[Samba] I have issue in configuring file servers with AD integration.

Rowland Penny rpenny at samba.org
Tue Jan 8 09:42:58 UTC 2019 

On Tue, 8 Jan 2019 09:38:54 +0530
venkat ramu <ramut123 at gmail.com> wrote:

> Hi Rowland,
> 
> Please find the attached requested details. also Could you please
> share right document for the SAMBA configuration with AD
> authentication for file server. Thank you the help.
> 
> Thanks,
> Venkat

OK, you have a choice here, you can either do what I do, which is make
the network settings work for me (this involves removing netplan) or
try and work with the OS, for the latter, see here (at the bottom):

https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt

I am sure that Louis will correct any differences between a DC setup
and a Unix domain member ;-)

If you follow how I do it, remove netplan and then make /etc/hosts look
like this:

127.0.0.1       localhost
<UBUNTU-BASE IP>       ubuntu-base.testlab.com ubuntu-base

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

make /etc/resolv.conf look like this:

search testlab.com
nameserver 192.168.0.81

/etc/krb5.conf only needs to contain this:

[libdefaults]
default_realm = TESTLAB.COM
dns_lookup_realm = false
dns_lookup_kdc = true

I would suggest you make your smb.conf look like this:

[global]
        workgroup = TESTLAB
        security = ADS
        realm = TESTLAB.COM
        server string = %h server (Samba, Ubuntu)

        winbind use default domain = yes
        winbind expand groups = 2

        ## map ids outside of domain to tdb files.
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        ## map ids from the domain  the ranges may not overlap !
        idmap config TESTLAB : backend = rid
        idmap config TESTLAB : range = 10000-20000

        template shell = /bin/bash
        domain master = no
        local master = no
        preferred master = no
        os level = 20

        # user Administrator workaround, without it you are unable to set privileges
        username map = /etc/samba/user.map

        # For ACL support on domain member
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        max log size = 1000
        log file = /var/log/samba/log.%m
        syslog = 0
        log level = 3 passdb:5 auth:5
        panic action = /usr/share/samba/panic-action %d

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers

It assumes you haven't added anything to AD and will use the winbind
'rid' backend.

You will also have to create /etc/samba/user.map with this content:

!root = TESTLAB\Administrator

Rowland

More information about the samba mailing list