[Samba] Samba 4.1.17-Debian as ADS member
rpenny at samba.org
Wed Feb 24 13:16:14 UTC 2016
On 24/02/16 13:05, Stefan G. Weichinger wrote:
> On 2016-02-24 at 13:32, Rowland penny wrote:
>> I would add a few extra lines:
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> idmap config CUST:schema_mode = rfc2307
>> The first three should ensure the tickets never expire and the last one
>> defines the schema that idmap will use.
> I had crashes as the /etc/krb5.keytab does not yet exist and the howto
> looked complicated. Will attack that one again, OK.
With those lines in smb.conf, the keytab will be created when the
machine is joined to the domain.
>> Is PAM set up correctly?
> I tried my best. The examples in the docs always look slightly different
> from the files in the various distros.
> ran pam-auth-update now (as recommended for Debian)
>> Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed?
> 3x yes
>>> 3) in turn I only see UIDs and GIDs in the linux filesystem, no
>> This looks like something set up incorrectly in PAM.
> status on the production machine:
> I get users and groups via wbinfo AND via getent
> clients are connected and tell me things work so far
> In the shell I still see only numbers for owners of files
> # ls -l
> -rwxrwxr--. 1 1026 1009 1037630 Jän 24 2013 20130102.txt
> This is better than people not able to access their files ;)
> but still not satisfying
> as mentioned in my other reply I think of using "rid" later, ok?
As your other post proves, you didn't have any uidNumber & gidNumber
attributes in AD; the 'ad' backend *will not* work without these attributes.
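
An added example, not part of the original message or of Samba itself: a small check for the condition described above, listing accounts the 'ad' idmap backend cannot map because uidNumber or gidNumber is absent. It goes one step beyond the thread by also flagging IDs outside the configured idmap range, which the backend ignores. The smb.conf backend and range lines and the directory entries are constructed sample data; only the CUST domain name and schema_mode line come from the thread.

```python
import re

# Constructed smb.conf fragment; CUST is the domain named in the thread,
# the backend and range lines are assumptions for illustration.
SMB_CONF = """\
[global]
    idmap config CUST : backend = ad
    idmap config CUST:schema_mode = rfc2307
    idmap config CUST : range = 10000-99999
"""

# Constructed directory entries (as an LDAP search would return them).
ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": "user", "uidNumber": "10001"},
    {"sAMAccountName": "bob", "objectClass": "user"},
    {"sAMAccountName": "carol", "objectClass": "user", "uidNumber": "1026"},
    {"sAMAccountName": "staff", "objectClass": "group", "gidNumber": "10009"},
    {"sAMAccountName": "sales", "objectClass": "group"},
]

def idmap_settings(conf_text):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    settings = {}
    pattern = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            domain, option, value = m.groups()
            settings.setdefault(domain.upper(), {})[option.lower()] = value
    return settings

def unmappable(entries, conf_text, domain):
    """List (name, reason) for entries the 'ad' backend cannot map."""
    opts = idmap_settings(conf_text).get(domain.upper(), {})
    if opts.get("backend", "").lower() != "ad":
        return []  # other backends (e.g. rid) do not read these attributes
    low, high = (int(x) for x in opts["range"].split("-"))
    problems = []
    for e in entries:
        attr = "uidNumber" if e["objectClass"] == "user" else "gidNumber"
        if attr not in e:
            problems.append((e["sAMAccountName"], f"missing {attr}"))
        elif not low <= int(e[attr]) <= high:
            problems.append((e["sAMAccountName"], f"{attr} {e[attr]} outside range"))
    return problems

if __name__ == "__main__":
    for name, reason in unmappable(ENTRIES, SMB_CONF, "CUST"):
        print(f"{name}: {reason}")
```

Accounts reported here are the ones that would show up as bare numbers or be missing from getent on a member server using the 'ad' backend.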