[NTLUG:Discuss] Samba server + AD domain

. Daniel xdesign at hotmail.com
Thu May 3 14:34:49 CDT 2007





>. Daniel wrote:
> > I'm wondering what I'm missing.  What's more, this has got to be a fairly
> > common implementation and I'm surprised I haven't found any specific
> > examples on the subject.  (Perhaps I am searching the wrong terms?)  I know
> > this can be done.  Just don't know why it's not working exactly.  (I
> > suspect something to do with LDAP but I haven't read much on configuring or
> > setting it up)
>
>So:
>
>net ads testjoin
>
>says that it is joined?
>
># net ads testjoin
>Join is OK
>
Yes, I got that.

>
>Are your referencing winbind in your /etc/nsswitch.conf??
>
>e.g.
>
>password:   files winbind
>group:      files winbind
>
Got that too.

>Does your
>smb.conf spell out which ids (numeric ranges) will be used for dynamic
>user creation for the AD users?
>
>e.g.
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>
Here's the main part of my smb.conf:
------------------------------------
[global]
	log file = /var/log/samba/%m.log
	idmap gid = 16777216-33554431
	map acl inherit = yes
	username map = /etc/samba/user.map
	encrypt passwords = yes
	winbind trusted domains only = no
	realm = ADOMAIN.COM
	winbind use default domain = true
	nt acl support = yes
	dns proxy = no
	netbios name = LINUX
	cups options = raw
	writeable = yes
	server string = Samba Server
	winbind enum users = yes
	idmap uid = 16777216-33554431
	password server = adcentral
	workgroup = ADOMAIN
	os level = 20
	winbind enum groups = yes
	auto services = html
	valid users = administrator,ADOMAIN\administrator,@ADOMAIN\administrators,@ADOMAIN\users
	security = ads
	max log size = 50
#	ldap idmap suffix = ou=Idmap
#	idmap backend = ldap:ldap://adcentral
#	ldap admin dn = cn=administrator,dc=adomain,dc=com
#	ldap suffix = dc=huckabee-inc,dc=com
#	ldap machine suffix = ou=Computers
#	ldap user suffix = ou=Users
#	ldap group suffix = ou=Groups

Yes, I was attempting to play with ldap too thinking that might be the 
problem... no dice... couldn't even figure out what to do exactly.

>
>There are a lot of variables.  There are ways of doing default
>mapping of Linux ids to AD ids... etc.  Really depends
>on what you want to do.  The Samba team's recommended
>deployment is that the Linux Samba box is a total
>extension of the AD domain... so no "real" ids on the
>Linux box, only the dynamic created ids derived from
>the AD infrastructure.  And yes, you can have those
>ids log into the box and get a shell... and then we
>can talk about the myriad of differences surrounding
>AD permissions and POSIX (draft) ACLs implemented
>in MOST filesystems in Linux (and again... things
>start getting complicated.... basically if Windows
>starts to take ownership of the ACLs you DON'T
>want to modify permissions and such from the Linux
>side)... etc... etc...
>
>SUSE currently has probably the most advanced out-of-the-box
>implementation and ease of use when joining to an AD domain.
>So the idea that this is all "easy to setup"... no it isn't,
>BUT for a simple known scenario SUSE does make things pretty
>easy (can get setup in seconds).  But you know... I don't
>think I've ever seen people that were satisfied with ONE
>supplied scenario (actually SUSE handles a few well known
>scenarios... but still... there's just too many variables).
>

Basically, this server will be an intranet server.  It will run Apache and 
PHP and MySQL.  The files access, however, will be just another drive 
letter to these people.  And I don't want to go about setting up user 
accounts and passwords when, from what I have heard, ADS can work to do the 
same stuff.  So I'd like to be able to just manage user rights from a 
windows machine, granting and removing permissions or whatever.  And I 
especially don't want people coming to me every time they change their 
password.

I hope I am making and keeping this simple enough.  We only have one 
domain.  A single domain controller, a single backup controller, and a few 
other servers laying around.  We have a relatively small pool of users. 
(less than 100)  I just wonder what mechanism lets me log into the Linux 
box as "domain administrator" to assign permissions allowing other users 
access to what they need.

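As an added example (not from this thread): a small POSIX shell check that reads a copy of smb.conf and nsswitch.conf and reports whether the settings the reply asks about (security = ads, a realm, idmap uid/gid ranges, winbind on the passwd and group lines) are actually present. The function names, file paths and sample files are my own assumptions; it is a static sanity check and does not replace the live `net ads testjoin` and `wbinfo` checks.

```shell
#!/bin/sh
# Added example, not from the thread: a static check of the two files the
# reply asks about (smb.conf and nsswitch.conf) before trusting winbind.
# File paths are parameters so it can be run against constructed copies.

# Normalise smb.conf: drop comments, surrounding blanks and spaces around "=".
smb_settings() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Usage: check_ad_config SMB_CONF NSSWITCH_CONF ; status 0 only if all pass.
check_ad_config() {
    smb="$1"; nss="$2"; rc=0
    conf=$(smb_settings "$smb")
    # Each spec is "regexp on a normalised line|what a passing line means".
    # "idmap uid/gid" is the 2007-era syntax the thread's smb.conf uses;
    # current Samba expresses the same range as "idmap config * : range".
    for spec in \
        '^security=ads$|security = ads (AD member server)' \
        '^realm=[A-Za-z0-9.-]+$|realm = <AD Kerberos realm>' \
        '^idmap uid=[0-9]+-[0-9]+$|idmap uid = <low>-<high>' \
        '^idmap gid=[0-9]+-[0-9]+$|idmap gid = <low>-<high>'; do
        re=${spec%%|*}; label=${spec#*|}
        if printf '%s\n' "$conf" | grep -qiE "$re"; then
            echo "ok:   $label"
        else
            echo "FAIL: missing or malformed: $label"; rc=1
        fi
    done
    # The mapped ids must not collide with local accounts in /etc/passwd.
    low=$(printf '%s\n' "$conf" | sed -n 's/^idmap uid=\([0-9]*\)-.*/\1/p' | head -n 1)
    if [ -n "$low" ] && [ "$low" -lt 1000 ]; then
        echo "FAIL: idmap uid range starts below 1000, overlaps local users"; rc=1
    fi
    # nsswitch.conf keys are "passwd" and "group"; both must list winbind so
    # getent resolves AD users and groups to the dynamically created ids.
    for db in passwd group; do
        if grep -qE "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$nss"; then
            echo "ok:   $db: lists winbind"
        else
            echo "FAIL: $db: line in $nss does not list winbind"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: check_ad.sh /etc/samba/smb.conf /etc/nsswitch.conf
if [ "$#" -eq 2 ]; then check_ad_config "$1" "$2"; fi
```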