[Samba] debian 10: errors with my server samba-ad

nathalie ramat nathalie.ramat at univ-littoral.fr
Thu May 16 13:39:45 UTC 2019


hi

I have successfully integrated my Linux client in my domain.
My problem was that my Linux client was in a virtual machine under 
proxmox - and some ports seem to be blocked.
In a test with a machine under VirtualBox I managed to integrate my client 
into my AD.

But I still have questions.

I put the directory of my user in unixHomeDirectory. How can I mount it 
on my Linux client?
Is it possible to use this information with the pam_mount module?

I configured my smb.conf on my client:

[global]
     security = ads
     realm= lenzspitze2.calais.fr
     workgroup = LENZSPITZE2
     netbios name = clientlinux
     winbind separator = /
#    idmap uid = 0-50000
#    idmap gid = 0-50000

     idmap config * : backend= tdb
     idmap config * : range =0-1000
     winbind enum users = yes
     winbind enum groups = yes
#    idmap config LENZSPITZE :backend=rid
#    idmap config LENZSPITZE :base_rid=0

     idmap config LENZSPITZE2 : backend = ad
     idmap config LENZSPITZE2 : schema_mode =rfc2307
     idmap config LENZSPITZE2 : range = 10000-399999999
     idmap config LENZSPITZE2 : unix_nss_info = yes

     #template homedir = /etudiants/%U
     #template shell = /bin/bash
     encrypt passwords = yes
     winbind nss info = rfc2307
     kerberos method = secrets and keytab
     winbind use default domain = yes
     log file =/var/log/samba/log.%m
     log level = 3
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
When I use mount -t cifs //namserver/test /etudiants/test -o 
username=test,rw,file_mode=0700,dir_mode=0700,cifsacl - the directory 
mounts - but I don't see the ACLs for the directory, while I see them on the server.
Thanks for your help.
On 14/05/2019 at 12:40, Rowland penny via samba wrote:
> On 14/05/2019 10:58, nathalie ramat wrote:
>> hi,
>>
>> My user must be able to connect under windows and under linux. The 
>> home is common. Their home is on the server.
>
> This is easy
>
>>
>> As they are students - they are identified by their formation 
>> (group) and by their login
>>
>> for example /home/specifique/testlundi
>>                   /home/l1info/testmardi
>>
>> For me the student belongs to a group and I have created each group 
>> in an OU
> Then you MUST use the winbind 'ad' backend and set smb.conf to use the 
> info stored in AD.
>>
>> and I take the last number of the group SID for gidNumber - it was to 
>> find out which group he belonged to - is it not a good idea?
>
> Definitely not, SIDs start at '1000' and so do the Unix IDs, this 
> means that you cannot have any local Unix users. There is also the 
> problem of Domain Users, its RID is '513' and all your users and 
> groups must have Unix IDs (set by uidNumber & gidNumber attributes in 
> AD) inside the range you set in smb.conf
>
>>
>>
>> on my smb.conf on the server i put
>>
>> [homes]
>>     path=/home/%G/%U
>>     read only = no
>>
>>
>> Actually - I can't put my Linux client in my AD.
>> net ads join -S nameofsever -U administrator --> doesn't give a 
>> response -- it waits  ...
>>
> You shouldn't need the '-S' option, so is your DNS set up correctly ?
>> my client linux smb.conf is
>>
>>
>>  [global]
>>     security =ADS
>>     realm = LENZSPITZE2.CALAIS.FR
>>     workgroup =LENZSPITZE2
>>     netbios name = testbugsterl
>>     winbind separator = /
>>     winbind enum users = yes
>>     winbind enum groups = yes
> Once you get everything working, remove the two lines above, you only 
> need them for testing purposes.
>>     idmap config LENZSPITZE2 : backend = ad
>>     idmap config LENZSPITZE2 : schema_mode =rfc2307
>>     idmap config LENZSPITZE2 : range = 10000-399999999
>
> Hmm, your lowest ID is probably the one from Domain Users '513', which 
> is less than '10000', this isn't going to work. I would change the 
> uidNumber & gidNumber attributes in AD to match the above range.
>
>
>>     idmap config LENZSPITZE2 : unix_nss_info = yes
>>     template homedir =/etudiants/%U
>>     template shell =/bin/bash
> Remove the two lines above, for what you want to do, you must obtain 
> this information from AD
>>     winbind nss info = rfc2307
> You do not require the line above
>>     kerberos method =  secrets and keytab
>>     dedicated keytab file =/etc/krb5.keytab
>>     winbind refresh tickets =yes
>>     username map = /etc/samba/samba_usermapping
>>     winbind use default domain = yes
>>     log file =/var/log/samba/log.%m
>>     log level = 3
>> # for acl support on member servers with shares
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>     store dos attributes = yes
>>     winbind nss info = rfc2307
>
> You still don't need the line above ;-)
>
> Rowland
>
>
>

-- 
Nathalie RAMAT-LECLERCQ

Service Informatique

Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux

Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX
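An added example, not code from this thread or from Samba: a POSIX shell check that the uidNumber/gidNumber values assigned in AD fall inside the `idmap config DOMAIN : range` of smb.conf, which is the mismatch Rowland describes above (Domain Users carrying its RID 513, group numbers taken from the last part of a SID, both below the 10000 lower bound). The smb.conf fragment, the ID records and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: checks whether
# AD uidNumber/gidNumber values fit the idmap range of the 'ad' backend.

# Constructed smb.conf fragment, modelled on the client config above.
SMB_CONF='[global]
     security = ads
     workgroup = LENZSPITZE2
     idmap config * : backend = tdb
     idmap config * : range = 0-1000
     idmap config LENZSPITZE2 : backend = ad
     idmap config LENZSPITZE2 : range = 10000-399999999'

# Constructed "name id" records as they might be read from AD (on a real
# client, feed uidNumber/gidNumber values from ldbsearch here instead).
# 513 is Domain Users given its RID as gidNumber, 1105 is a group number
# taken from the last part of a SID: both fall below the 10000 lower bound.
AD_IDS='Domain Users 513
l1info 1105
specifique 10001
testlundi 10500
testmardi 400000000'

# idmap_range DOMAIN CONF -> prints "LOW HIGH" from the domain's range line
idmap_range() {
    printf '%s\n' "$2" | sed -n \
      "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p"
}

# check_ids DOMAIN CONF RECORDS -> prints each record whose id is outside
# the range (or has no numeric id); returns 2 if no range is configured
check_ids() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "no idmap range configured for $1" >&2; return 2; }
    low=${range% *}; high=${range#* }
    printf '%s\n' "$3" | while IFS= read -r rec; do
        id=${rec##* }
        case $id in
            ''|*[!0-9]*) printf 'NO ID   : %s\n' "$rec"; continue ;;
        esac
        if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
            printf 'OUTSIDE %s-%s: %s\n' "$low" "$high" "$rec"
        fi
    done
}

# count_outside DOMAIN CONF RECORDS -> number of offending records
count_outside() { check_ids "$@" | wc -l | tr -d ' '; }

check_ids LENZSPITZE2 "$SMB_CONF" "$AD_IDS"
```

With the constructed records the check flags three entries: the two IDs below 10000 and the one above the 399999999 upper bound.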
