You still need UNIX users and groups, but you don't need to create them
by hand; winbind can take care of that for you.
Other than the buzzword of ADS, there is not much different between ADS
and NT4 style auth (at least to the user; the protocols are different).
I'd look at the winbind chapter first.
-Tom
James McDonald wrote:
> I have read and followed
> http://samba.mirror.aarnet.edu.au/samba/docs/man/domain-member.html#ads-member
> regarding setting up a samba 3 box as an ADS Domain Member.
>
> But am unsure of how it is supposed to work in real life.
>
> Do you still need unix groups on the samba 3 machine to map to the ADS
> groups? I noticed some ldap idmap dn settings but am uncertain if this
> can work off the Win2k ADS or does it require a special schema.
>
> When I run smbclient -k //windows2000server/share from my samba 3 box it
> fails until I run kinit USER@MY.REALM is this correct?
>
> I suppose my understanding of the samba 3 ADS architecture is somewhat
> limited and reading the documentation helps though perhaps assumes a lot
> of givens so maybe I need to have a dialogue with someone who has 'been
> there done that' in relation to setting up a samba 3 box as a windows
> 2000 member server. If what I am providing is not correct please flame
> me till I get it right.... I would like to learn more about Samba's
> setup/configuration.
>
>
> My setup is as follows
>
> A Win2k DC Running in a VMWARE Session on a "Linux RH9 box running Samba
> Version CVS 3.1.0alpha1"
>
> my /etc/krb5.conf
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = JMCD.LOCAL
>
> [realms]
> JMCD.LOCAL = {
> kdc = dc1.jmcd.local:88
> admin_server = dc1.jmcd.local:749
> default_domain = jmcd.local
> }
>
> [domain_realm]
> .jmcd.local = JMCD.LOCAL
> jmcd.local = JMCD.LOCAL
>
>
> # /etc/smb.conf
>
> # Global parameters
> [global]
> workgroup = JMCD
> realm = JMCD.LOCAL
> security = ADS
> password server = dc1.jmcd.local:389
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> local master = No
> ldap ssl = no
> idmap backend = ldap:ldap://dc1.jmcd.local
> printing = cups
>
> [homes]
> valid users = %S
> read only = No
> browseable = No
>
> [printers]
> path = /tmp
> printable = Yes
> browseable = No
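As an added example (not from either poster), a small Python check that parses the [global] section James posted and flags the client-side settings the thread touches on: whether the box would still send LM or plaintext responses, and whether the LDAP idmap backend talks to the DC without TLS. Samba parameter names are case-insensitive and ignore whitespace, so the parser normalises them; the defaults used for absent parameters are an assumption (Samba 3-era defaults).

```python
import re

# [global] section as posted above, trimmed to the auth-relevant parameters.
POSTED_SMB_CONF = """[global]
realm = JMCD.LOCAL
security = ADS
password server = dc1.jmcd.local:389
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
ldap ssl = no
idmap backend = ldap:ldap://dc1.jmcd.local
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are lowercased
    with internal whitespace removed, matching how Samba compares them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # Samba only allows whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = val.strip()
    return conf

def as_bool(value):
    return value.strip().lower() in ("yes", "true", "1", "on")

def audit_global(conf):
    """Flag settings that weaken what this client puts on the wire.
    Defaults for absent parameters are assumed Samba 3-era defaults."""
    g = conf.get("global", {})
    findings = []
    if as_bool(g.get("clientlanmanauth", "yes")):
        findings.append("client lanman auth enabled: LM responses would be sent")
    if as_bool(g.get("clientplaintextauth", "yes")):
        findings.append("client plaintext auth enabled")
    if not as_bool(g.get("clientntlmv2auth", "no")):
        findings.append("client NTLMv2 auth disabled")
    backend = g.get("idmapbackend", "")
    ldap_ssl = g.get("ldapssl", "start tls").lower()
    if "ldap://" in backend and ldap_ssl in ("no", "off", "false", "0"):
        findings.append("idmap backend over ldap:// with ldap ssl = no: idmap traffic in cleartext")
    return findings
```

Run against the posted config, the three client auth settings pass and only the unencrypted LDAP idmap connection is reported.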