This shows you the differences between two versions of the page.
samba4_as_domain_member [2017/05/26 16:43] cbustillo@uclv [Setting up a basic smb.conf] |
samba4_as_domain_member [2020/04/10 17:38] (current) |
||
---|---|---|---|
Line 135: | Line 135: | ||
# Use template settings for login shell and home directory | # Use template settings for login shell and home directory | ||
- | winbind nss info = template | + | winbind nss info = rfc2307 |
template shell = /bin/bash | template shell = /bin/bash | ||
template homedir = /home/%D/%U | template homedir = /home/%D/%U | ||
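Review bot: The comment above the changed line still reads 'Use template settings for login shell and home directory', but the value is now 'winbind nss info = rfc2307', so the comment no longer describes the setting. Suggest rewording the comment to say that the login shell and home directory are read from the rfc2307 attributes in AD, and stating what the remaining 'template shell' and 'template homedir' lines are for in this mode.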
Line 155: | Line 155: | ||
This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range. | This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range. | ||
- | **NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber change line 'idmap config REDTIC:backend = ad' to 'idmap config REDTIC:backend = rid' and line 'winbind nss info = rfc2307' to 'winbind nss info = template'. Also comment the line: 'idmap config REDTIC:schema_mode = rfc2307' | + | **NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber: |
+ | * Change line 'idmap config REDTIC:backend = ad' to 'idmap config REDTIC:backend = rid'. | ||
+ | * Change line 'winbind nss info = rfc2307' to 'winbind nss info = template'. | ||
+ | * Comment out the line: 'idmap config REDTIC:schema_mode = rfc2307' | ||
For further explanation on the 'smb.conf' parameters, see the manpage: | For further explanation on the 'smb.conf' parameters, see the manpage: | ||
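Review bot: The new bullets quote the domain name 'REDTIC' literally in 'idmap config REDTIC:backend' and 'idmap config REDTIC:schema_mode' without telling the reader to substitute their own domain; add a short remark to that effect. While splitting the note into a list, also fix the carried-over "If yours users/groups" and end the third bullet with a period like the first two.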
Line 181: | Line 184: | ||
---- | ---- | ||
- | To have your domain users and groups available on your member server, you have to place two links in your /lib (/lib64 for amd64) folder: | + | To enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path. |
+ | |||
+ | To determine the operating system's platform: | ||
- | **For i386:** | ||
<code> | <code> | ||
- | # ln -s /usr/local/samba/lib/libnss_winbind.so /lib | + | # uname -i |
- | # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 | + | </code> |
+ | |||
+ | The 'libnss_winbind.so.2' library is installed in the Samba library directory set at compile time. To locate the folder: | ||
+ | |||
+ | <code> | ||
+ | # smbd -b | grep LIBDIR | ||
+ | LIBDIR: /usr/local/samba/lib/ | ||
+ | </code> | ||
+ | |||
+ | **For amd64 (x86_64):** | ||
+ | <code> | ||
+ | # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/ | ||
+ | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so | ||
# ldconfig | # ldconfig | ||
</code> | </code> | ||
- | **For amd64:** | + | **For i386:** |
<code> | <code> | ||
- | # ln -s /usr/local/samba/lib/libnss_winbind.so /lib64 | + | # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/ |
- | # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2 | + | # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so |
# ldconfig | # ldconfig | ||
</code> | </code> | ||
- | //**For Samba4 Sernet: (you should not have to do the following normally, if not work try:)**// | + | //**For Samba4 Sernet or repository distro installation: (you should not have to do the following normally, if not work try:)**// |
+ | |||
+ | **For amd64(x86_64):** | ||
+ | |||
+ | You must have linked '/lib/x86_64-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked: | ||
- | **For i386:** | ||
<code> | <code> | ||
- | # ln -s /lib/i386-linux-gnu/libnss_winbind.so /lib | + | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so |
- | # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 | + | |
# ldconfig | # ldconfig | ||
</code> | </code> | ||
- | **For amd64:** | + | **For i386:** |
+ | |||
+ | You must have linked '/lib/i386-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked: | ||
<code> | <code> | ||
- | # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so /lib64 | + | # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so |
- | # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2 | + | |
# ldconfig | # ldconfig | ||
</code> | </code> | ||
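Review bot: The platform check '# uname -i' is not portable and prints "unknown" on many distributions, so the reader cannot pick between the amd64 and i386 blocks from it; 'uname -m' is the safer choice. The new introduction speaks of "a directory of the operating system's library path", yet every target is a Debian-style multiarch directory ('/lib/x86_64-linux-gnu/', '/lib/i386-linux-gnu/') and the '/lib64' variant from the old revision is gone, so either name the distributions these paths apply to or show how to find the right directory. In the Sernet section, "To linked:" should read "To create the link:", and the 'ln -s' lines will fail if the link already exists, which that section itself says is the normal case.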
Line 227: | Line 247: | ||
===== Starting the daemons ===== | ===== Starting the daemons ===== | ||
---- | ---- | ||
- | |||
- | Before start Samba | ||
Once you have finished the above steps, you must start the following services: | Once you have finished the above steps, you must start the following services: | ||
Line 291: | Line 309: | ||
+ | ===== Verifying the File Server ===== | ||
+ | ---- | ||
+ | |||
+ | To list all shares provided by the Samba File Server: | ||
+ | |||
+ | <code> | ||
+ | # smbclient -L localhost -U% | ||
+ | </code> | ||
+ | |||
+ | To verify authentication, connect to the "Demo" share using the domain administrator account: | ||
+ | |||
+ | <code> | ||
+ | # smbclient //localhost/Demo -UAdministrator -c 'ls' | ||
+ | </code> | ||
+ | ===== Try out some net commands to see if Samba can communicate with AD: ===== | ||
+ | ---- | ||
+ | |||
+ | <code> | ||
+ | # net ads info | ||
+ | # net ads lookup | ||
+ | # net ads status -U administrator | less | ||
+ | </code> | ||
===== Leaving domain ===== | ===== Leaving domain ===== | ||
---- | ---- |
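Review bot: The authentication check uses '-UAdministrator' while the status check uses '-U administrator'; pick one spelling and one option style for the account. The "Demo" share in 'smbclient //localhost/Demo' is not defined anywhere in this hunk, so point to where it is set up or say that the reader should substitute an existing share. The heading "Try out some net commands to see if Samba can communicate with AD:" is a full sentence with a trailing colon and follows the preceding '</code>' without a blank line, unlike "Verifying the File Server" and "Leaving domain"; a short title such as "Verifying communication with AD" would match the other headings.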