[NTLUG:Discuss] Samba server + AD domain

Chris Cox cjcox at acm.org
Thu May 3 11:00:21 CDT 2007


Daniel wrote:
> I'm wondering what I'm missing.  What's more, this has got to be a fairly 
> common implementation and I'm surprised I haven't found any specific 
> examples on the subject.  (Perhaps I am searching the wrong terms?)  I know 
> this can be done.  Just don't know why it's not working exactly.  (I 
> suspect something to do with LDAP but I haven't read much on configuring or 
> setting it up)

So:

net ads testjoin

says that it is joined?

# net ads testjoin
Join is OK


Are your referencing winbind in your /etc/nsswitch.conf??

e.g.

passwd:     files winbind
group:      files winbind

Does your
smb.conf spell out which ids (numeric ranges) will be used for dynamic
user creation for the AD users?

e.g.
        idmap uid = 10000-20000
        idmap gid = 10000-20000


There are a lot of variables.  There are ways of doing default
mapping of Linux ids to AD ids... etc.  Really depends
on what you want to do.  The Samba team's recommended
deployment is that the Linux Samba box is a total
extension of the AD domain... so no "real" ids on the
Linux box, only the dynamic created ids derived from
the AD infrastructure.  And yes, you can have those
ids log into the box and get a shell... and then we
can talk about the myriad of differences surrounding
AD permissions and POSIX (draft) ACLs implemented
in MOST filesystems in Linux (and again... things
start getting complicated.... basically if Windows
starts to take ownership of the ACLs you DON'T
want to modify permissions and such from the Linux
side)... etc... etc...

SUSE currently has probably the most advanced out-of-the-box
implementation and ease of use when joining to an AD domain.
So the idea that this is all "easy to setup"... no it isn't,
BUT for a simple known scenario SUSE does make things pretty
easy (can get setup in seconds).  But you know... I don't
think I've ever seen people that were satisfied with ONE
supplied scenario (actually SUSE handles a few well known
scenarios... but still... there's just too many variables).
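The three checks Chris walks through above (is the box joined, does nsswitch.conf consult winbind for passwd and group, and does smb.conf reserve numeric id ranges for the dynamically created AD users) collected into one POSIX shell checklist. This is an added example, not code from the original thread or from the Samba project: the function names and the `--run` flag are my own, each function takes an optional path or command so it can be exercised against constructed sample files offline, and the `idmap config * : range` form it also accepts is the newer Samba spelling of the same idmap setting the post shows as `idmap uid` / `idmap gid`.

```shell
#!/bin/sh
# Added example, not from the original thread: a checklist that tests the three
# things Chris asks about. Each check is a function taking an optional path (or
# command) so it can be run against constructed sample files as well as a live box.

# 1. Is the machine joined? Wraps `net ads testjoin` and accepts only "Join is OK".
#    $1 (assumed, optional): alternative command, used to exercise the check offline.
check_join() {
    out=$(${1:-net ads testjoin} 2>&1)
    case "$out" in
        *"Join is OK"*) echo "join: OK"; return 0 ;;
        *)              echo "join: NOT joined ($out)"; return 1 ;;
    esac
}

# 2. Does nsswitch.conf consult winbind for both the passwd and group databases?
#    Without this, AD users can authenticate over SMB but never resolve to a
#    local account for getpwnam(), ls -l, or a login shell.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    rc=0
    for db in passwd group; do
        if grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$f"; then
            echo "nsswitch: $db -> winbind"
        else
            echo "nsswitch: $db does not list winbind"
            rc=1
        fi
    done
    return $rc
}

# 3. Does smb.conf reserve numeric id ranges for dynamically created AD users?
#    Accepts the post's "idmap uid/gid = low-high" form and the newer
#    "idmap config * : range = low-high" form, which covers both uid and gid.
check_idmap() {
    f=${1:-/etc/samba/smb.conf}
    rc=0
    for key in uid gid; do
        if grep -Eq "^[[:space:]]*idmap $key[[:space:]]*=[[:space:]]*[0-9]+[[:space:]]*-[[:space:]]*[0-9]+" "$f" ||
           grep -Eq "^[[:space:]]*idmap config \* *: *range[[:space:]]*=[[:space:]]*[0-9]+[[:space:]]*-[[:space:]]*[0-9]+" "$f"; then
            echo "idmap: $key range present"
        else
            echo "idmap: no $key range in $f"
            rc=1
        fi
    done
    return $rc
}

# Run all three against the live system with: sh ad-join-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_join; check_nsswitch; check_idmap
fi
```

Each function exits non-zero on failure, so the script can sit in a config-management post-join hook. Note that the nsswitch check deliberately matches only the `passwd:` database name; a line spelled `password:` is silently ignored by glibc, which is exactly the kind of quiet misconfiguration that makes "it's joined but users don't resolve" hard to diagnose.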
