satoshi takano
2016-Aug-30 00:10 UTC
[Samba] Cooperation with the samba and the Windows ActiveDirectory
I'm Takano.
We would like to build a system like the following, in which Samba and Windows
Active Directory cooperate.
☆Samba
OS:CentOS7
Samba:(ver4.4.5)
☆Windows(ActiveDirectory)
OS:Windows Server 2003
※The functional level has been raised from 2000 to 2003.
What we want to achieve is the following.
・Create a domain controller (samba.test) on the Samba server side.
・Set up a trust relationship with the domain controller on the Windows server
side (ad.adtest).
※The direction of the trust is Samba server → Windows server
・Build a WindowsStorage server (Windows2012R2) as a file server and join it to
the domain controller of the Samba server.
・On the WindowsStorage server side, restrict access, etc. for the users of both
domain controllers.
・We want both users joined to the domain controller of the Samba server and
users joined to the domain controller of the Windows server to be able to
access (log in to) the file server.
In the current situation, after trying various things, a user joined to the
domain controller of the Samba server can access the file server, but a user
joined to the domain controller of the Windows server cannot access the file
server.
※Access restrictions on the file server side can only be set for users of the
Samba server.
What we have done is the following.
- Install samba4.4.5 on the Samba server
- Run the following command
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Realm [TEST]: samba.test
Domain [samba]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]:xxx.xxx.xxx.xxx
Administrator password:xxxxxxx
Retype password:xxxxxxx
- Start samba
- Set up the incoming direction of the trust relationship on the Windows server
- Set up the outgoing direction of the trust relationship from the Samba server
by running the following command
/usr/local/samba/bin/samba-tool domain trust create ad.adtest --type=external --direction=outgoing -U administrator@xxx.adtest --create-location=local --ipaddress=xxx.xxx.xxx.xxx
- Verify the trust relationship on both the Windows server and the Samba server;
we were able to confirm that it is established.
That is everything up to this point.
Create an adtest user on the Windows server.
When you run the following command, the user information is displayed.
/usr/local/samba/bin/wbinfo --user-info AD\\adtest
Authentication (krb5) with the following command also passes.
/usr/local/samba/bin/wbinfo -K AD\\adtest%password
So on the winbind side the user seems to be visible.
The global section of smb.conf is as follows.
[global]
netbios name = HOSTNAME
realm = SAMBA.TEST
workgroup = SAMBA
dns forwarder = xxx.xxx.xxx.xxx
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
We would be very grateful for your help in resolving this matter.
Regards
mathias dufresne
2016-Sep-02 10:58 UTC
[Samba] Cooperation with the samba and the Windows ActiveDirectory
Hi Takano,

You wrote:
> ※The direction of the trust Samba server → Windows server

Which should mean, according to some MS book sitting on my desk, that you want the Samba domain to trust the MS domain.

In the Samba FAQ, here:
https://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
you can read "Samba can be trusted, but can't trust yet."

According to that, if your arrow was in the right direction, you just can't achieve what you want to, for now.
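
An added example, not part of the thread and not Samba project code: a shell check of which trust direction a DC records for a domain, following the reply's reading that "Samba server → Windows server" means the Samba domain trusts the AD domain. The `Type[..] Transitive[..] Direction[..] Name[..]` line layout of `samba-tool domain trust list`, the sample lines and the name corp.example are assumptions constructed here; a recorded trust shows configuration only, not that the Samba version can authenticate the trusted domain's users.

```shell
#!/bin/sh
# Constructed sample in the layout assumed for the output of
# `samba-tool domain trust list` (not captured from a real server).
SAMPLE_TRUSTS='Type[External] Transitive[No]  Direction[OUTGOING] Name[ad.adtest]
Type[Forest]   Transitive[Yes] Direction[INCOMING] Name[corp.example]'

# trust_direction <domain>: reads trust-list lines on stdin and prints the
# Direction[...] value recorded for <domain>, or NONE if no line names it.
trust_direction() {
    awk -v dom="$1" '
        {
            name = ""; dir = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Name\[/)      name = substr($i, 6, length($i) - 6)
                if ($i ~ /^Direction\[/) dir  = substr($i, 11, length($i) - 11)
            }
            # Domain names are case-insensitive.
            if (tolower(name) == tolower(dom)) { print dir; found = 1; exit }
        }
        END { if (!found) print "NONE" }'
}

# users_can_reach <user_domain>: exit 0 when the local domain trusts
# <user_domain>, i.e. holds an OUTGOING or BOTH trust towards it, so that
# domain's users can be granted access to local resources such as a member
# file server. An INCOMING trust only works the other way round.
users_can_reach() {
    case "$(trust_direction "$1")" in
        OUTGOING|BOTH) return 0 ;;
        *)             return 1 ;;
    esac
}

# Demonstration on the constructed sample. On a DC the input would come from:
#   samba-tool domain trust list | users_can_reach ad.adtest
for d in ad.adtest corp.example missing.example; do
    if printf '%s\n' "$SAMPLE_TRUSTS" | users_can_reach "$d"; then
        echo "$d: local domain trusts it"
    else
        echo "$d: no outgoing trust recorded"
    fi
done
```
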
satoshi takano
2016-Sep-06 00:43 UTC
[Samba] Cooperation with the samba and the Windows ActiveDirectory
By the way, do you think that can be realized in samba3?