Victor Mendez
2008-Feb-28 02:12 UTC
[Samba] Samba server joining domain and browsing group shares
Hello, I have a small network and would like to add Samba to our environment.
This is what I would like to accomplish:
- We have an ADS PDC (Windows 2000 Server)
- We have 27 workstations running Windows XP Pro
We have recently bought a new server, installed openSUSE 10.3, and installed
and configured Samba. Basically we want to use the new Samba server as a data
repository server.
In the Windows environment we have 4 groups: management, which has 4 users;
accounting, which has 5 users; sales, which has 3 users; and ingeneering, which
has 15 users.
We would like the users in each group to only have access to the files for
their corresponding group on the Samba server, i.e. accounting sees the
accounting share only, etc. These groups are defined on the PDC/ADS machine, not
on the Samba server.
My question is: how do I configure the Samba server to inherit the groups
defined on the Windows PDC/ADS machine?
I include a copy of the /etc/samba/smb.conf file:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-12-04
[global]
workgroup = NETSYS
realm = NETSYSTEMSINFO.COM
preferred master = no
server string = Linux file server
security = ADS
encrypt passwords = yes
log level = 3
printcap name = cups
printing = cups
cups options = raw
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind separator = +
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
#security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
netbios name = cuzco
usershare allow guests = No
use kerberos keytab = true
idmap gid = 10000-20000
idmap uid = 10000-20000
template homedir = /home/%D/%U
#winbind refresh tickets = yes
password server = arequipa.netsystemsinfo.com
#winbind cache time = 600
allow trusted domains = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
[management]
comment = Management files
inherit acls = Yes
path = /Management
read only = No
valid users = @Documentaries
admin users = vmendez
[accounting]
comment = Accounting files
inherit acls = Yes
path = /Accounting
read only = No
valid users = @Movies
admin users = vmendez
[sales]
comment = Sales files
inherit acls = Yes
path = /Sales
read only = No
valid users = @Series
admin users = vmendez
[ingeneering]
comment = Ingeneering files
inherit acls = Yes
path = /Ingeneering
read only = No
valid users = @Series
admin users = vmendez
## Share disabled by YaST
# [netlogon]
-------------------------------------------------------------------------------------------------------------------------
I also include a copy of my /etc/krb5.conf file:
[libdefaults]
default_realm = NETSYSTEMSINFO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
#clockskew = 300
[realms]
NETSYSTEMSINFO.COM = {
kdc = arequipa.netsystemsinfo.com
admin_server = arequipa.netsystemsinfo.com
default_domain = netsystemsinfo.com
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
#*.netsystemsinfo.com = NETSYSTEMSINFO.COM
.kerberos.server = NETSYSTEMSINFO.COM
.netsystemsinfo.com = NETSYSTEMSINFO.COM
[appdefaults]
pam = {
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
use_shmem = sshd
krb4_convert = false
}
-------------------------------------------------------------------------------------------------------------------------
The problem we have is that users in the domain cannot log on to the
Samba machine and browse their group shares.
Any help will be appreciated. We are really trying to move away from Windows,
and solving this could help us convince management that this is the way to
go.
Victor
Alex de Vaal
2008-Feb-28 07:40 UTC
[Samba] Samba server joining domain and browsing group shares
Hello,
What you want is rather easy; I have it running.
My Samba server (on Red Hat) is a domain member of a W2k3 native AD, so it is
joined to the domain (net ads join -Uusername%password).
This is how my smb.conf looks:
# Global Parameters Needed For Samba 3.0.27a
[global]
workgroup = TEST
realm = TEST.COM
server string = %h server (Samba %v)
security = ADS
password server = adm04.test.com, adm01.test.com
log file = /var/log/samba/%m.log
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 660
domain master = No
ldap timeout = 15
idmap uid = 10000-30000
idmap gid = 10000-30000
template homedir = /data/hom/%U
template shell = /bin/bash
winbind cache time = 660
printer admin = "@TEST.COM\Domain Admins", @TEST.COM\DEP_ADMIN
oplocks = No
level2 oplocks = No
default devmode = No
enable privileges = Yes
host msdfs = No
msdfs root = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
printing = cups
strict locking = Yes
[homes]
comment = Home Directories
read only = No
create mask = 0600
directory mask = 0700
browseable = No
[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes
On the server you have to use the chown and chmod commands to give
the AD group DEP_TEST_MEMBER access on the Linux filesystem:
chmod g+s /data/grp
chown 0:"TEST\DEP_TEST_MEMBER" /data/grp
I have 200+ sites running like this... ;-)
Regards,
Alex.
Victor Mendez
2008-Feb-28 15:19 UTC
[Samba] Samba server joining domain and browsing group shares
Thank you, Alex. I will try this as soon as possible today and let you know the results. Regards, Victor
Victor Mendez
2008-Mar-10 23:25 UTC
[Samba] Samba server joining domain and browsing group shares
Alex, thanks a lot. The problem was solved. The configuration information you provided was very precise and correct. The problem was with SuSE and the YaST2 Samba GUI. What we did, basically, was re-install SuSE 10.3, edit /etc/samba/smb.conf manually using the parameters you provided, and comment out the parameters SuSE puts in the file by default. We then manually modified the /etc/krb5.conf file, again following your instructions and sample files, and bingo, everything works just fine.

Thanks a lot. Over the weekend we converted the first production server with this setup, and we are converting 2 more Win2k servers to Samba servers. We are only keeping the PDC (it only contains the Active Directory information, nothing else).

The following is for SuSE users with 10.3 x-64: share names defined in /etc/samba/smb.conf should be in lower case. It will not work when using upper-case characters. Another thing: when creating groups on the Windows PDC, make sure that the groups are global, not local; otherwise the Linux function getent will not see them.

Well, that does it for us. Cheers, Alex, and thanks again ;-) Regards, Victor
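The thread converges on three things that decide whether a domain user can open a group share on a member server: every group named in a share's `valid users` must actually resolve through winbind (Victor's original config named @Documentaries, @Movies and @Series, which do not exist in his domain), share names should be lower case (Victor's SuSE 10.3 report), and `admin users` makes the listed users operate as root on that share, which is worth knowing before copying a stanza between shares. The script below is an added example, not code from either poster or from the Samba project: it parses an smb.conf fragment and a `getent group` snapshot, both constructed inline here (the group names, UIDs and members are invented), and reports each share that would fail one of those checks.

```python
"""Static checks for an smb.conf used as an AD member file server.

Added example, not code from the thread. It encodes three points the
thread settled on: groups in `valid users` must resolve via winbind/getent,
share names should be lower case, and `admin users` act as root on a share.
Both inputs below are constructed so the script runs offline.
"""
import re

# Constructed smb.conf fragment modelled on the original poster's config,
# with one stanza still carrying a placeholder group and one upper-case name.
SMB_CONF = """\
[global]
    workgroup = NETSYS
    realm = NETSYSTEMSINFO.COM
    security = ADS
    winbind use default domain = yes
    winbind separator = +
    map to guest = Bad User

[accounting]
    path = /Accounting
    valid users = @Movies
    admin users = vmendez
    read only = No

[sales]
    path = /Sales
    valid users = @sales
    read only = No

[Engineering]
    path = /Engineering
    valid users = @NETSYS+engineering
    read only = No
"""

# Constructed `getent group` output as winbind presents it when
# `winbind use default domain = yes` (bare names, no DOMAIN+ prefix).
GETENT_GROUP = """\
root:x:0:
users:x:100:
accounting:x:10003:jsmith,mlee
sales:x:10004:bcarter
engineering:x:10005:vmendez,tpark
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Keys are lower-cased (smb.conf keys are case-insensitive); comments
    starting with # or ; and blank lines are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf


def parse_getent_group(text):
    """Return the set of group names from `getent group` output."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def audit_shares(conf, groups):
    """Return a list of (share, finding) tuples for every non-global stanza."""
    g = conf.get("global", {})
    use_default_domain = g.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    sep = g.get("winbind separator", "\\")
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        if share != share.lower():
            findings.append((share, "share name is not lower case"))
        for token in re.split(r"[,\s]+", params.get("valid users", "")):
            if not token or token[0] not in "@+&":
                continue  # plain user names are not checked here
            name = token.lstrip("@+&")
            # With `winbind use default domain`, getent shows bare names, so a
            # DOMAIN<sep>group token is compared by its group part only.
            if use_default_domain and sep in name:
                name = name.split(sep)[-1]
            if name not in groups:
                findings.append((share, "valid users group %s does not resolve; no user will match" % token))
        if params.get("admin users"):
            findings.append((share, "admin users = %s operate as root on this share" % params["admin users"]))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SMB_CONF), parse_getent_group(GETENT_GROUP)):
        print("[%s] %s" % (share, finding))
```

Run on a real server, replace the two constants with the contents of /etc/samba/smb.conf and the output of `getent group` after `net ads join` has succeeded; a share whose only `valid users` entry is an unresolvable group is exactly the symptom in the first post, and running `getent group` first also confirms Victor's note that only global AD groups show up.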