> OK, try this smb.conf, don't add anything else until you have getent working:
>
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config * : range = 1000000-2000000
> idmap config * : backend = tdb
> idmap config DOMAIN : range = 1000-2000
> idmap config DOMAIN : backend = rid
> winbind nss info = template
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> username map = /etc/samba/users.map
> template homedir = /data/users/%U
> template shell = /bin/bash
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> The above should work against an AD DC
>
> Your users.map should be:
>
> !root = DOMAIN\Administrator DOMAIN\administrator
>
> Rowland

Thanks, Rowland. I've gotten it working for the most part. There are some permissions issues with vfs recycle, but I'll have to work those out later.

Just to satisfy my curiosity more than anything, I'd like to clarify a few things.

1. What is the benefit of using 'secrets and keytab'? All of my other member servers seem to function OK with the default 'secrets only'.

2. What does the syntax of the users.map file that you have presented mean, or maybe it would be better stated as what does it do? That is nothing at all like the mapping files I have used for the past 12 years. I have seen this before, but have never seen an explanation of it.

3. Some time back, you mentioned the name of the file in Debian that listed the default mount options. Would you please state it again? I can't seem to locate that particular email in the archives.

Thanks again,
Dale
On 12/11/15 20:31, Dale Schroeder wrote:
> OK, try this smb.conf, don't add anything else until you have getent
> working:
>>
>> [global]
>> workgroup = DOMAIN
>> security = ADS
>> realm = DOMAIN.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> idmap config * : range = 1000000-2000000
>> idmap config * : backend = tdb
>> idmap config DOMAIN : range = 1000-2000
>> idmap config DOMAIN : backend = rid
>> winbind nss info = template
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>> username map = /etc/samba/users.map
>> template homedir = /data/users/%U
>> template shell = /bin/bash
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> The above should work against an AD DC
>>
>> Your users.map should be:
>>
>> !root = DOMAIN\Administrator DOMAIN\administrator
>>
>> Rowland
>>
> Thanks, Rowland. I've gotten it working for the most part. There are
> some permissions issues with vfs recycle, but I'll have to work those
> out later.
>
> Just to satisfy my curiosity more than anything, I'd like to clarify a
> few things.
>
> 1. What is the benefit of using 'secrets and keytab'? All of my
> other member servers seem to function OK with the default 'secrets only'.

It tries to use the secrets.tdb first for kerberos verification and if it cannot do this, it uses the system keytab, bit of a belt & braces situation really.

> 2. What does the syntax of the users.map file that you have presented
> mean, or maybe it would be better stated as what does it do? That is
> nothing at all like the mapping files I have used for the past 12
> years. I have seen this before, but have never seen an explanation of it.

Fairly simple, it maps the windows domain Administrator to the local Unix 'root' user, you can then change file permissions on samba Unix shares from windows.

> 3. Some time back, you mentioned the name of the file in Debian that
> listed the default mount options. Would you please state it again? I
> can't seem to locate that particular email in the archives.

Well I would if I could, but what do you mean by 'default mount options'? autofs? cifs? ???

Rowland

> Thanks again,
> Dale
On Thu, 12 Nov 2015, Rowland Penny wrote:
>> 1. What is the benefit of using 'secrets and keytab'? All of my other
>> member servers seem to function OK with the default 'secrets only'.
>
> It tries to use the secrets.tdb first for kerberos verification and if it
> cannot do this, it uses the system keytab, bit of a belt & braces situation
> really.

I would think the only reason you need the keytab file is for compatibility with other apps on the system. kinit/klist, ssh, or any other type of local kerberos authentication you want to do may need access to the system keytab. Note that if system keytab isn't set when you do the join, samba won't create the /etc/krb5.keytab file.

BTW, dedicated keytab file = /etc/krb5.keytab is the default system keytab file, so there's no need to specifically set it other than to make your config file larger.
On 11/12/2015 2:59 PM, Rowland Penny wrote:
> On 12/11/15 20:31, Dale Schroeder wrote:
>> OK, try this smb.conf, don't add anything else until you have getent
>> working:
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> security = ADS
>>> realm = DOMAIN.COM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> idmap config * : range = 1000000-2000000
>>> idmap config * : backend = tdb
>>> idmap config DOMAIN : range = 1000-2000
>>> idmap config DOMAIN : backend = rid
>>> winbind nss info = template
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind refresh tickets = Yes
>>> winbind offline logon = Yes
>>> username map = /etc/samba/users.map
>>> template homedir = /data/users/%U
>>> template shell = /bin/bash
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> The above should work against an AD DC
>>>
>>> Your users.map should be:
>>>
>>> !root = DOMAIN\Administrator DOMAIN\administrator
>>>
>>> Rowland
>>>
>> Thanks, Rowland. I've gotten it working for the most part. There are
>> some permissions issues with vfs recycle, but I'll have to work those
>> out later.
>>
>> Just to satisfy my curiosity more than anything, I'd like to clarify
>> a few things.
>>
>> 1. What is the benefit of using 'secrets and keytab'? All of my
>> other member servers seem to function OK with the default 'secrets
>> only'.
>
> It tries to use the secrets.tdb first for kerberos verification and if
> it cannot do this, it uses the system keytab, bit of a belt & braces
> situation really.
>
>> 2. What does the syntax of the users.map file that you have
>> presented mean, or maybe it would be better stated as what does it
>> do? That is nothing at all like the mapping files I have used for
>> the past 12 years. I have seen this before, but have never seen an
>> explanation of it.
>
> Fairly simple, it maps the windows domain Administrator to the local
> Unix 'root' user, you can then change file permissions on samba Unix
> shares from windows.

Then ! is not being interpreted as "not", which is how I interpreted it. :-D To me, it looks like it's saying the users on the right side of the equal sign are "not root". Like I said, it's hard to wrap my head around the syntax. It looks like the inverse of what it actually is.

>> 3. Some time back, you mentioned the name of the file in Debian that
>> listed the default mount options. Would you please state it again?
>> I can't seem to locate that particular email in the archives.
>
> Well I would if I could, but what do you mean by 'default mount options'?
> autofs? cifs? ???

Actually, I was thinking of the ext4 defaults for mount options in fstab. At least, that's how I'm remembering it. Then again, my memory is not what it used to be. ;-)

Dale

> Rowland
>
>> Thanks again,
>> Dale
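The leading '!' that puzzles Dale above is not a negation: in smb.conf(5) a username map line starting with '!' means "if this line produced a mapping, stop processing the rest of the file", which matters when a wildcard line follows. The Python below is an added example, not part of this thread or of Samba's own code; it reimplements the core username map rules (comments, '!' stop lines, double-quoted names, the '*' wildcard and '@group' membership via a caller-supplied lookup) on a constructed map that pairs Rowland's line with a wildcard fallthrough, and it assumes case-insensitive name comparison.

```python
import shlex

# Constructed sample map: Rowland's line plus a wildcard line, so the
# effect of the leading '!' becomes visible.
SAMPLE_MAP = """\
# users.map: unixname = windowsname1 windowsname2 ...
!root = DOMAIN\\Administrator DOMAIN\\administrator
nobody = *
"""

def _split_names(rhs):
    """Split the right-hand side on whitespace, honouring double quotes
    (names containing spaces) but not treating backslash as an escape."""
    lex = shlex.shlex(rhs, posix=True)
    lex.whitespace_split = True
    lex.escape = ""        # keep DOMAIN\name intact
    lex.commenters = ""    # comments are only recognised at line start
    return list(lex)

def parse_username_map(text):
    """Return a list of (stop_after_match, unix_name, windows_names)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()      # '!' means stop, not negate
        unix_name, sep, rhs = line.partition("=")
        if not sep:
            continue                      # malformed line, ignored
        rules.append((stop, unix_name.strip(), _split_names(rhs)))
    return rules

def map_username(user, rules, groups_of=lambda name: set()):
    """Apply the rules in order. Each match rewrites the name; later lines
    are matched against the rewritten name unless the line had '!'."""
    name = user
    for stop, unix_name, patterns in rules:
        hit = any(
            p == "*"
            or (p.startswith("@") and p[1:] in groups_of(name))
            or p.lower() == name.lower()  # case-insensitive (assumption)
            for p in patterns
        )
        if hit:
            name = unix_name
            if stop:
                break
    return name
```

Dropping the '!' from the sample map makes Administrator fall through to the wildcard line and end up as nobody, which is exactly the case the stop marker exists for.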