Alan Munter
2003-Oct-21 21:18 UTC
[Samba] comments/questions about HOWTO collection contents
I am trying to get Samba 3.0.0 going on a RedHat 9.0 machine to join my Win 2003 ADS domain and use winbind for authentication, and I am running into snags getting shares, local login permissions, and PAM to work consistently. I am trying to follow the instructions in chapter 7 (mostly 7.4) and chapter 21 and am finding some confusing things.

In 7.4.1 the first line that must be in smb.conf is "realm = your.kerberos.REALM". Given all of the issues with case-sensitivity and kerberos realms, I am not sure if that means that I should use the FQDN of my AD domain, if it should be in all caps, or lowercase, or what. Does the case matter for that statement?

Next, in 7.6.3 it says that Windows 2003 requires SMB signing and gives the option "client use spnego = yes" to use. Well, I forgot to add this one before doing the "net ads join" stuff (since it was at the end of the chapter, way after the net ads commands, and I did not read the whole chapter first), and I was still able to join the domain and verify that it created a computer account for my Samba workstation. Not sure what the signing is used for. Maybe this is the result of the functional level of my AD domain?

Actually, I am also confused about functional levels. Microsoft, in the help pages for domain functional levels in Server 2003, lists 4 different domain functional levels and 3 different forest functional levels for the Windows 2003 Server. The 4 domain functional levels are: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The 3 forest functional levels are: Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The interim levels are related to upgrading from an NT4 to a 2003 domain, but the others are all selectable on the Win2003 DC. I have gotten various responses to questions about which of those functional levels is compatible with having Samba 3.0 join the domain as a full member. I think that section 7.6.3 should include that kind of info (or if it exists elsewhere in the docs and I am just an idiot for not finding it, I take the blame. 8) ).

Next, in 21.5.3.3 the uid and gid map lines given in the winbind config example look weird to me since the two of them are not consistent: one uses idmap and one uses winbind. In searching the lists I see some people using "idmap uid" and "idmap gid", some people using "winbind uid" and "winbind gid", and even others using "winbind idmap uid" and "winbind idmap gid". Which is it?

Next, in 21.5.3.4 the example does not seem to match the paragraph above it. The whole command confuses me. I thought the command would be something like

    root# net ads join -S PDC -U Administrator

not

    root# net rpc join...

Also, the paragraph says that the command makes the Samba server join the PDC domain. Seems like it should read "make the Samba server join the domain controlled by the server called PDC." It goes on to say "where DOMAIN is the name of your Windows domain," but DOMAIN is not used in the example. Anyway, I think I understand what it is trying to say, but it is still confusing.

Lastly, the last sentence of 21.5.3.6 says "If you restart the smbd, nmbd, and winbindd daemons at this point, you should be able to connect to the Samba server as a Domain Member just as if you were a local user." I am not sure how to test this. Does that mean that I should be able to go to some Windows machine that is part of the domain, log on with a domain account, browse to my Samba server, double-click, type my domain username/password, and access the server?

Basically, since I am new to this stuff, I am just adding options and taking them out randomly in some cases. For instance, the "winbind use default domain = yes" option in smb.conf (which I found out about through reading the list archives). This is not in the HOWTO collection anywhere, but it seems to make a big difference in how it all works. It stops the domain from being prepended to your users and groups. I briefly had the sshd setup working with winbindd in PAM, and before adding the "winbind use default domain" line I had to type "MYDOMAIN+username" to log in locally to the Linux machine. Not sure if that is how it is supposed to work or not.

OK. Too long already. The most valuable feedback for me from one of the samba.org addresses would probably be info about how much they charge per hour for configuration consulting (over the phone, email, or using a login to poke at the config files) if such is available. That would solve two of my problems: give something back to the creators of this amazing product and get my config up and humming in the shortest amount of time.

Thanks,
Alan

--
Alan E. Munter
Physical Scientist
NIST Center for Neutron Research
100 Bureau Dr., Stop 8562
Gaithersburg, MD 20899-8562
alan.munter@nist.gov
http://www.ncnr.nist.gov/
(301)975-6244
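As an added illustration (not from the HOWTO collection and not part of the message above), here is a minimal Samba 3.0 smb.conf for an ADS domain member using winbind that pulls together the parameters the message asks about: the realm is the Kerberos realm and is case-sensitive (upper case), "idmap uid"/"idmap gid" are the 3.0 parameter names ("winbind uid"/"winbind gid" are the older 2.2 names kept as synonyms), and "winbind use default domain" controls the "MYDOMAIN+username" prefix. MYDOMAIN, MYDOMAIN.EXAMPLE.COM and the id ranges are placeholder values chosen for this example.

```ini
# /etc/samba/smb.conf (constructed example; domain names and id ranges are placeholders)
# smb.conf comments must be on their own line: anything after "=" is part of the value.
[global]
   # NetBIOS (pre-Windows 2000) domain name
   workgroup = MYDOMAIN
   # Kerberos realm: case-sensitive, upper case, and it must match default_realm in /etc/krb5.conf
   realm = MYDOMAIN.EXAMPLE.COM
   # authenticate against Active Directory rather than an NT4-style domain
   security = ads
   encrypt passwords = yes
   # "*" lets Samba locate domain controllers through DNS SRV lookups
   password server = *
   # Kerberos/SPNEGO session setup (already the default in Samba 3.0)
   client use spnego = yes

   # Samba 3.0 names; "winbind uid" / "winbind gid" are accepted synonyms from 2.2
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # yes: users appear as "username"; no: users appear as "MYDOMAIN+username"
   winbind use default domain = yes
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   # shell and home directory handed out for domain users (%D = domain, %U = user)
   template shell = /bin/bash
   template homedir = /home/%D/%U

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Verification after "net ads join -U Administrator":
#   wbinfo -t        checks the machine trust account secret against the DC
#   wbinfo -u        lists domain users through winbindd
#   getent passwd    shows domain users once nsswitch.conf has "passwd: files winbind"
```

With "winbind use default domain = yes", the PAM and sshd logins described in the message accept the bare username; with it set to no, the "MYDOMAIN+username" form is required.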