 of https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
This stipulates:
'# Just adding the following three lines is not enough!!'
-I apologize; without further instruction I chose to access the wiki and documentation:
https://wiki.samba.org/index.php/Idmap_config_rid and https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606596
-The latter specifies IDMAP_RID with WinBind and specifies the idmap uid and gid as global parameters alongside this construct; you have now identified them as deprecated.
-If there was some expectation of using RID exclusively, I did not read it as such; my apologies.
{Now: -removed (as above)-}
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, August 26, 2016 11:51 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory authentication
See inline comments.
On Fri, 26 Aug 2016 15:11:25 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:
> I've completed the configuration specified,
No you haven't
> and the command 'wbinfo
> -g' provides a list of the groups available and 'wbinfo -u' provides a
> list of all the users on the system, but I cannot access the shares;
> When I navigate a file explorer to \\ip.ad.dre.ss I am presented with
> a login screen, which I cannot log into with my ID; 'The user name or
> password is incorrect'
>
> I suspect an issue with my idmap configuration:
>
> [global]
> netbios name = FILESERVER-001
> security = ADS
> workgroup = SUBDOMAIN
> realm = SUBDOMAIN.DOMAIN.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config CORP: backend = ad
> idmap config CORP: schema_mode = rfc2307
> idmap config CORP: range = 1000-9999999999
I thought you were advised to use the 'rid' backend
> idmap uid = 50-9999999999
> idmap gid = 50-9999999999
Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines, they are not on the domain member wiki page.
> winbind nss info = rfc2307
You don't use the above line with the 'rid' backend
>
> allow dns updates = nonsecure
>
> [public]
> path = /srv/samba/share
> available = yes
> read only = no
> browsable = yes
> public = yes
> guest ok = yes
> writable = yes
the available line is the default
'read only = no' and 'writable = yes' are the same way of saying the same thing, you do not need both.
'browsable = yes' is the default.
'public = yes' and 'guest ok = yes' are the same way of saying the same thing, you do not need both.
Rowland
>
> Regards,
> Kyle
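
An added example, not part of the original thread and not Samba project code: a small Python check that flags the smb.conf points raised in the inline comments above (deprecated 'idmap uid'/'idmap gid', 'winbind nss info' with the 'rid' backend, synonym pairs set twice). The overlapping-range check is an addition based on the Samba documentation's rule that idmap ranges must not overlap, which the thread does not discuss; the sample input is constructed from lines in the thread, and parse/lint are hypothetical names.

```python
import re
from itertools import combinations

# Constructed sample combining lines from both smb.conf versions quoted in the thread.
SAMPLE = """[global]
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config CORP: backend = rid
idmap config CORP: range = 1000-9999999999
idmap uid = 50-9999999999
winbind nss info = rfc2307
[public]
read only = no
writable = yes
guest ok = yes
"""
SYNONYMS = [("read only", "writable"), ("public", "guest ok")]

def parse(text):
    """Return {section: {parameter: value}}; names lower-cased, whitespace collapsed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def lint(text):
    """Hypothetical helper: list the configuration findings as strings."""
    conf, findings, domains = parse(text), [], {}
    glob = conf.get("global", {})
    findings += [f"deprecated: {k}" for k in ("idmap uid", "idmap gid") if k in glob]
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(\S+)", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    if "winbind nss info" in glob and any(d.get("backend") == "rid" for d in domains.values()):
        findings.append("unused with rid backend: winbind nss info")
    spans = sorted((*map(int, d["range"].split("-")), name)
                   for name, d in domains.items() if "range" in d)
    for (lo1, hi1, n1), (lo2, hi2, n2) in combinations(spans, 2):
        if lo2 <= hi1:  # sorted by low bound, so this means the ranges intersect
            findings.append(f"overlapping idmap ranges: {n1} and {n2}")
    for share, params in conf.items():
        for a, b in SYNONYMS:
            if a in params and b in params:
                findings.append(f"redundant in [{share}]: {a} / {b}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```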