[Samba] Cooperation with the samba and the Windows ActiveDirectory

satoshi takano takano at designet.co.jp
Tue Aug 30 00:10:23 UTC 2016

I'm Takano.

We would now like to build a system like the following, using Samba together with Windows Active Directory.

OS: Windows Server 2003
※ The functional level has been raised from 2000 to 2003.

What we want to achieve is the following.

・Create a domain controller (samba.test) on the Samba server side.
・Set up a trust relationship with the domain controller on the Windows server side (ad.adtest).
※ Direction of the trust: Samba server → Windows server
・Build a WindowsStorage server (Windows 2012 R2) as a file server and join it to the domain controller of the Samba server.
・Restrict access etc. for the users of both domain controllers on the WindowsStorage server side.
・We want users joined to the Samba server's domain controller and users joined to the Windows server's domain controller
to be able to access (log in to) the file server.

Currently, after trying various things, users joined to the domain controller of the Samba server
can access the file server, but users joined to the domain controller of the Windows server
cannot access the file server.
※ Access restrictions on the file server side can only be set for users of the Samba server.

What we have done so far is the following.

- Install Samba 4.4.5 on the Samba server
- Run the following command
  /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
  Realm [TEST]: samba.test
  Domain [samba]:
  Server Role (dc, member, standalone) [dc]:
  DNS forwarder IP address (write 'none' to disable forwarding) []: xxx.xxx.xxx.xxx
  Administrator password: xxxxxxx
  Retype password: xxxxxxx
- Start samba
- Set the incoming direction of the trust relationship on the Windows server
- Set the outgoing direction of the trust relationship from the Samba server by running the following command
  /usr/local/samba/bin/samba-tool domain trust create ad.adtest --type=external --direction=outgoing -U administrator@xxx.adtest --create-location=local --ipaddress=xxx.xxx.xxx.xxx
- We were able to confirm, by validating the trust relationship on both the Windows server and the Samba server, that it is established.

That is how far we have got.
We created an adtest user on the Windows server.

When the following command is run, the user information is displayed.
/usr/local/samba/bin/wbinfo --user-info AD\\adtest

Authentication (krb5) also passes when the following command is run.
/usr/local/samba/bin/wbinfo -K AD\\adtest%password

So at the winbind level, the user appears to be visible.

The global section of smb.conf is as follows.

          netbios name = HOSTNAME
          realm = SAMBA.TEST
          workgroup = SAMBA
          dns forwarder = xxx.xxx.xxx.xxx
          server role = active directory domain controller
          idmap_ldb:use rfc2307 = yes

We would be very grateful for any help in resolving this matter.
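As an added check that is not part of the original post or of Samba itself: the `wbinfo --user-info DOMAIN\\user` step above is the point where a trusted-domain user should resolve to a usable POSIX identity on the DC, so the helper below validates one such output line. It assumes the winbind passwd-style format `DOMAIN\user:*:uid:gid:gecos:home:shell` with the default `\` separator, and takes the expected domain and the id range that domain's users are allowed to occupy; the sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the post or the Samba project). Validates a line as
# printed by `wbinfo --user-info DOMAIN\\user` for a user of a trusted domain.
# Assumed format: DOMAIN\user:*:uid:gid:gecos:home:shell (winbind passwd style).
#
# check_trusted_user LINE EXPECTED_DOMAIN MIN_ID MAX_ID
# Returns 0 when LINE names a user of EXPECTED_DOMAIN (case-insensitive) and
# both uid and gid are numeric and inside [MIN_ID, MAX_ID]; otherwise 1.
check_trusted_user() {
    line=$1 want=$2 min_id=$3 max_id=$4

    # Split on ':' only (the gecos field may contain spaces); no globbing.
    old_ifs=$IFS; IFS=:; set -f; set -- $line; set +f; IFS=$old_ifs
    [ $# -eq 7 ] || { echo "unexpected field count ($#): $line" >&2; return 1; }
    acct=$1; uid=$3; gid=$4

    # Field 1 must be DOMAIN\user; a bare user name means the domain was lost.
    case $acct in
        *\\*) dom=${acct%%\\*}; user=${acct#*\\} ;;
        *)    echo "no domain separator in '$acct'" >&2; return 1 ;;
    esac
    [ -n "$user" ] || { echo "empty user name in '$acct'" >&2; return 1; }

    # Domain names compare case-insensitively.
    dom_uc=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    want_uc=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
    [ "$dom_uc" = "$want_uc" ] || { echo "'$acct' is not in domain '$want'" >&2; return 1; }

    # uid and gid must be numeric and fall inside the range reserved for this domain.
    for id in "$uid" "$gid"; do
        case $id in
            ''|*[!0-9]*) echo "non-numeric id '$id' for $acct" >&2; return 1 ;;
        esac
        if [ "$id" -lt "$min_id" ] || [ "$id" -gt "$max_id" ]; then
            echo "id $id for $acct is outside $min_id-$max_id" >&2; return 1
        fi
    done
    return 0
}

# Constructed sample line; the values are made up, not taken from the post.
SAMPLE='AD\adtest:*:3000021:3000020:AD Test User:/home/AD/adtest:/bin/false'
if check_trusted_user "$SAMPLE" AD 3000000 3999999; then
    echo "OK: trusted-domain user resolves with ids in the expected range"
fi
```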

