[Samba] Samba 4.6.5 Active Directory on CentOS

Rowland Penny rpenny at samba.org
Sun Jul 2 08:30:04 UTC 2017 

On Sat, 1 Jul 2017 17:12:30 -0500
John Schmerold via samba <samba at lists.samba.org> wrote:

> I am using Jeff Bales' procedure for configuring SAMBA with Active
> Directory
> https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/
> 
> When everything is all said & done everything seems to work, but I am 
> not able to configure home directories because the users don't have 
> local Linux accounts - I suspect I need to bind Linux's user table to 
> Active Directory, but cannot seem to make this happen. Any advise?
> 
> I am using this to add users:
> 
> samba-tool user create user P at ssrod4 --uid=user --uid-number=10001 
> --gid-number=100 --unix-home=/home/user --home-directory=/home/user 
> --login-shell=/bin/bash --gecos='user' --given-name=Happy
> --surname=User
> 
> 

Not much wrong with that howto, as far as it goes, apart from this step:

mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Yes, you might want to make a copy of the original krb5.conf, but you
should do it after the provision and the krb5.conf it tells you to
copy is the wrong one. The last line is totally redundant anyway, it
tells you to copy the correct one after the provision.

Now for what is probably wrong with your DC:

The howto tells you start Samba by just running 'samba' , did this
actually work ? Probably not, because 'samba' will be
in /usr/local/samba/sbin and this will not be in your path.

The howto also doesn't tell you that if you want to use a DC as a
fileserver, you need to create a few links for libnss_winbind.so.
Without these links, getent etc will not work and you need them to work
to have Unix users (and no, you cannot have users in /etc/passwd and
AD, same goes for groups)

See here for howto create the links:

https://wiki.samba.org/index.php/Libnss_winbind_Links

The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory'
and 'loginShell' attributes are ignored. Once you have 'getent'
working, you will find that all your users have their Unix home
directories set to '/home/DOMAIN/username' and their shell will be
'/bin/false', see here for how to fix this:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Finally, [homes] doesn't work on a DC, see here:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland

More information about the samba mailing list