Daniel Müller
2014-Jul-22 13:03 UTC
[Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
Dear all,

I try to setup a samba 4 member server on centos 6.5. The wikis and howtos I have found are very confusing.
Which is the right way to do this. So winbind can map the domain users and groups.
What I have done yet is,
Set up Kerberos working and can contact my ADS-kerberos Servers:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TPLK.LOC

Valid starting     Expires            Service principal
07/22/14 12:34:21  07/22/14 22:34:21  krbtgt/TPLK.LOC@TPLK.LOC
        renew until 07/29/14 12:34:18

Installed samba4.1.9 from gz without any provision.
Set winbind right : ldconfig -v |grep winbind
ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-431.20.3.el6.x86_64.conf:6: duplicate hwcap 1 nosegneg
        libnss_winbind.so -> libnss_winbind.so.2
        libnss_winbind.so -> libnss_winbind.so.2

set /etc/nsswitch.conf
to:
passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns

Do I have to provision the samba4 server in any way to establish a /usr/local/samba/etc/smb.conf?
Or do I make smb.conf by hand?
Do I have to start winbind in server protocols in [global]!?
What is the way to join right to the samba4 ads domain?

Greetings
Daniel

EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
Rowland Penny
2014-Jul-22 13:19 UTC
[Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
On 22/07/14 14:03, Daniel Müller wrote:
> Dear all,
>
> I try to setup a samba 4 member server on centos 6.5. The wikis and howtos I
> have found are very confusing.
> Which is the right way to do this. So winbind can map the domain users and
> groups.
> What I have done yet is,
> Set up Kerberos working and can contact my ADS-kerberos Servers:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@TPLK.LOC
>
> Valid starting     Expires            Service principal
> 07/22/14 12:34:21  07/22/14 22:34:21  krbtgt/TPLK.LOC@TPLK.LOC
>         renew until 07/29/14 12:34:18
>
> Installed samba4.1.9 from gz without any provision.
> Set winbind right : ldconfig -v |grep winbind
> ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-431.20.3.el6.x86_64.conf:6:
> duplicate hwcap 1 nosegneg
>         libnss_winbind.so -> libnss_winbind.so.2
>         libnss_winbind.so -> libnss_winbind.so.2
>
> set /etc/nsswitch.conf
> to:
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> hosts:      files dns
>
> Do I have to provision the samba4 server in any way to establish a
> /usr/local/samba/etc/smb.conf?

No, you do not provision.

> Or do I make smb.conf by hand?

Yes, you will have to create your smb.conf, this is usually where the problems start, easiest way is to use RFC2307 attributes and the ad backend, but you could use the rid backend or some other backend that virtually few people use.

> Do I have to start winbind in server protocols in [global]!?

winbind is a daemon just like smbd, so you need to start it just like smbd, but I think that you mean 'do I have to add winbind lines to the global part of smb.conf', if so, then yes if you want to use winbind.

> What is the way to join right to the samba4 ads domain?

I normally just use the 'net' command:

    net ads join -U Administrator@EXAMPLE.COM

Rowland

>
> Greetings
> Daniel
>
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
Marc Muehlfeld
2014-Jul-22 17:27 UTC
[Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
Hello Daniel,

On 22.07.2014 15:03, Daniel Müller wrote:
> I try to setup a samba 4 member server on centos 6.5. The wikis and howtos I
> have found are very confusing.

Did you follow https://wiki.samba.org/index.php/Join_a_domain_as_a_DC ?

This explains everything that is needed. But it currently describes the usage of RFC2307. If you don't have the Unix account stuff (UID, etc.) in your AD and don't want to manage it centrally, then you can choose a different backend like RID.

If this was the HowTo confusing you, then let me know what should be explained better and I'll try to improve the documentation. :-)

About your other questions, I saw Rowland already helping.

Regards,
Marc
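
As an added example, not part of any post in this thread and not taken from the Samba wiki: a hand-written member-server smb.conf using the ad backend with RFC2307 attributes that the replies recommend, with the rid alternative commented out. Only the realm TPLK.LOC and the file path come from the thread; the NetBIOS domain name TPLK and all ID ranges are assumptions.

```ini
# /usr/local/samba/etc/smb.conf on the member server (constructed example).
# No provisioning is involved; this file is written by hand before the join.

[global]
    # Member of an AD domain: authenticate via Kerberos against the DCs.
    security = ads
    realm = TPLK.LOC
    # Assumption: NetBIOS domain name. The thread only gives the realm.
    workgroup = TPLK

    # Default mapping (*) for BUILTIN and other non-domain SIDs.
    # Assumed range; it must not overlap local /etc/passwd IDs
    # or the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    # Option A: ad backend, reading uidNumber/gidNumber (RFC2307) from AD.
    # Accounts without these attributes, or with IDs outside the range,
    # are not mapped and stay invisible to getent.
    idmap config TPLK : backend = ad
    idmap config TPLK : schema_mode = rfc2307
    idmap config TPLK : range = 10000-99999
    winbind nss info = rfc2307

    # Option B: rid backend, for an AD without Unix attributes.
    # IDs are derived from the RID, so no per-user data is needed in AD.
    # Use instead of Option A, never both for the same domain.
    # idmap config TPLK : backend = rid
    # idmap config TPLK : range = 10000-99999
    # template shell = /bin/bash
    # template homedir = /home/%U
```

With this file in place, run the `net ads join` shown in Rowland's reply, then start winbindd alongside smbd. `wbinfo -u` and `getent passwd` should then list domain accounts through the winbind entries already set in /etc/nsswitch.conf.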