Hello all,

I have the latest CentOS, which should be integrated into a Win 2012 Active Directory domain.
I have authentication running: an AD user can log in via ssh, and getent and id are working.
But I'm not able to get the Samba shares running with AD.

    [sfu-erp]
    comment = Mandant
    path = /share
    # ; valid users = @"RZ-DOMAIN\linuxtest" @"RZ-DOMAIN\linuxtest"
    valid users = DOMAIN
    # valid users = @"RZ-DOMAIN+domänen-benutzer"
    # valid users = @"RZ-DOMAIN"
    #valid users = %S, RDOMAIN\%S
    #valid users = @DOMAIN
    #valid users = linuxtest
    # force user = fuhste
    # guest ok = yes
    # force group = @"RZ-DOMAIN+domänen-benutzer"
    # force group = @"RZ-ODOMAIN"
    # ; force group = domänen-benutzer
    force create mode = 0660
    force directory mode = 0770
    readonly = no
    writeable = yes

As you can see, I tried a lot with valid users, with no success.
I have been trying for some days now, but I'm not able to get it running.

Need more information? Can someone help?

TIA
Stefan

----- Original Message -----
> From: "Stefan Fuhrmann" <stefan at fuhrmann.homedns.org>
> To: "centos" <centos at centos.org>
> Sent: Thursday 7 April 2016 16:13:26
> Subject: [CentOS] centos samba sssd active directory

> Hello all,
> I have the latest CentOS, which should be integrated into a Win 2012 Active
> Directory domain.
> I have authentication running: an AD user can log in via ssh, and getent and id
> are working.
> But I'm not able to get the Samba shares running with AD.

To make Samba work with SSSD, I had to do some tuning in smb.conf:

    security = ads
    workgroup = MYDOMAIN
    realm = MYDOMAIN.TLD
    encrypt passwords = yes
    passdb backend = tdbsam
    kerberos method = secrets and keytab
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind refresh tickets = yes

To use the "valid users" directive, I have to deal with the AD SIDs. You can get them by running:

    $ wbinfo --name-to-sid ad_user
    $ wbinfo --name-to-sid ad_group

The RID idmap backend doesn't work as expected. So I use the NSS backend:

    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : range = 10000-99999
    idmap config * : backend = tdb
    idmap config * : range = 100000-999999

And in /etc/nsswitch.conf:

    passwd: files sss
    shadow: files sss
    group: files sss

Hope this helps.

Sylvain.

Think of the ENVIRONMENT: print only if necessary

Hello Sylvain,

On Thursday 07 April 2016, 17:16:55, Sylvain CANOINE wrote:
> ----- Original Message -----
> ....
>
> Hope this helps.

... yes! The other issue I had was on the filesystem level, because I had to

    chown -R linuxtest:domainusergroup /share

Thanks for your help!

Stefan

Hello all,

with the great help of Sumit Bose from the sssd mailing list the issue is solved:

"ah, can you try to add 'use_fully_qualified_names = True' to the [domain/...] section of sssd.conf, restart SSSD and try again? Now 'wbinfo -s ....' (lower-case s) should return a result as well."

That did the trick!!

Stefan
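
Added example, not part of the thread or of the Samba/SSSD projects: a Python check that the settings the posters reported as necessary (security = ads, the nss idmap backend, sss in nsswitch.conf, SIDs in "valid users", use_fully_qualified_names in sssd.conf) are all present. The function names, the sample files, MYDOMAIN and the SID are constructed placeholders, and the checks reflect only what this thread reports, not general Samba requirements.

```python
import re

def parse_ini(text):
    """Parse smb.conf/sssd.conf text; names lower-cased, whitespace dropped as Samba does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def check(smb_text, nsswitch_text, sssd_text, domain):
    """Return findings; an empty list means every setting named in the thread is present."""
    findings, smb = [], parse_ini(smb_text)
    wanted = {"security": "ads", f"idmap config {domain} : backend": "nss"}
    for name, value in wanted.items():
        key = re.sub(r"\s+", "", name).lower()
        if smb.get("global", {}).get(key, "").lower() != value:
            findings.append(f"smb.conf [global]: '{name}' is not '{value}'")
    for share, params in smb.items():
        for entry in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', params.get("validusers", "")):
            if not entry.lstrip("@+&").strip('"').upper().startswith("S-1-"):
                findings.append(f"smb.conf [{share}]: valid users entry {entry} is not a SID")
    for db in ("passwd", "group"):
        match = re.search(rf"^{db}:(.*)$", nsswitch_text, re.M)
        if not match or "sss" not in match.group(1).split():
            findings.append(f"nsswitch.conf: {db} does not list sss")
    domains = [p for s, p in parse_ini(sssd_text).items() if s.startswith("domain/")]
    if not any(p.get("use_fully_qualified_names", "").lower() == "true" for p in domains):
        findings.append("sssd.conf: no [domain/...] sets use_fully_qualified_names = True")
    return findings

# Constructed sample files: MYDOMAIN and the SID are placeholders, not real values.
SMB = """[global]
    security = ads
    idmap config MYDOMAIN : backend = nss
[share]
    valid users = S-1-5-21-1111-2222-3333-1105
"""
NSS = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"
SSSD = "[domain/mydomain.tld]\nuse_fully_qualified_names = True\n"
if __name__ == "__main__":
    print(check(SMB, NSS, SSSD, "MYDOMAIN") or "all settings from the thread are present")
```

To run it against a real host, pass the contents of /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/sssd/sssd.conf (paths assumed to be the distribution defaults) together with the workgroup name.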