samba4_as_domain_member
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
samba4_as_domain_member [2017/05/26 16:29] cbustillo@uclv [Setting up Kerberos] |
samba4_as_domain_member [2020/04/10 17:38] (current) |
||
|---|---|---|---|
| Line 105: | Line 105: | ||
| [global] | [global] | ||
| - | netbios name = Member1 | ||
| workgroup = REDTIC # SHORTDOMAINNAME | workgroup = REDTIC # SHORTDOMAINNAME | ||
| security = ADS | security = ADS | ||
| Line 112: | Line 111: | ||
| kerberos method = secrets and keytab | kerberos method = secrets and keytab | ||
| + | # Default ID mapping configuration for local BUILTIN accounts | ||
| + | # and groups on a domain member. The default (*) domain: | ||
| + | # - must not overlap with any domain ID mapping configuration! | ||
| + | # - must use an read-write-enabled back end, such as tdb. | ||
| idmap config *:backend = tdb | idmap config *:backend = tdb | ||
| - | idmap config *:range = 70001-80000 | + | idmap config *:range = 3000-9999 |
| idmap config REDTIC:backend = ad | idmap config REDTIC:backend = ad | ||
| idmap config REDTIC:schema_mode = rfc2307 | idmap config REDTIC:schema_mode = rfc2307 | ||
| - | idmap config REDTIC:range = 500-40000 | + | idmap config REDTIC:range = 10000-99999999 |
| - | winbind nss info = rfc2307 | ||
| winbind trusted domains only = no | winbind trusted domains only = no | ||
| winbind use default domain = yes | winbind use default domain = yes | ||
| Line 126: | Line 128: | ||
| # Uncomment the following options if you needs really | # Uncomment the following options if you needs really | ||
| - | # looking for these options in smb.conf before!! | + | # Looking for these options in smb.conf before!! |
| #winbind expand groups = 4 | #winbind expand groups = 4 | ||
| #winbind normalize names = Yes | #winbind normalize names = Yes | ||
| #domain master = no | #domain master = no | ||
| #local master = no | #local master = no | ||
| + | |||
| + | # Use template settings for login shell and home directory | ||
| + | winbind nss info = rfc2307 | ||
| + | template shell = /bin/bash | ||
| + | template homedir = /home/%D/%U | ||
| # Disable CUPS errors | # Disable CUPS errors | ||
| Line 148: | Line 155: | ||
| This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range. | This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range. | ||
| - | **NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber change 'idmap config REDTIC:backend = ad' for 'idmap config REDTIC:backend = rid'. | + | **NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber: |
| + | * Change line 'idmap config REDTIC:backend = ad' to 'idmap config REDTIC:backend = rid'. | ||
| + | * Change line 'winbind nss info = rfc2307' to 'winbind nss info = template'. | ||
| + | * Comment out the line: 'idmap config REDTIC:schema_mode = rfc2307' | ||
| For further explanation on the 'smb.conf' parameters, see the manpage: | For further explanation on the 'smb.conf' parameters, see the manpage: | ||
| Line 158: | Line 168: | ||
| - The choice domain back-end depends of who provide the domain. If you have MSAD without "Services for Unix (SFU)", you should use 'rid' back-end; instead for Samba4 AD use 'ad' back-end, as showed in the previous example. | - The choice domain back-end depends of who provide the domain. If you have MSAD without "Services for Unix (SFU)", you should use 'rid' back-end; instead for Samba4 AD use 'ad' back-end, as showed in the previous example. | ||
| - The parameter values of "idmap config *:range" can't not contained in "idmap config SHORTDOMAINNAME:range". | - The parameter values of "idmap config *:range" can't not contained in "idmap config SHORTDOMAINNAME:range". | ||
| - | - In case that you have a big database, last number in the interval in "idmap config SHORTDOMAINNAME:range =" should be a big number, because some user are not detected by Samba. | + | - In case that you have a big database, last number in the interval in "idmap config SHORTDOMAINNAME:range =" should be a big number, because some users are not detected by Samba. |
| - The 'dedicated keytab file = /etc/krb5.keytab' & 'kerberos method = secrets and keytab' lines will create the keytab when the machine joins the domain and set samba to use it, 'winbind refresh tickets = Yes' tells winbind to ensure that the keytab is kept updated. | - The 'dedicated keytab file = /etc/krb5.keytab' & 'kerberos method = secrets and keytab' lines will create the keytab when the machine joins the domain and set samba to use it, 'winbind refresh tickets = Yes' tells winbind to ensure that the keytab is kept updated. | ||
| Line 174: | Line 184: | ||
| ---- | ---- | ||
| - | To have your domain users and groups available on your member server, you have to place two links in your /lib (/lib64 for amd64) folder: | + | To enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path. |
| - | **For i386:** | + | To determine the operating system's platform: |
| + | |||
| + | <code> | ||
| + | # uname -i | ||
| + | </code> | ||
| + | |||
| + | The 'libnss_winbind.so.2' library is installed in the Samba library directory set at compile time. To locate the folder: | ||
| + | |||
| + | <code> | ||
| + | # smbd -b | grep LIBDIR | ||
| + | LIBDIR: /usr/local/samba/lib/ | ||
| + | </code> | ||
| + | |||
| + | **For amd64 (x86_64):** | ||
| <code> | <code> | ||
| - | # ln -s /usr/local/samba/lib/libnss_winbind.so /lib | + | # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/ |
| - | # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 | + | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so |
| # ldconfig | # ldconfig | ||
| </code> | </code> | ||
| - | **For amd64:** | + | **For i386:** |
| <code> | <code> | ||
| - | # ln -s /usr/local/samba/lib/libnss_winbind.so /lib64 | + | # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/ |
| - | # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2 | + | # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so |
| # ldconfig | # ldconfig | ||
| </code> | </code> | ||
| - | //**For Samba4 Sernet: (you should not have to do the following normally, if not work try:)**// | + | //**For Samba4 Sernet or repository distro installation: (you should not have to do the following normally, if not work try:)**// |
| + | |||
| + | **For amd64(x86_64):** | ||
| + | |||
| + | You must have linked '/lib/x86_64-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked: | ||
| - | **For i386:** | ||
| <code> | <code> | ||
| - | # ln -s /lib/i386-linux-gnu/libnss_winbind.so /lib | + | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so |
| - | # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 | + | |
| # ldconfig | # ldconfig | ||
| </code> | </code> | ||
| - | **For amd64:** | + | **For i386:** |
| + | |||
| + | You must have linked '/lib/i386-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked: | ||
| <code> | <code> | ||
| - | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so /lib64 | + | # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so |
| - | # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2 | + | |
| # ldconfig | # ldconfig | ||
| </code> | </code> | ||
| Line 220: | Line 247: | ||
| ===== Starting the daemons ===== | ===== Starting the daemons ===== | ||
| ---- | ---- | ||
| - | |||
| - | Before start Samba | ||
| Once you have finished the above steps, you must start the following services: | Once you have finished the above steps, you must start the following services: | ||
| Line 284: | Line 309: | ||
| + | ===== Verifying the File Server ===== | ||
| + | ---- | ||
| + | |||
| + | To list all shares provided by the Samba File Server: | ||
| + | |||
| + | <code> | ||
| + | # smbclient -L localhost -U% | ||
| + | </code> | ||
| + | |||
| + | To verify authentication, connect to the "Demo" share using the domain administrator account: | ||
| + | |||
| + | <code> | ||
| + | # smbclient //localhost/Demo -UAdministrator -c 'ls' | ||
| + | </code> | ||
| + | ===== Try out some net commands to see if Samba can communicate with AD: ===== | ||
| + | ---- | ||
| + | |||
| + | <code> | ||
| + | # net ads info | ||
| + | # net ads lookup | ||
| + | # net ads status -U administrator | less | ||
| + | </code> | ||
| ===== Leaving domain ===== | ===== Leaving domain ===== | ||
| ---- | ---- | ||
samba4_as_domain_member.1495816191.txt.gz · Last modified: 2020/04/10 17:38 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
