satoshi takano
2016-Aug-30 00:10 UTC
[Samba] Cooperation with the samba and the Windows ActiveDirectory
I'm Takano.

Now, a system such as the following by cooperation with the Samba and Windows ActiveDirectory
We would like to build.

☆Samba

OS：CentOS7
Samba：(ver4.4.5)

☆Windows(ActiveDirectory)

OS：Windows Server 2003
※State functional level is raised from 2000 to 2003.

That you want to achieve it will be following.

・Create a domain controller (samba.test) on the Samba server side.
・And set up a trust relationship Windows server side of the domain controller (ad.adtest).
  ※The direction of the trust Samba server → Windows server
・WindowsStorage to build a server (Windows2012R2) as a file server, the domain controller of the Samba server To participate.
・Restrict access, etc. of both the domain controller of the user in the WindowsStorage server side.
・It is joined to a domain controller of the user ・ Windows servers that are joined to a domain controller of the Samba server We want to be able to access (login) to the file server at the user.

Current situation, I tried various, user that is joined to the domain controller of the Samba server You can access the file server, but is joined to the domain controller of the Windows server The user can not access the file server.
※Access restrictions on the file server side can only be set to the user of the Samba server.

The thing that you have made, will be the following.

- Install samba4.4.5 to the Samba server
- Implement the following command

    /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
    Realm [TEST]: samba.test
    Domain [samba]:
    Server Role (dc, member, standalone) [dc]:
    DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
    DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]：xxx.xxx.xxx.xxx
    Administrator password：xxxxxxx
    Retype password：xxxxxxx

- Start the samba
- Set the input direction of the trust relationship in the Windows server
- Set the output direction of the trust relationship from the Samba server by running the following command

    /usr/local/samba/bin/samba-tool domain trust create ad.adtest --type=external --direction=outgoing -U administrator@xxx.adtest --create-location=local --ipaddress=xxx.xxx.xxx.xxx

- A state in which it was able to confirm to try and trust relationship verified in Windows server ・ Samba server both are tied.

Here it is up.
Create a adtest user to the Windows server

When you run the following command user information is displayed.

    /usr/local/samba/bin/wbinfo --user-info AD\\adtest

Authentication and run the following command (krb5) will also pass.

    /usr/local/samba/bin/wbinfo -K AD\\adtest%password

So the winbind basis seems to be a state in which the user is visible.

Global section of smb.conf are as follows.

    [global]
    netbios name = HOSTNAME
    realm = SAMBA.TEST
    workgroup = SAMBA
    dns forwarder = xxx.xxx.xxx.xxx
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

Very it will be saved and enjoy your help to resolve this matter.

regards
mathias dufresne
2016-Sep-02 10:58 UTC
[Samba] Cooperation with the samba and the Windows ActiveDirectory
Hi Takano,

You wrote:
※The direction of the trust Samba server → Windows server

Which should mean, according to some MS book sitting on my desk, that you want Samba domain to trust MS domain.

In the Samba FAQ, here:
https://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
you can read "Samba can be trusted, but can't trust yet."

According to that, if your arrow was in right direction, you just can't achieve what you want to, for now.
satoshi takano
2016-Sep-06 00:43 UTC
[Samba] Cooperation with the samba and the Windows ActiveDirectory
By the way, do you think that can be realized in samba3?