[Samba] Cooperation with the samba and the Windows ActiveDirectory
takano at designet.co.jp
Tue Aug 30 00:10:23 UTC 2016
We would like to build a system such as the following, with Samba and Windows Active Directory working together.
OS: Windows Server 2003
※ The functional level has been raised from 2000 to 2003.
What we want to achieve is the following.
・Create a domain controller (samba.test) on the Samba server side.
・Set up a trust relationship with the domain controller on the Windows server side (ad.adtest).
※ The direction of the trust is Samba server → Windows server.
・Build a WindowsStorage server (Windows2012R2) as a file server, the domain controller of the Samba server
・Restrict access, etc. for the users of both domain controllers on the WindowsStorage server side.
・We want both users joined to the domain controller of the Samba server and users joined to the domain controller of the Windows server to be able to access (log in to) the file server.
Currently, after trying various things, a user joined to the domain controller of the Samba server can access the file server, but a user joined to the domain controller of the Windows server cannot access the file server.
※ Access restrictions on the file server side can only be set for users of the Samba server.
What we have done is the following.
- Install Samba 4.4.5 on the Samba server
- Run the following command
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Realm [TEST]: samba.test
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]:xxx.xxx.xxx.xxx
- Start Samba
- Set up the incoming direction of the trust relationship on the Windows server
- Set up the outgoing direction of the trust relationship from the Samba server by running the following command
/usr/local/samba/bin/samba-tool domain trust create ad.adtest --type=external --direction=outgoing -U administrator@xxx.adtest --create-location=local --ipaddress=xxx.xxx.xxx.xxx
- We verified the trust relationship on both the Windows server and the Samba server and were able to confirm that it is established.
That is the state so far.
We created an adtest user on the Windows server.
When we run the following command, the user information is displayed.
/usr/local/samba/bin/wbinfo --user-info AD\\adtest
Authentication (krb5) with the following command also passes.
/usr/local/samba/bin/wbinfo -K AD\\adtest%password
So, as far as winbind is concerned, the user seems to be visible.
The global section of smb.conf is as follows.
netbios name = HOSTNAME
realm = SAMBA.TEST
workgroup = SAMBA
dns forwarder = xxx.xxx.xxx.xxx
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
We would greatly appreciate your help in resolving this matter.