[Samba] Using samba AD in mixed OS environment

Zdravko Zdravkov nirayah at gmail.com
Sun Apr 29 10:35:08 UTC 2018


So, so..

Server and clients are CentOS7.
Server was configured using samba-tool domain provision.

*smb.conf* from server

[global]
        netbios name = AD
        realm = XXXXXX
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = XXXX
        idmap config XXXX:unix_nss_info = yes
        log file = /var/log/samba/samba.log
        log level = 3
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

*sssd.conf* from client

[sssd]
domains = xxxx
config_file_version = 2
services = nss, pam
[domain/xxxx]
ad_domain = xxxx
krb5_realm = XXXX
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

*nsswitch.conf* on client (part of it)

passwd:     files sss
shadow:     files sss
group:      files sss

getent passwd pj (for example) provides this:

pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash

Cheers

On Sat, Apr 28, 2018 at 1:36 PM, Rowland Penny <rpenny at samba.org> wrote:

> On Sat, 28 Apr 2018 13:10:14 +0100
> Zdravko Zdravkov via samba <samba at lists.samba.org> wrote:
>
> > Hi guys.
> >
> > I've got working samba AD server. It is playing nicely with Windows
> > 10 and also successfully authenticating Linux machines with SSSD.
>
> If you want help with sssd, sorry, but this isn't the place.
>
> > On the Windows machines I have our EMC storage smb mounted via group
> > policy. Managing permissions for users and groups there, as you know,
> > happens with right click, security etc..
> > As you may have already guessed the troubles come when my Linux
> > machines, that access the storage via nfs mount, need to work with
> > folders and files created from the Windows PCs. Linux doesn't "see"
> > the actual user/group that owns given folder. It interprets it into
> > numbers, some kind of UID that comes from the Windows machines.
>
> For a Linux machine to know an AD user, then 'getent passwd username'
> must produce output e.g. getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> To get this to work, you need to configure several things. The correct
> packages need to be installed.
> PAM, smb.conf and /etc/nsswitch.conf need to be configured correctly.
> Just how they need to be configured depends on what you are
> configuring, a DC or a Unix domain member.
>
> > I'm quite sure that this is common and known issue, but I don't know
> > what is the right way to deal with it.
>
> Yes it is and neither do I, well not until you give us more info ;-)
>
> smb.conf from the DC and any Unix domain members.
> What OS are you using?
> How are the 'passwd' & 'group' lines set in /etc/nsswitch ?
>
> Rowland
>
>
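The three things Rowland asks for (nsswitch lines, sssd setup, getent output) can be sanity-checked offline. The script below is an added example, not part of the thread and not Samba's or SSSD's own tooling: it parses copies of the client configuration and the getent line posted above (embedded here as constructed sample strings) and reports whether NSS actually consults sss, whether the sssd nss responder is enabled, and whether the resolved UID falls in sssd's default algorithmic ID range (200000 to 2000200000, the sssd-ldap(5) defaults, assumed here rather than taken from the post). A UID in that range with ldap_id_mapping = True is derived from the SID on the client, so it only matches file ownership on an NFS server if that server assigns the same UID to the same SID, which is the mismatch the original question describes.

```shell
#!/bin/sh
# Added example (not from the thread): offline checker for the client-side
# pieces of AD name resolution. Inputs are plain strings, so it can run on
# copies of the files without touching the live system.

# Constructed samples, condensed from the configuration shown in the post.
SAMPLE_NSSWITCH='passwd:     files sss
shadow:     files sss
group:      files sss'

SAMPLE_SSSD='[sssd]
domains = xxxx
config_file_version = 2
services = nss, pam
[domain/xxxx]
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False'

SAMPLE_GETENT='pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash'

# nss_has_sss DB TEXT -> exit 0 if the nsswitch database DB lists "sss"
nss_has_sss() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit found ? 0 : 1 }'
}

# sssd_value KEY TEXT -> print the value of KEY (first match), empty if absent
sssd_value() {
    printf '%s\n' "$2" | awk -F'=' -v key="$1" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# getent_uid / getent_gid LINE -> print the uid / gid field of a passwd line
getent_uid() { printf '%s\n' "$1" | cut -d: -f3; }
getent_gid() { printf '%s\n' "$1" | cut -d: -f4; }

# in_sssd_autorange UID -> exit 0 if UID lies in sssd's default algorithmic
# ID-mapping range (assumed defaults: ldap_idmap_range_min=200000,
# ldap_idmap_range_max=2000200000)
in_sssd_autorange() { [ "$1" -ge 200000 ] && [ "$1" -le 2000200000 ]; }

# check_client NSSWITCH SSSD GETENT_LINE -> print findings; exit 0 if the
# basic resolution prerequisites are all present
check_client() {
    ok=0
    for db in passwd group; do
        if nss_has_sss "$db" "$1"; then
            echo "OK   nsswitch: $db consults sss"
        else
            echo "FAIL nsswitch: $db does not list sss"; ok=1
        fi
    done
    case ",$(sssd_value services "$2" | tr -d ' ')," in
        *,nss,*) echo "OK   sssd: nss responder enabled" ;;
        *)       echo "FAIL sssd: nss responder not in services"; ok=1 ;;
    esac
    uid=$(getent_uid "$3")
    if [ "$(sssd_value ldap_id_mapping "$2")" = "True" ] && in_sssd_autorange "$uid"; then
        echo "NOTE uid $uid is generated from the SID by sssd; it matches ownership"
        echo "     on an NFS server only if that server maps the same SID to the same uid"
    fi
    return $ok
}

check_client "$SAMPLE_NSSWITCH" "$SAMPLE_SSSD" "$SAMPLE_GETENT"
```

To run it against a real client, replace the sample strings with `$(cat /etc/nsswitch.conf)`, `$(cat /etc/sssd/sssd.conf)` and the output of `getent passwd <user>`; the checks themselves do not need root or network access.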