[Samba] howto domain controller with home shares on file server
niya levi
niyalevi at gmail.com
Fri Mar 18 02:34:20 UTC 2016
hi
i have two active domain controllers dc1 and dc2 and i have a domain
member which is a file server fs1,
my home and profile shares are on fs1 and i mount them on dc1 and dc2 for
admin purposes, i.e. to create user home shares,
fs1 uses the btrfs filesystem and snapper.
this is my smb.conf on the file server
# smb.conf on the domain member file server (fs1, netbios name tardis).
# Joined to AD.ADOMAIN.COM as a domain member; user and group IDs come from
# the domain's RFC2307 attributes through winbind (see idmap config below).
[global]
workgroup = ADOMAIN
security = ADS
realm = AD.ADOMAIN.COM
server string = %h home directory file server
# Machine-account keytab used for Kerberos authentication.
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
netbios name = tardis
host msdfs = no
# NOTE(review): "client signing" governs this host's outbound SMB
# connections (e.g. to the DCs). Signing for clients connecting *to* this
# file server is controlled by "server signing", which is not set here -
# confirm the intended policy.
client signing = yes
client use spnego = yes
encrypt passwords = yes
## Map IDs from outside the domain (BUILTIN, local) to tdb-allocated ranges.
idmap config *:backend = tdb
idmap config *:range = 70001-80000
## Map IDs for the domain itself from the AD RFC2307 attributes.
## This range must not overlap the "*" range above.
idmap config ADOMAIN:backend = ad
idmap config ADOMAIN:schema_mode = rfc2307
idmap config ADOMAIN:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
# Enumeration makes "getent passwd/group" list domain accounts but is
# expensive on large domains.
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind expand groups = 4
winbind offline logon = yes
# seconds
winbind cache time = 300
# For ACL support on member server: NT ACLs are stored in xattrs by
# acl_xattr so Windows clients can manage permissions.
inherit acls = yes
vfs objects = acl_xattr
map acl inherit = Yes
acl group control = yes
store dos attributes = Yes
# NOTE(review): accounts in "admin users" perform all file operations as
# root on every share of this host; keep the list minimal and audit its use.
# Also confirm the "/" separator matches "winbind separator" (default "\").
admin users = ADOMAIN/Administrator
username map = /etc/samba/samba_usermapping
# Share settings applied globally
usershare allow guests = no
# No symlink following outside the share tree.
unix extensions = no
wide links = no
reset on zero vc = yes
# Hide the shell dotfiles in home directories from SMB clients.
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# Unknown users become the guest account; together with "guest ok = Yes" on
# a share this allows anonymous access, so keep "guest ok = no" on anything
# sensitive.
map to guest = Bad User
# One log file per connecting client (%m). Level 3 is verbose and the logs
# contain account names and paths - lower it outside of troubleshooting.
log file = /var/log/samba/%m.log
max log size = 1000
panic action = /usr/share/samba/panic-action %d
load printers = yes
printcap name = cups
show add printer wizard = No
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
debuglevel = 3
use sendfile = no
# FSRVP server: lets clients request snapper snapshots remotely.
rpc_daemon:fssd = fork
registry shares = yes
# NOTE(review): the documented syntax is "include = registry"; the missing
# "=" may be a mail formatting artifact - verify with testparm. Registry
# settings override the parameters above, so keep this the last line of
# [global].
include registry
# Print queues taken from cups ("load printers = yes" in [global]).
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
printing = cups
browseable = no
# Anonymous printing is allowed: guest ok here plus "map to guest = Bad User"
# in [global].
guest ok = Yes
# Use only the NT ACL stored in the xattr, ignore the POSIX ACL.
acl_xattr:ignore system acl = yes
# Members of Domain Admins perform file operations as root on this share.
admin users = @"ADOMAIN\Domain Admins"
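# Printer driver store for Point-and-Print downloads.
[print$]
comment = Printer Drivers
path = /smb/Printer_drivers
browseable = yes
# Read-only for ordinary and guest users. The original section also listed
# "writeable = yes" after this line; "writeable" is an inverse synonym of
# "read only" and the later setting won, so the share was silently writable
# for guests (guest ok = Yes with "map to guest = Bad User" in [global]).
# Driver uploads by Domain Admins are allowed explicitly via "write list",
# which overrides "read only" for the listed accounts.
read only = yes
write list = @"ADOMAIN\Domain Admins"
guest ok = Yes
# Use only the NT ACL stored in the xattr, ignore the POSIX ACL.
acl_xattr:ignore system acl = yes
# Members of Domain Admins perform file operations as root on this share.
admin users = @"ADOMAIN\Domain Admins"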
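# Per-user home directories, with snapper snapshots exposed to Windows
# clients as "Previous Versions".
[home]
path = /smb/home
read only = no
guest ok = no
# A share-level "vfs objects" replaces the [global] list instead of
# extending it. The original "vfs objects = snapper" therefore dropped
# acl_xattr on this share, so the Windows ACLs configured in [global] were
# not stored for home directories. Modules stack in the order listed.
vfs objects = acl_xattr snapper
#
# NOTE(review): the "shadow:" parametric options belong to vfs_shadow_copy2;
# confirm that vfs_snapper reads them before relying on them.
shadow: snapdir = ./snapshot
# shadow: sort = desc
# shadow: format = @GMT_%Y.%m.%d-%H.%M.%S
# shadow: localtime = no
# Members of Domain Admins perform file operations as root on this share;
# keep the list minimal.
admin users = @"ADOMAIN\Domain Admins"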
# Roaming profile store. No share-level "vfs objects" here, so the [global]
# acl_xattr module applies.
[profiles]
path = /smb/profiles
read only = no
# Members of Domain Admins perform file operations as root on this share.
admin users = @"ADOMAIN\Domain Admins"
# Give profile files the ownership/ACL behaviour Windows expects for
# roaming profiles.
profile acls = yes
# Disable client-side (offline files) caching of profile data.
csc policy = disable
this is my smb.conf on the dc1
# Global parameters
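# smb.conf on dc1 (netbios name ASHANTI), an AD domain controller for
# AD.ADOMAIN.COM. The internal DNS server is disabled (server services =
# -dns), so an external DNS server is expected to serve the zone.
[global]
workgroup = ADOMAIN
realm = AD.ADOMAIN.COM
netbios name = ASHANTI
server role = active directory domain controller
# Use the RFC2307 uidNumber/gidNumber attributes from AD for the DC's own
# ID mapping (idmap.ldb).
idmap_ldb:use rfc2307 = yes
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
# Do not start the internal DNS server.
server services = -dns
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
## Bind to specific interfaces; act as time server and WINS server.
interfaces = lo eth0
bind interfaces only = yes
time server = yes
wins support = yes
## Add AD backend.
# NOTE(review): on an AD DC the mapping for the DC's own domain is handled by
# idmap.ldb (see idmap_ldb:use rfc2307 above) and "idmap config ADOMAIN" is
# normally ignored there - confirm these four lines are still needed.
idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config ADOMAIN : backend = ad
idmap config ADOMAIN : range = 10000-3999999
winbind use default domain = yes
# Tool used by samba_dnsupdate for dynamic DNS updates; -g requests
# GSS-TSIG (Kerberos-authenticated) updates.
# nsupdate command = /usr/sbin/samba_dnsupdate
nsupdate command = /usr/bin/nsupdate -g
# Accept only authenticated (GSS-TSIG) dynamic updates. The previous value
# "nonsecure and secure" let any host on the network rewrite DNS records.
# This option applies to the internal DNS server, so with "-dns" above it is
# a safeguard for the day that line is removed rather than a behaviour
# change today.
allow dns updates = secure only
# Sign outbound LDAP traffic.
client ldap sasl wrapping = sign
# LDAPS / StartTLS; paths are relative to the private directory.
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
log file = /var/log/samba/log.%m
max log size = 50
encrypt passwords = yes
# NOTE(review): mapping unknown users to guest is rarely needed on a DC;
# consider removing this unless an anonymous use case is known.
map to guest = Bad User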
# Logon scripts. Write access is governed by the NT ACLs on the sysvol tree;
# NOTE(review): confirm they are intact (samba-tool ntacl sysvolcheck).
[netlogon]
path = /var/lib/samba/sysvol/ad.adomain.com/scripts
read only = No
# Group Policy objects and scripts. NOTE(review): Samba does not replicate
# SysVol between DCs itself - confirm how dc1 and dc2 are kept in sync.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
what is the best method to access the user's home share when i log on using a
windows client,
without losing the snapshot capability from snapper.
do i,
1 add the share definition to smb.conf on the domain controllers and
remove them from the file server
2 leave the share definition in smb.conf on the file server and use the
microsoft rsat to connect clients to their home share
or is there a better way i have not thought of ?
shadrock