[Samba] Samba 4.6.5 Active Directory on CentOS

John Schmerold schmerold2 at gmail.com
Mon Jul 3 12:27:28 UTC 2017 

On 7/2/2017 3:30 AM, Rowland Penny via samba wrote:
> On Sat, 1 Jul 2017 17:12:30 -0500
> John Schmerold via samba <samba at lists.samba.org> wrote:
>
>> I am using Jeff Bales' procedure for configuring SAMBA with Active
>> Directory
>> https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/
>>
>> When everything is all said & done everything seems to work, but I am
>> not able to configure home directories because the users don't have
>> local Linux accounts - I suspect I need to bind Linux's user table to
>> Active Directory, but cannot seem to make this happen. Any advise?
>>
>> I am using this to add users:
>>
>> samba-tool user create user P at ssrod4 --uid=user --uid-number=10001
>> --gid-number=100 --unix-home=/home/user --home-directory=/home/user
>> --login-shell=/bin/bash --gecos='user' --given-name=Happy
>> --surname=User
>>
>>
> Not much wrong with that howto, as far as it goes, apart from this step:
>
> mv /etc/krb5.conf /etc/krb5.conf.bak
> cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
>
> Yes, you might want to make a copy of the original krb5.conf, but you
> should do it after the provision and the krb5.conf it tells you to
> copy is the wrong one. The last line is totally redundant anyway, it
> tells you to copy the correct one after the provision.
>
> Now for what is probably wrong with your DC:
>
> The howto tells you start Samba by just running 'samba' , did this
> actually work ? Probably not, because 'samba' will be
> in /usr/local/samba/sbin and this will not be in your path.
>
> The howto also doesn't tell you that if you want to use a DC as a
> fileserver, you need to create a few links for libnss_winbind.so.
> Without these links, getent etc will not work and you need them to work
> to have Unix users (and no, you cannot have users in /etc/passwd and
> AD, same goes for groups)
>
> See here for howto create the links:
>
> https://wiki.samba.org/index.php/Libnss_winbind_Links
>
> The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory'
> and 'loginShell' attributes are ignored. Once you have 'getent'
> working, you will find that all your users have their Unix home
> directories set to '/home/DOMAIN/username' and their shell will be
> '/bin/false', see here for how to fix this:
>
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> Finally, [homes] doesn't work on a DC, see here:
>
> https://wiki.samba.org/index.php/User_Home_Folders
>
> Rowland
>
Thanks for the spot-on advice. Jeff Bales' procedure was a great start, 
needed a few tweaks. The server fully functioning as a DC, I was able to 
get homes working by adding this bit of magic to [homes]:
     root preexec = bash -c '[[ -d /home/%U ]] || mkdir -p -m 0700 
/home/%U && chown %U:users /home/%U'

I have this configured in a VMWare environment, so there is no reason 
not to setup a separate DC, but that will have to keep for another day.

John Schmerold
St Louis, MO

More information about the samba mailing list