[Samba] Sample smb.conf for ADs authentication
Rowland Penny
rpenny at samba.org
Fri Dec 14 09:41:41 UTC 2018
On Thu, 13 Dec 2018 19:10:38 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:
> Hello,
>
> I was able to follow most of the steps in the wiki but I seem to
> have an issue with winbind :
>
> wbinfo --ping-dc
>
> is failing with:
>
> [root at tungsten-2 samba]# wbinfo --ping-dc
> checking the NETLOGON for domain[-not available-] dc connection to ""
> failed failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
>
>
>
> Why is that all wrong since I was able to join the domain ?
> How to fix that ?
>
> Also, just to confirm, do I need to touch sssd at all ? Should it be
> running, with any specific config ?
Well, in my opinion, 'yum remove sssd' would be a very good idea ;-)
You do not need sssd, it isn't a Samba product and, as such, it
isn't supported here.
>
> See my config and details below.
>
> Thanks
>
> Gilbert
>
> ===============================================
>
> I have been able to join the domain:
>
> [root at server samba]# net ads join -U admin
> Enter admin's password:
> Using short domain name -- DOMAIN
> Joined 'SERVER' to dns domain 'DOMAIN'
Is your short domain name (aka workgroup) really the same as your dns
domain ?
>
>
> I can list the domain users on the windows AD server:
>
> [root at tungsten-2 samba]# net ads user
>
> Administrator
> user1
> user2
> ...
>
>
> Here is my smb.conf file
>
> [global]
> security = ADS
> workgroup = DOMAIN
> realm = DOMAIN.COM
>
> log file = /var/log/samba/log.%m
> log level = 2
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 0-499
Why are you using '0-499' for the '*' domain ?
The '*' domain is for the 'Well Known SIDs' and anything outside the
'DOMAIN' domain, you are using the same numbers as the Unix system
users & groups.
Can I suggest you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 500-20000
> idmap config DOMAIN:unix_nss_info = yes
>
Again, why '500-20000' ?
You have removed the possibility of having any local Unix users.
Have you added any uidNumber & gidNumber attributes to AD ?
> [Share]
> comment = Share
> path = /share
> hide dot files = no
> dos filemode = yes
> inherit acls = yes
> inherit permissions = yes
> create mode = 0664
> directory mode = 0775
> directory mask = 0775
> force create mode = 0664
> force directory mode = 0775
> force group = lab
> vfs objects = recycle
> recycle: keeptree = yes
> recycle: versions = yes
> recycle:directory_mode = 770
> recycle:touch_mtime = yes
> guest ok = Yes
You really would be better off using Windows ACLs and setting these
from a Windows computer.
>
>
> In my /etc/nsswitch.conf file (and I restarted all services after
> the edit)
>
> passwd: files sss winbind
> shadow: files sss
> group: files sss winbind
Remove all the 'sss'
>
>
>
> The output of realm list:
Pointless here, 'realmd' isn't a Samba product, so we wouldn't know a
good one from a bad one and you do not need it anyway.
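The two range objections above (the '*' range sitting on top of the system accounts, and the DOMAIN range leaving no room for local Unix users) can be checked mechanically before winbind is started. This is an added example, not code from the thread or from Samba; the local id range of 0-999 is an assumption standing in for UID_MIN/UID_MAX in login.defs, and the sample config is constructed from the idmap lines quoted above.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted above.
SAMPLE_SMB_CONF = """[global]
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 0-499
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 500-20000
"""

# Accepts both spellings seen above: 'idmap config * : range' and 'idmap config DOMAIN:range'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WRITABLE_BACKENDS = {"tdb", "tdb2", "autorid"}  # the '*' domain needs a read-write backend

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap(text, local_ids=(0, 999)):
    """Return findings. local_ids is the assumed range of system and local Unix
    accounts; any idmap range touching it collides with /etc/passwd and /etc/group."""
    cfg = parse_idmap(text)
    findings, ranges = [], {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        ranges[dom] = tuple(int(x) for x in opts["range"].split("-"))
        if overlaps(ranges[dom], local_ids):
            findings.append(f"{dom}: range {opts['range']} collides with local ids {local_ids[0]}-{local_ids[1]}")
    if cfg.get("*", {}).get("backend", "").lower() not in WRITABLE_BACKENDS:
        findings.append("*: backend must be read-write (e.g. tdb)")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"{a} and {b}: ranges overlap")
    return findings
```

Running `check_idmap(SAMPLE_SMB_CONF)` reports both collisions; moving the ranges above the local id space (for example 3000-7999 for '*' and 10000-999999 for DOMAIN) clears them.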