This shows you the differences between two versions of the page.
samba4_as_domain_member [2017/05/26 16:28] cbustillo@uclv [Compiling and installation] |
samba4_as_domain_member [2020/04/10 17:38] (current) |
Line 36: | Line 36: | ||
# apt-get install sernet-samba sernet-samba-winbind attr acl krb5-user | # apt-get install sernet-samba sernet-samba-winbind attr acl krb5-user | ||
</code> | </code> | ||
- | |||
- | To enable smbd/nmbd/winbind deamons, edit "/etc/default/sernet-samba" and set SAMBA_START_MODE to "classic": | ||
- | <code> | ||
- | SAMBA_START_MODE="classic" | ||
- | </code> | ||
- | |||
===== Setting up Kerberos ===== | ===== Setting up Kerberos ===== | ||
---- | ---- | ||
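Review bot: dropping the SAMBA_START_MODE="classic" step leaves the sernet-samba install on the line above with no instruction for enabling smbd, nmbd and winbind; the Sernet init script does not start the daemons until that variable is set in /etc/default/sernet-samba. If the step was moved into 'Starting the daemons' rather than deleted, say so in this section; otherwise reinstate the three lines.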
Line 66: | Line 60: | ||
[libdefaults] | [libdefaults] | ||
default_realm = REDTIC.UCLV.CU | default_realm = REDTIC.UCLV.CU | ||
- | dns_lookup_realm = true | + | dns_lookup_realm = false |
dns_lookup_kdc = true | dns_lookup_kdc = true | ||
ticket_lifetime = 24h | ticket_lifetime = 24h | ||
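Review bot: flipping dns_lookup_realm to false is the right change, since the realm is already pinned by default_realm and realm discovery over DNS TXT records is unauthenticated, but the hunk should say why the value changed. Note that dns_lookup_kdc = true still locates the KDC through DNS SRV records, so a [realms] entry for REDTIC.UCLV.CU with an explicit kdc and admin_server is worth keeping as a fallback for when DNS is wrong or unavailable.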
Line 111: | Line 105: | ||
[global] | [global] | ||
- | netbios name = Member1 | ||
workgroup = REDTIC # SHORTDOMAINNAME | workgroup = REDTIC # SHORTDOMAINNAME | ||
security = ADS | security = ADS | ||
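Review bot: removing 'netbios name = Member1' changes the name the host joins under without telling the reader: Samba then derives the NetBIOS name from the first component of the hostname, and the computer account, its SPNs and the keytab entries written at join time all follow that name. Either note that here, or keep the parameter with a comment that it must match the name the host should carry in AD; an admin copying this onto a box with a throwaway hostname will otherwise register that hostname in the domain.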
Line 118: | Line 111: | ||
kerberos method = secrets and keytab | kerberos method = secrets and keytab | ||
+ | # Default ID mapping configuration for local BUILTIN accounts | ||
+ | # and groups on a domain member. The default (*) domain: | ||
+ | # - must not overlap with any domain ID mapping configuration! | ||
+ | # - must use an read-write-enabled back end, such as tdb. | ||
idmap config *:backend = tdb | idmap config *:backend = tdb | ||
- | idmap config *:range = 70001-80000 | + | idmap config *:range = 3000-9999 |
idmap config REDTIC:backend = ad | idmap config REDTIC:backend = ad | ||
idmap config REDTIC:schema_mode = rfc2307 | idmap config REDTIC:schema_mode = rfc2307 | ||
- | idmap config REDTIC:range = 500-40000 | + | idmap config REDTIC:range = 10000-99999999 |
- | winbind nss info = rfc2307 | ||
winbind trusted domains only = no | winbind trusted domains only = no | ||
winbind use default domain = yes | winbind use default domain = yes | ||
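Review bot: the new default-domain range 3000-9999 sits inside the range Debian's adduser allocates to ordinary local users (1000 upward), so a locally created account can collide with a BUILTIN mapping; check /etc/passwd and /etc/group before adopting it, or start the range above the highest local UID in use. The comment on the fourth added line should read 'a read-write-enabled back end'. The REDTIC range 10000-99999999 is fine for backend = ad, where the range only filters which uidNumber/gidNumber values are accepted, and the two ranges no longer overlap; the old 500-40000 domain range had the worse problem of overlapping the system-account IDs below 1000.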
Line 132: | Line 128: | ||
# Uncomment the following options if you needs really | # Uncomment the following options if you needs really | ||
- | # looking for these options in smb.conf before!! | + | # Looking for these options in smb.conf before!! |
#winbind expand groups = 4 | #winbind expand groups = 4 | ||
#winbind normalize names = Yes | #winbind normalize names = Yes | ||
#domain master = no | #domain master = no | ||
#local master = no | #local master = no | ||
+ | |||
+ | # Use template settings for login shell and home directory | ||
+ | winbind nss info = rfc2307 | ||
+ | template shell = /bin/bash | ||
+ | template homedir = /home/%D/%U | ||
# Disable CUPS errors | # Disable CUPS errors | ||
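Review bot: the comment 'Use template settings for login shell and home directory' is misleading next to 'winbind nss info = rfc2307': with rfc2307 winbind reads the shell and home directory from the AD loginShell and unixHomeDirectory attributes, and 'template shell' / 'template homedir' only apply to accounts that lack those attributes (they apply to everyone only when nss info is template). Reword the comment to say the template values are the fallback. The context line 'if you needs really' still has the grammar error; fix it while touching this hunk.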
Line 154: | Line 155: | ||
This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range. | This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range. | ||
- | **NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber change 'idmap config REDTIC:backend = ad' for 'idmap config REDTIC:backend = rid'. | + | **NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber: |
+ | * Change line 'idmap config REDTIC:backend = ad' to 'idmap config REDTIC:backend = rid'. | ||
+ | * Change line 'winbind nss info = rfc2307' to 'winbind nss info = template'. | ||
+ | * Comment out the line: 'idmap config REDTIC:schema_mode = rfc2307' | ||
For further explanation on the 'smb.conf' parameters, see the manpage: | For further explanation on the 'smb.conf' parameters, see the manpage: | ||
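Review bot: the expanded NOTE is correct as far as it goes, but two things a reader switching to rid needs are missing: the rid back end computes the UID as the RID offset from the low end of 'idmap config REDTIC:range', so the range must be wide enough to cover the highest RID in the domain (the 10000-99999999 range from the earlier hunk is), and the same range must be configured identically on every member server, otherwise the same user gets a different UID on each host. 'If yours users/groups' should read 'If your users/groups'.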
Line 164: | Line 168: | ||
- The choice domain back-end depends of who provide the domain. If you have MSAD without "Services for Unix (SFU)", you should use 'rid' back-end; instead for Samba4 AD use 'ad' back-end, as showed in the previous example. | - The choice domain back-end depends of who provide the domain. If you have MSAD without "Services for Unix (SFU)", you should use 'rid' back-end; instead for Samba4 AD use 'ad' back-end, as showed in the previous example. | ||
- The parameter values of "idmap config *:range" can't not contained in "idmap config SHORTDOMAINNAME:range". | - The parameter values of "idmap config *:range" can't not contained in "idmap config SHORTDOMAINNAME:range". | ||
- | - In case that you have a big database, last number in the interval in "idmap config SHORTDOMAINNAME:range =" should be a big number, because some user are not detected by Samba. | + | - In case that you have a big database, last number in the interval in "idmap config SHORTDOMAINNAME:range =" should be a big number, because some users are not detected by Samba. |
- The 'dedicated keytab file = /etc/krb5.keytab' & 'kerberos method = secrets and keytab' lines will create the keytab when the machine joins the domain and set samba to use it, 'winbind refresh tickets = Yes' tells winbind to ensure that the keytab is kept updated. | - The 'dedicated keytab file = /etc/krb5.keytab' & 'kerberos method = secrets and keytab' lines will create the keytab when the machine joins the domain and set samba to use it, 'winbind refresh tickets = Yes' tells winbind to ensure that the keytab is kept updated. | ||
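Review bot: the last item's description of 'winbind refresh tickets' is wrong: that option renews the Kerberos tickets users obtain when logging in through pam_winbind and has nothing to do with the keytab. The keytab is rewritten when winbind rotates the machine account password ('machine password timeout', 7 days by default), which 'kerberos method = secrets and keytab' already covers. Add that /etc/krb5.keytab holds the machine account keys and must stay root-owned with mode 0600. The second item still says 'can't not contained'; it should state that the two ranges must not overlap.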
Line 180: | Line 184: | ||
---- | ---- | ||
- | To have your domain users and groups available on your member server, you have to place two links in your /lib (/lib64 for amd64) folder: | + | To enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path. |
+ | |||
+ | To determine the operating system's platform: | ||
- | **For i386:** | ||
<code> | <code> | ||
- | # ln -s /usr/local/samba/lib/libnss_winbind.so /lib | + | # uname -i |
- | # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 | + | </code> |
+ | |||
+ | The 'libnss_winbind.so.2' library is installed in the Samba library directory set at compile time. To locate the folder: | ||
+ | |||
+ | <code> | ||
+ | # smbd -b | grep LIBDIR | ||
+ | LIBDIR: /usr/local/samba/lib/ | ||
+ | </code> | ||
+ | |||
+ | **For amd64 (x86_64):** | ||
+ | <code> | ||
+ | # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/ | ||
+ | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so | ||
# ldconfig | # ldconfig | ||
</code> | </code> | ||
- | **For amd64:** | + | **For i386:** |
<code> | <code> | ||
- | # ln -s /usr/local/samba/lib/libnss_winbind.so /lib64 | + | # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/ |
- | # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2 | + | # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so |
# ldconfig | # ldconfig | ||
</code> | </code> | ||
- | //**For Samba4 Sernet: (you should not have to do the following normally, if not work try:)**// | + | //**For Samba4 Sernet or repository distro installation: (you should not have to do the following normally, if not work try:)**// |
+ | |||
+ | **For amd64(x86_64):** | ||
+ | |||
+ | You must have linked '/lib/x86_64-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked: | ||
- | **For i386:** | ||
<code> | <code> | ||
- | # ln -s /lib/i386-linux-gnu/libnss_winbind.so /lib | + | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so |
- | # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 | + | |
# ldconfig | # ldconfig | ||
</code> | </code> | ||
- | **For amd64:** | + | **For i386:** |
+ | |||
+ | You must have linked '/lib/i386-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked: | ||
<code> | <code> | ||
- | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so /lib64 | + | # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so |
- | # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2 | + | |
# ldconfig | # ldconfig | ||
</code> | </code> | ||
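Review bot: the rewritten procedure links libnss_winbind.so.2 into the multiarch directory, which is the file glibc actually opens for the 'winbind' NSS source, so the old order (.so first, then .so.2 pointing at it) is correctly reversed. Two points remain. 'uname -i' prints 'unknown' on most Debian and Ubuntu kernels, so 'uname -m' or 'dpkg --print-architecture' is the reliable way to choose the directory. And because every process that resolves a user or group name, root's included, will load this module, the link target under /usr/local/samba/lib must be owned by root and writable by nobody else; an 'ls -l' on the target before 'ldconfig' belongs in the text. The '.so.2 -> .so' link in the Sernet/distro block is needed only for build-time linking, not for NSS, which agrees with the 'you should not have to do the following normally' caveat. 'To linked' should read 'To link it'.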
Line 226: | Line 247: | ||
===== Starting the daemons ===== | ===== Starting the daemons ===== | ||
---- | ---- | ||
- | |||
- | Before start Samba | ||
Once you have finished the above steps, you must start the following services: | Once you have finished the above steps, you must start the following services: | ||
Line 290: | Line 309: | ||
+ | ===== Verifying the File Server ===== | ||
+ | ---- | ||
+ | |||
+ | To list all shares provided by the Samba File Server: | ||
+ | |||
+ | <code> | ||
+ | # smbclient -L localhost -U% | ||
+ | </code> | ||
+ | |||
+ | To verify authentication, connect to the "Demo" share using the domain administrator account: | ||
+ | |||
+ | <code> | ||
+ | # smbclient //localhost/Demo -UAdministrator -c 'ls' | ||
+ | </code> | ||
+ | ===== Try out some net commands to see if Samba can communicate with AD: ===== | ||
+ | ---- | ||
+ | |||
+ | <code> | ||
+ | # net ads info | ||
+ | # net ads lookup | ||
+ | # net ads status -U administrator | less | ||
+ | </code> | ||
===== Leaving domain ===== | ===== Leaving domain ===== | ||
---- | ---- |
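Review bot: the 'Demo' share used on the smbclient line is not defined anywhere in this revision, so the check fails for anyone following the page as written; add a [Demo] share to the smb.conf section or point the command at a share the page creates. Prefer a regular domain user over Administrator for this test: it exercises the idmap path ordinary users will hit (Administrator may have no uidNumber in AD, in which case the ad back end cannot map it and the test fails for a reason unrelated to the share), and it keeps the domain admin password out of a shell on a member server. 'smbclient -L localhost -U%' is an anonymous connection and only succeeds where anonymous IPC$ access is still allowed; listing with '-U' and a domain account removes that ambiguity. Before the net commands, 'net ads testjoin' and 'wbinfo -u' followed by 'getent passwd' would confirm the join and the NSS links from the earlier hunk in one step.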