[Samba] Using samba AD in mixed OS environment
nirayah at gmail.com
Sun Apr 29 10:35:08 UTC 2018
Server and clients are CentOS7.
Server was configured using samba-tool domain provision.
*smb.conf* from server
> netbios name = AD
> realm = XXXXXX
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = XXXX
> idmap config XXXX:unix_nss_info = yes
> log file = /var/log/samba/samba.log
> log level = 3
> path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts
> read only = No
> path = /usr/local/samba/var/locks/sysvol
> read only = No
*sssd.conf* from client
> domains = xxxx
> config_file_version = 2
> services = nss, pam
> ad_domain = xxxx
> krb5_realm = XXXX
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad
*nsswitch.conf* on client (part of it)
> passwd: files sss
> shadow: files sss
> group: files sss
getent passwd pj (for example) provides this:
On Sat, Apr 28, 2018 at 1:36 PM, Rowland Penny <rpenny at samba.org> wrote:
> On Sat, 28 Apr 2018 13:10:14 +0100
> Zdravko Zdravkov via samba <samba at lists.samba.org> wrote:
> > Hi guys.
> > I've got a working samba AD server. It is playing nicely with Windows
> > 10 and also successfully authenticating Linux machines with SSSD.
> If you want help with sssd, sorry, but this isn't the place.
> > On the Windows machines I have our EMC storage smb mounted via group
> > policy. Managing permissions for users and groups there, as you know,
> > happens with right click, security etc..
> > As you may have already guessed the troubles come when my Linux
> > machines, that access the storage via nfs mount, need to work with
> > folders and files created from the Windows PCs. Linux doesn't "see"
> > the actual user/group that owns given folder. It interprets it into
> > numbers, some kind of UID that comes from the Windows machines.
> For a Linux machine to know an AD user, then 'getent passwd username'
> must produce output e.g. getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> To get this to work, you need to configure several things. The correct
> packages need to be installed.
> PAM, smb.conf and /etc/nsswitch.conf need to be configured correctly.
> Just how they need to be configured depends on what you are
> configuring, a DC or a Unix domain member.
> > I'm quite sure that this is common and known issue, but I don't know
> > what is the right way to deal with it.
> Yes it is and neither do I, well not until you give us more info ;-)
> smb.conf from the DC and any Unix domain members.
> What OS are you using?
> How are the 'passwd' & 'group' lines set in /etc/nsswitch?
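The two checks Rowland's reply asks for (an NSS source on the passwd and group lines that can answer for AD accounts, and a seven-field `getent passwd` line for the user) as a small POSIX shell script. This is an added example, not code from the original thread or from the Samba project; the nsswitch lines and the getent line are constructed from the text quoted above, and `check_host` is a hypothetical helper that runs the same checks against a live host when given a username.

```shell
#!/bin/sh
# Added example, not from the original post: verify that NSS can resolve AD
# users the way the reply describes. Sample inputs below are constructed
# from the text of the thread.

# Constructed sample: the passwd/shadow/group lines from the client's nsswitch.conf
SAMPLE_NSSWITCH='passwd: files sss
shadow: files sss
group: files sss'

# Constructed sample: the getent passwd line quoted in the reply
SAMPLE_GETENT='rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# nss_has_ad_source DB TEXT
# Succeeds when the DB line (passwd or group) in TEXT lists an NSS module that
# can answer for AD accounts (sss for SSSD, winbind for Samba's winbindd).
nss_has_ad_source() {
    db=$1
    text=$2
    printf '%s\n' "$text" | awk -v db="$db" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if ($i == "sss" || $i == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# getent_uid LINE
# Prints the numeric UID from a getent passwd line; fails unless the line has
# the seven colon-separated fields (name:pw:uid:gid:gecos:home:shell).
getent_uid() {
    line=$1
    nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    [ "$nf" -eq 7 ] || return 1
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    case $uid in
        ''|*[!0-9]*) return 1 ;;   # the uid field must be a plain number
    esac
    printf '%s\n' "$uid"
}

# check_host USER  (hypothetical helper, assumed here)
# Runs the same checks against the live host: nsswitch.conf must hand passwd
# and group lookups to sss/winbind, and getent must resolve USER to a UID.
check_host() {
    user=$1
    nss=$(cat /etc/nsswitch.conf)
    nss_has_ad_source passwd "$nss" || { echo "passwd: no sss/winbind in nsswitch.conf"; return 1; }
    nss_has_ad_source group "$nss"  || { echo "group: no sss/winbind in nsswitch.conf"; return 1; }
    line=$(getent passwd "$user")   || { echo "getent cannot resolve $user"; return 1; }
    uid=$(getent_uid "$line")       || { echo "unexpected getent output: $line"; return 1; }
    echo "$user resolves to uid $uid"
}

# Usage: sh check_ad_nss.sh USERNAME   (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it on each Linux client with a domain user as the argument; a failure on the passwd/group check points at nsswitch.conf, a failure on the getent step points at the SSSD or winbind side, which is the split Rowland draws between a DC and a Unix domain member.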