[Samba] Cooperation with the samba and the Windows ActiveDirectory

mathias dufresne infractory at gmail.com
Fri Sep 2 10:58:17 UTC 2016


Hi Takano,

You wrote:
※The direction of the trust Samba server → Windows server

Which should mean, according to some MS book sitting on my desk, that you
want the Samba domain to trust the MS domain.

In the Samba FAQ, here:
https://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
you can read "Samba can be trusted, but can't trust yet."

According to that, if your arrow was in the right direction, you just can't
achieve what you want, for now.


2016-08-30 2:10 GMT+02:00 satoshi takano via samba <samba at lists.samba.org>:

> I'm Takano.
>
> Now, we would like to build a system such as the following through
> cooperation between Samba and Windows Active Directory.
>
> ☆Samba
>
> OS:CentOS7
> Samba:(ver4.4.5)
>
> ☆Windows(ActiveDirectory)
>
> OS:Windows Server 2003
> ※The functional level has been raised from 2000 to 2003.
>
> What we want to achieve is the following.
>
> ・Create a domain controller (samba.test) on the Samba server side.
> ・Set up a trust relationship with the domain controller on the Windows
> server side (ad.adtest).
> ※The direction of the trust Samba server → Windows server
> ・Build a Windows Storage server (Windows2012R2) as a file server and join
> it to the domain controller of the Samba server.
> ・Restrict access, etc. for the users of both domain controllers on the
> Windows Storage server side.
> ・We want both users joined to the domain controller of the Samba server
> and users joined to the domain controller of the Windows server to be able
> to access (log in to) the file server.
>
> In the current situation, after trying various things, a user joined to
> the domain controller of the Samba server can access the file server, but
> a user joined to the domain controller of the Windows server cannot access
> the file server.
> ※Access restrictions on the file server side can only be set for users
> of the Samba server.
>
> What I have done is the following.
>
> - Install samba4.4.5 on the Samba server
> - Run the following command
> /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
>   Realm [TEST]: samba.test
>   Domain [samba]:
>   Server Role (dc, member, standalone) [dc]:
>   DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
>   DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]:xxx.xxx.xxx.xxx
> Administrator password:xxxxxxx
> Retype password:xxxxxxx
> - Start Samba
> - Set the input direction of the trust relationship on the Windows server
> - Set the output direction of the trust relationship from the Samba server
> by running the following command
> /usr/local/samba/bin/samba-tool domain trust create ad.adtest --type=external --direction=outgoing -U administrator@xxx.adtest --create-location=local --ipaddress=xxx.xxx.xxx.xxx
> - When I tried verifying the trust relationship, I was able to confirm on
> both the Windows server and the Samba server that the trust is tied.
>
> Here it is up.
> Create an adtest user on the Windows server
>
> When you run the following command, user information is displayed.
> /usr/local/samba/bin/wbinfo --user-info AD\\adtest
>
> Authentication (krb5) with the following command will also pass.
> /usr/local/samba/bin/wbinfo -K AD\\adtest%password
>
> So at the winbind level, the user seems to be visible.
>
> The global section of smb.conf is as follows.
>
> [global]
>          netbios name = HOSTNAME
>          realm = SAMBA.TEST
>          workgroup = SAMBA
>          dns forwarder = xxx.xxx.xxx.xxx
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>
> It would be very helpful if you could help resolve this matter.
>
> regards
>

