[Samba] Sample smb.conf for ADs authentication

Rowland Penny rpenny at samba.org
Fri Dec 14 16:32:35 UTC 2018 

On Fri, 14 Dec 2018 10:47:42 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Thanks for the help.
> 
> > Yes it is an issue.
> >
> > As I said, 0-500 is reserved for Unix system users and groups (it's
> > actually 0-999) so you cannot use these numbers for AD
> 
> I changed smb.conf to follow the range rules.  I dont expect to see my
> users below 3000 but    *wbinfo --ping-dc  * should work, isnt it ?
> It is still failing the same way.
> 
> Is there any log that would give more info ?

It should work, lets start again with a few questions ;-)

what is in /etc/hostname
what is in /etc/hosts
what is in /etc/krb5.conf

> 
> > Was the old ldap machine also a Samba PDC ?
> > If so, then use classicupgrade.
> 
> I see that it is not reversible so I am a bit scared to try it.

Yes, if your clients see the AD DC, there is no going back, but most
people do the classicupgrade in a test network first.

> 
> > Better still, set up a new AD domain and transfer your users, groups
> > and data to this.
> 
> In some sense, we are doing that now. We created a brand new domain
> and AD server ( windows ). Previously the domain controller was
> samba-ldap on Linux.
> We wish to transfer the users by preserving their uids and guids (we
> will enter them by hand in the windows AD server).

And there is your problem, if you want to use the 'ad' backend on the
Unix domain members, you need to create the users & groups first, along
with the required uidNumber & gidNumber attributes.

> 
> We have first successfully connected a smb service on a VM runing
> centos 7.4. What we are trying now is a clone of a production machine
> to see whether we can really
> switch a production machine. And it is not as smooth.

It wouldn't be without users & groups.

> 
> We have many servers and shares on other servers that also need to
> have the same user ids. Creating new ids would be more painful.

I would take the pain and create users & groups with uidNumber &
gidNumber attributes containing numbers from '10000'
 
> However, is it really what prevents
>  *wbinfo --ping-dc*  from working now ?  I set up smb.conf as per the
> spec and it cannot connect. Is it because of the user range ? Can we
> know the low level reason
> why it is not connecting ?

Is there a firewall in the way ?
 
Rowland

More information about the samba mailing list