[Samba] How to join Ubuntu desktop to AD
lingpanda101 at gmail.com
Thu Dec 8 17:05:09 UTC 2016
On 12/6/2016 3:09 PM, Rowland Penny via samba wrote:
> On Tue, 6 Dec 2016 14:52:20 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>> On 12/6/2016 1:49 PM, Rowland Penny via samba wrote:
>>> On Tue, 6 Dec 2016 19:38:49 +0100
>>> Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
>>>> On 06.12.2016 at 19:15, lingpanda101 via samba wrote:
>>>>> Does the wiki contain documentation on how to join a Linux
>>>>> workstation to Samba? I can't seem to find it. I do see this
>>>>> but this appears to use SSH to login. I'm looking to login
>>>> This is the documentation you're looking for.
>>>> SSH is just an example in the documentation how to use pam_winbind.
>>>> Have a look at your PAM configuration files and the PAM
>>>> documentation to see which file you have to add pam_winbind to for
>>>> local logins.
>>> libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
>>> the same on Ubuntu.
>> OK thanks. I'm a bit stuck at the part where I configure my smb.conf.
>> I'm going with the winbind ad backend.
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.LOCAL (Yes I know about .local)
>> log file = /var/log/samba/%m.log
>> log level = 1
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999 (This is the range for local
>> users on the workstation?)
>> winbind nss info = rfc2307
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:range = 10000-999999 (This is the default
>> range samba uses correct?)
>> If I # cat /etc/adduser.conf I see
>> Is this the range I should use for 'idmap config * : range =
> No, the '*' range is for the 'well known SIDs' (see here:
> https://support.microsoft.com/en-us/kb/243330) and anything outside
> your domain (aka workgroup).
> The suggested ranges on the samba wiki are known to work (well, they
> work for me). They allow for local Unix users & groups in the range
> 1000-1999, for the well known SIDs in the range 2000-9999 and domain
> users & groups in the range 10000-999999
> The local Unix users & groups will get their IDs when they are added
> and they will be created in /etc/passwd and /etc/group.
> The well known SIDs will be allocated an ID, starting from 2000 i.e.
> the start number for the range
> You will have to add unique uidNumber attributes to each user, starting
> from 10000, you must also give 'Domain Users' a gidNumber attribute,
> you can use 10000 for this (yes, you can have a user with uidNumber
> 10000 and a group with the same number)
> If everything is installed and setup correctly and you run 'getent
> passwd auser' you should get something like this:
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> Any further questions, just ask ;-)
I'll point out a typo in the wiki while I go through this exercise.
# smbd -B | grep LIBDIR
The switch is actually lowercase for me.
# smbd -b | grep LIBDIR
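The range layout Rowland describes (local Unix accounts 1000-1999, the '*' domain 2000-9999, MYDOMAIN 10000-999999) only works if none of the ranges overlap, including the range adduser hands out to local users. The following added example (not from this thread or from Samba itself) parses the idmap ranges out of an smb.conf fragment and FIRST_UID/LAST_UID out of adduser.conf and reports any pair that shares an ID; the smb.conf content mirrors the thread, the adduser.conf values are constructed.

```python
import re

# Constructed smb.conf fragment using the ranges quoted in the thread.
SMB_CONF = """
[global]
   security = ADS
   workgroup = MYDOMAIN
   realm = MYDOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-999999
"""

# Constructed /etc/adduser.conf excerpts: a wide local range that collides
# with the domain ranges, and one trimmed to 1000-1999 as suggested above.
ADDUSER_CONF_WIDE = "FIRST_UID=1000\nLAST_UID=29999\n"
ADDUSER_CONF_FIXED = "FIRST_UID=1000\nLAST_UID=1999\n"

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
UID_RE = re.compile(r"^\s*(FIRST_UID|LAST_UID)\s*=\s*(\d+)", re.M)

def idmap_ranges(smb_conf):
    """Map each idmap domain ('*' or a workgroup name) to its (low, high) range."""
    return {dom: (int(lo), int(hi)) for dom, lo, hi in IDMAP_RE.findall(smb_conf)}

def local_range(adduser_conf):
    """Return the (FIRST_UID, LAST_UID) range adduser uses for local accounts."""
    vals = dict(UID_RE.findall(adduser_conf))
    return int(vals["FIRST_UID"]), int(vals["LAST_UID"])

def find_overlaps(smb_conf, adduser_conf):
    """Return pairs of range names that share at least one numeric ID.

    An overlap means a local account and a domain account can end up with the
    same UID/GID, so file ownership and permissions no longer distinguish them.
    """
    ranges = idmap_ranges(smb_conf)
    ranges["local (adduser.conf)"] = local_range(adduser_conf)
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:   # closed intervals intersect
                clashes.append((a, b))
    return clashes

if __name__ == "__main__":
    print("wide local range:", find_overlaps(SMB_CONF, ADDUSER_CONF_WIDE))
    print("fixed local range:", find_overlaps(SMB_CONF, ADDUSER_CONF_FIXED))
```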