[Samba] Cooperation with the samba and the Windows ActiveDirectory

Tue Sep 6 00:43:22 UTC 2016

By the way, do you thing that can be realized in samba3?

On 2016/09/02 19:58, mathias dufresne via samba wrote:
> Hi Takano,
>
> You wrote:
> ※The direction of the trust Samba server → Windows server
>
> Which should mean, according to some MS book sitting on my desk, that you
> want Samba domain to trust MS domain.
>
> In the Samba FAQ, here:
> https://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
> you can read "Samba can be trusted, but can't trust yet."
>
> According to that, if your arrow was in right direction, you just can't
> achieve what you want to, for now.
>
>
> 2016-08-30 2:10 GMT+02:00 satoshi takano via samba <samba at lists.samba.org>:
>
>> I'm Takano.
>>
>> Now, a system such as the following by cooperation with the Samba and
>> Windows ActiveDirectory
>> We would like to build.
>>
>> ☆Samba
>>
>> OS：CentOS7
>> Samba：(ver4.4.5)
>>
>> ☆Windows(ActiveDirectory)
>>
>> OS：Windows Server 2003
>> ※State functional level is raised from 2000 to 2003.
>>
>> That you want to achieve it will be following.
>>
>> ・Create a domain controller (samba.test) on the Samba server side.
>> ・And set up a trust relationship Windows server side of the domain
>> controller (ad.adtest).
>> ※The direction of the trust Samba server → Windows server
>> ・WindowsStorage to build a server (Windows2012R2) as a file server, the
>> domain controller of the Samba server
>> To participate.
>> ・Restrict access, etc. of both the domain controller of the user in the
>> WindowsStorage server side.
>> ・It is joined to a domain controller of the user ・ Windows servers that
>> are joined to a domain controller of the Samba server
>> We want to be able to access (login) to the file server at the user.
>>
>> Current situation, I tried various, user that is joined to the domain
>> controller of the Samba server
>> You can access the file server, but is joined to the domain controller of
>> the Windows server
>> The user can not access the file server.
>> ※Access restrictions on the file server side can only be set to the user
>> of the Samba server.
>>
>> The thing that you have made, will be the following.
>>
>> - Install samba4.4.5 to the Samba server
>> - Implement the following command
>> /usr/local/samba/bin/samba-tool domain provision --use-rfc2307
>> --interactive
>> Realm [TEST]: samba.test
>>   Domain [samba]:
>>   Server Role (dc, member, standalone) [dc]:
>>   DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
>> [SAMBA_INTERNAL]:
>>   DNS forwarder IP address (write 'none' to disable forwarding)
>> [127.0.0.1]:xxx.xxx.xxx.xxx
>> Administrator password:xxxxxxx
>> Retype password:xxxxxxx
>> - Start the samba
>> - Set the input direction of the trust relationship in the Windows server
>> - Set the output direction of the trust relationship from the Samba server
>> by running the following command
>> /usr/local/samba/bin/samba-tool domain trust create ad.adtest
>> --type=external --direction=outgoing -U administrator at xxx.adtest
>> --create-location=local --ipaddress=xxx.xxx.xxx.xxx
>> - A state in which it was able to confirm to try and trust relationship
>> verified in Windows server ・ Samba server both are tied.
>>
>> Here it is up.
>> Create a adtest user to the Windows server
>>
>> When you run the following command user information is displayed.
>> /usr/local/samba/bin/wbinfo --user-info AD\\adtest
>>
>> Authentication and run the following command (krb5) will also pass.
>> /usr/local/samba/bin/wbinfo -K AD\\adtest%password
>>
>> So the winbind basis seems to be a state in which the user is visible.
>>
>> Global section of smb.conf are as follows.
>>
>> [global]
>>          netbios name = HOSTNAME
>>          realm = SAMBA.TEST
>>          workgroup = SAMBA
>>          dns forwarder = xxx.xxx.xxx.xxx
>>          server role = active directory domain controller
>>          idmap_ldb:use rfc2307 = yes
>>
>> Very it will be saved and enjoy your help to resolve this matter.
>>
>> regards
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>