Bruno Martins - GALILEU LISBOA
2011-Jul-19 15:05 UTC
[Samba] Integrate Samba with Active Directory
Hello guys,

I am setting up a Samba server (based on CentOS 5.6) at my company which will act as a print and file server. Also, it has dropbox installed.

I have set up everything regarding CUPS and Samba itself, but I'm not able to integrate my shares with Active Directory.

All I want is that access control to Samba shares is done through Active Directory users and their respective passwords, and not through Unix-style users and groups. Is this possible?

Some configuration files:

/etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
/etc/samba/smb.conf - http://pastebin.com/9uffAyjV
/etc/krb5.conf - http://pastebin.com/9zJFQR6J

Can someone please shed some light on this? If you need more information, just tell me. ;-)

Thanks for your cooperation.

Best regards,

Bruno Martins
Bruno Martins - GALILEU LISBOA wrote:
> Hello guys,
>
> I am setting up a Samba server (based on CentOS 5.6) at my company which
> will act as a print and file server. Also, it has dropbox installed.
>
> I have set up everything regarding CUPS and Samba itself, but I'm not
> able to integrate my shares with Active Directory.
>
> All I want is that access control to Samba shares is done through Active
> Directory users and their respective passwords, and not through
> Unix-style users and groups. Is this possible?
>
> Some configuration files:
>
> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>
> Can someone please shed some light on this?

A quick look shows a lack of an idmap setup in the smb.conf.

You say you are using CentOS 5.6, in which case I strongly recommend that you use the samba3x packages over the plain samba packages if you are not doing so already.

Here is an example based on what I use with CentOS 5.6 using the samba3x packages. Note that I have the rfc2307 information set in the AD for all the users. I have a whole bunch of other options as well to do with CTDB, GPFS and other bits and bobs. However these are not relevant to getting it working.

On the AD side you need to set the UID, home directory and primary group in the Unix Attributes tab, and then in the Member Of tab you need to add the user to the primary group that you set in the Unix Attributes tab and make that their primary group. All the groups need a GID setting in their Unix Attributes tab as well.

The important thing about the idmap setting is that you must have a plain tdb backend (or something else that is allocatable) and the range must not overlap with the range for the domain, or it does not work. Not quite sure why that is, because in my setting all accounts exist in the AD with appropriate Unix attributes. Took me ages to work that nugget of information out.

JAB.

[global]
        netbios name = nemo
        security = ads
        workgroup = CAMPUS
        realm = CAMPUS.MYCORP.COM
        password server = *
        preferred master = no
        encrypt passwords = yes
        kerberos method = secrets only

        # deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999
        idmap gid = 2000000 - 2999999
        idmap config CAMPUS : backend = ad
        idmap config CAMPUS : schema_mode = rfc2307
        idmap config CAMPUS : readonly = yes
        idmap config CAMPUS : range = 500 - 1999999
        idmap cache time = 120
        idmap negative cache time = 20
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
On 07/19/2011 10:05 AM, Bruno Martins - GALILEU LISBOA wrote:
> Hello guys,
>
> I am setting up a Samba server (based on CentOS 5.6) at my company which
> will act as a print and file server. Also, it has dropbox installed.
>
> I have set up everything regarding CUPS and Samba itself, but I'm not
> able to integrate my shares with Active Directory.
>
> All I want is that access control to Samba shares is done through Active
> Directory users and their respective passwords, and not through
> Unix-style users and groups. Is this possible?
>
> Some configuration files:
>
> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G

Bruno,

To start, change this:

    passwd: files ldap
    shadow: files winbind
    group: files winbind

To this:

    passwd: files winbind ldap    (Are you using ldap for anything?)
    shadow: files
    group: files winbind

kinit Administrator@GALILEU-F.GALILEU.PT
This should return nothing after entering the password.

Is the join OK? net ads testjoin

Try wbinfo -u and wbinfo -g to see if you get AD users and groups.

If using PAM, is it configured for winbind?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

Dale

> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>
> Can someone please shed some light on this?
>
> If you need more information, just tell me. ;-)
>
> Thanks for your cooperation.
>
> Best regards,
>
> Bruno Martins
On 07/19/2011 07:12 PM, Jonathan Buzzard wrote:
> Bruno Martins wrote:
>
> [SNIP]
>
>> Good night Robert,
>>
>> My Domain Controller is running Windows Server 2003 R2 X64, so I may not
>> be affected by those bulletins.
>>
>> By the way, thanks for noticing.
>
> Unless I am reading the release notes incorrectly, if you use the
> samba3x packages in CentOS 5.6, which gets you 3.5.4 with security
> patches, as opposed to the plain samba packages, which only get you a
> hideously old 3.0.x, then the NTLMv2 issue goes away as samba supports it.
>
> If you are doing anything with AD and are using CentOS 5.x, then I
> cannot stress enough the value in upgrading to 5.6 and swapping the samba
> packages for the samba3x packages. Basically the samba3x packages get
> you the same samba as RHEL/CentOS 6, which makes shifting your file
> servers to CentOS 6 in due course much easier.
>
> JAB.

JAB is right on that one. There are still NTLMv2 issues with even 2003 and samba 3.0.x. Besides, people should use a currently supported version anyway (...thanking RH for FINALLY stopping backport of patches to the ancient 3.0.x code!!!):

http://wiki.samba.org/index.php/Samba3_Release_Planning

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
On 07/19/2011 4:49 PM, Bruno Martins wrote:
> On Tue, 2011-07-19 at 13:11 -0500, Dale Schroeder wrote:
>> On 07/19/2011 10:05 AM, Bruno Martins - GALILEU LISBOA wrote:
>>> Hello guys,
>>>
>>> I am setting up a Samba server (based on CentOS 5.6) at my company which
>>> will act as a print and file server. Also, it has dropbox installed.
>>>
>>> I have set up everything regarding CUPS and Samba itself, but I'm not
>>> able to integrate my shares with Active Directory.
>>>
>>> All I want is that access control to Samba shares is done through Active
>>> Directory users and their respective passwords, and not through
>>> Unix-style users and groups. Is this possible?
>>>
>>> Some configuration files:
>>>
>>> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
>>
>> Bruno,
>>
>> To start, change this:
>>     passwd: files ldap
>>     shadow: files winbind
>>     group: files winbind
>> To this:
>>
>>     passwd: files winbind ldap    (Are you using ldap for anything?)
>>     shadow: files
>>     group: files winbind
>>
>> kinit Administrator@GALILEU-F.GALILEU.PT
>> This should return nothing after entering the password.
>>
>> Is the join OK? net ads testjoin
>>
>> Try wbinfo -u and wbinfo -g to see if you get AD users and groups.
>>
>> If using PAM, is it configured for winbind?
>> http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm
>>
>> Dale
>>
>>> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
>>> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>>>
>>> Can someone please shed some light on this?
>>>
>>> If you need more information, just tell me. ;-)
>>>
>>> Thanks for your cooperation.
>>>
>>> Best regards,
>>>
>>> Bruno Martins
>
> Hello Dale,
>
> Files have been corrected.
>
> How do you make 'net ads testjoin' as a certain user?

I believe you have to do this as root.

> I did this, to see if it helps you:
> http://paste2.org/p/1529126
>
> By the way, also take a look at kinit's result:
> http://paste2.org/p/1529128

That looks OK. Do you get a listing of your AD users and groups with "wbinfo -u" and "wbinfo -g"?

As others have suggested, consider upgrading to a newer version.

For completeness, verify that the times are in sync between the samba server and the DC.

Dale

> I don't know if I'm using it, but I'll take a look into that article as
> well.
>
> Thanks for your cooperation on this.
>
> Best regards,
>
> Bruno Martins
From: "Bruno Martins - GALILEU LISBOA" <bmartins at galileu.pt>
Date: Tue, 19 Jul 2011 16:05:48 +0100
> I have set up everything regarding CUPS and Samba itself, but I'm not
> able to integrate my shares with Active Directory.

What do you mean by "integrate"? Have you successfully joined the Active Directory?

If not, have you correctly set /etc/hosts (or another facility) to resolve your netbios name, sputnik, and FQDN during joining to the AD?

And try to remove the "auth methods" line; "auth methods" is automatically set according to the "security" and "encrypt passwords" parameters. You should not change this.

And the "guest ok" line does not function because of a lack of a "map to guest" parameter.

> All I want is that access control to Samba shares is done through Active
> Directory users and their respective passwords, and not through
> Unix-style users and groups. Is this possible?

Basically yes, using Winbind.

From: Jonathan Buzzard <jonathan at buzzard.me.uk>
Date: Tue, 19 Jul 2011 18:11:25 +0100
> A quick look shows a lack of an idmap setup in the smb.conf.

There are both "idmap uid" and "idmap gid" lines, so the minimum configuration is done.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
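The smb.conf pitfalls raised in this thread can be checked mechanically: Jonathan's rule that the allocating tdb range must not overlap the domain's range, and Motonobu's points about a hand-set "auth methods" and a "guest ok" share with no "map to guest" in [global]. The script below is an added example, not code from the thread or from the Samba project. The sample config it lints is constructed, modelled on Jonathan's [global] with those faults deliberately introduced, and the finding codes (IDMAP_OVERLAP and so on) are names chosen here, not Samba terms.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Samba 3.x smb.conf for the idmap
# range overlap Jonathan warns about and the "auth methods" / "guest ok" points
# Motonobu raises. Pure text processing; nothing talks to AD.

# Constructed sample with two faults added: the domain range overlaps the
# default tdb range, and a share is "guest ok" while [global] has no "map to guest".
SAMPLE_SMB_CONF='[global]
   workgroup = CAMPUS
   realm = CAMPUS.MYCORP.COM
   security = ads
   auth methods = kerberos winbind
   idmap backend = tdb
   idmap uid = 2000000 - 2999999
   idmap gid = 2000000 - 2999999
   idmap config CAMPUS : backend = ad
   idmap config CAMPUS : schema_mode = rfc2307
   idmap config CAMPUS : range = 500 - 2500000

[public]
   path = /srv/public
   guest ok = yes
'

# smb_param SECTION KEY CONF: print the value of KEY in SECTION, or nothing.
# Section and key are matched case-insensitively with all whitespace removed,
# so "idmap config CAMPUS : range" is looked up as "idmapconfigcampus:range";
# whitespace is stripped from the value too ("500 - 2500000" -> "500-2500000").
smb_param() {
    printf '%s\n' "$3" | awk -v want_sect="$1" -v want_key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            sect = tolower($0); sub(/^[[:space:]]*\[/, "", sect); sub(/].*$/, "", sect); next
        }
        sect == want_sect && index($0, "=") > 0 {
            n = index($0, "=")
            k = tolower(substr($0, 1, n - 1)); gsub(/[[:space:]]/, "", k)
            v = substr($0, n + 1); gsub(/[[:space:]]/, "", v)
            if (k == want_key) { print v; exit }
        }'
}

# ranges_overlap A B: succeed when the "low-high" ranges A and B intersect.
ranges_overlap() {
    a_lo=${1%%-*}; a_hi=${1##*-}; b_lo=${2%%-*}; b_hi=${2##*-}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# shares_with_guest_ok CONF: list the non-global sections that set "guest ok = yes".
shares_with_guest_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/].*$/, "", sect); next }
        tolower(sect) != "global" && index($0, "=") > 0 {
            line = tolower($0); gsub(/[[:space:]]/, "", line)
            if (line == "guestok=yes" || line == "guestok=true") print sect
        }'
}

# lint_smb_conf CONF: print one finding code per line; nothing when clean.
lint_smb_conf() {
    conf=$1
    wg=$(smb_param global workgroup "$conf" | tr 'A-Z' 'a-z')
    # Allocating range: legacy "idmap uid" or the newer "idmap config * : range".
    default_range=$(smb_param global idmapuid "$conf")
    [ -n "$default_range" ] || default_range=$(smb_param global 'idmapconfig*:range' "$conf")
    domain_range=$(smb_param global "idmapconfig${wg}:range" "$conf")
    if [ -z "$default_range" ]; then
        echo NO_DEFAULT_IDMAP_RANGE
    elif [ -n "$domain_range" ] && ranges_overlap "$default_range" "$domain_range"; then
        echo IDMAP_OVERLAP
    fi
    # "auth methods" is derived from "security"/"encrypt passwords"; setting it by hand is a smell.
    [ -n "$(smb_param global authmethods "$conf")" ] && echo AUTH_METHODS_SET
    # "guest ok" on a share does nothing unless [global] maps unknown users to guest.
    if [ -n "$(shares_with_guest_ok "$conf")" ] && [ -z "$(smb_param global maptoguest "$conf")" ]; then
        echo GUEST_WITHOUT_MAP
    fi
    return 0
}

# Usage: lint the constructed sample (expect IDMAP_OVERLAP, AUTH_METHODS_SET, GUEST_WITHOUT_MAP).
lint_smb_conf "$SAMPLE_SMB_CONF"
# On a real server: lint_smb_conf "$(cat /etc/samba/smb.conf)"
```

The overlap test is the one worth keeping around: with the domain range ending at 1999999 as in Jonathan's config the script is silent, and moving that upper bound into the 2000000 block is exactly the silent failure he spent ages tracking down.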
On 09:07:40 wrote Bruno Martins - GALILEU LISBOA:
> Hello guys,
>
> I am setting up a Samba server (based on CentOS 5.6) at my company
> which will act as a print and file server. Also, it has dropbox
> installed.
>
> I have set up everything regarding CUPS and Samba itself, but I'm
> not able to integrate my shares with Active Directory.
>
> All I want is that access control to Samba shares is done through
> Active Directory users and their respective passwords, and not
> through Unix-style users and groups. Is this possible?
>
> Some configuration files:
>
> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G

your config:

    passwd: files ldap
    shadow: files winbind
    group: files winbind

should be all the same ;-) ie files winbind

> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>
> Can someone please shed some light on this?
>
> If you need more information, just tell me. ;-)
>
> Thanks for your cooperation.
>
> Best regards,
>
> Bruno Martins

--
Regards
  Harry Jede