I am using Jeff Bales' procedure for configuring SAMBA with Active Directory https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/ When everything is all said & done everything seems to work, but I am not able to configure home directories because the users don't have local Linux accounts - I suspect I need to bind Linux's user table to Active Directory, but cannot seem to make this happen. Any advise? I am using this to add users: samba-tool user create user P at ssrod4 --uid=user --uid-number=10001 --gid-number=100 --unix-home=/home/user --home-directory=/home/user --login-shell=/bin/bash --gecos='user' --given-name=Happy --surname=User
Follow this steps. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller Em 1 de jul de 2017 19:16, "John Schmerold via samba" <samba at lists.samba.org> escreveu:> I am using Jeff Bales' procedure for configuring SAMBA with Active > Directory > https://thingsdomakesense.wordpress.com/2017/06/06/installin > g-samba-4-6-5-active-directory-on-centos-7-1611/ > > When everything is all said & done everything seems to work, but I am not > able to configure home directories because the users don't have local Linux > accounts - I suspect I need to bind Linux's user table to Active Directory, > but cannot seem to make this happen. Any advise? > > I am using this to add users: > > samba-tool user create user P at ssrod4 --uid=user --uid-number=10001 > --gid-number=100 --unix-home=/home/user --home-directory=/home/user > --login-shell=/bin/bash --gecos='user' --given-name=Happy --surname=User > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
On Sat, 1 Jul 2017 17:12:30 -0500 John Schmerold via samba <samba at lists.samba.org> wrote:> I am using Jeff Bales' procedure for configuring SAMBA with Active > Directory > https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/ > > When everything is all said & done everything seems to work, but I am > not able to configure home directories because the users don't have > local Linux accounts - I suspect I need to bind Linux's user table to > Active Directory, but cannot seem to make this happen. Any advise? > > I am using this to add users: > > samba-tool user create user P at ssrod4 --uid=user --uid-number=10001 > --gid-number=100 --unix-home=/home/user --home-directory=/home/user > --login-shell=/bin/bash --gecos='user' --given-name=Happy > --surname=User > >Not much wrong with that howto, as far as it goes, apart from this step: mv /etc/krb5.conf /etc/krb5.conf.bak cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf Yes, you might want to make a copy of the original krb5.conf, but you should do it after the provision and the krb5.conf it tells you to copy is the wrong one. The last line is totally redundant anyway, it tells you to copy the correct one after the provision. Now for what is probably wrong with your DC: The howto tells you start Samba by just running 'samba' , did this actually work ? Probably not, because 'samba' will be in /usr/local/samba/sbin and this will not be in your path. The howto also doesn't tell you that if you want to use a DC as a fileserver, you need to create a few links for libnss_winbind.so. Without these links, getent etc will not work and you need them to work to have Unix users (and no, you cannot have users in /etc/passwd and AD, same goes for groups) See here for howto create the links: https://wiki.samba.org/index.php/Libnss_winbind_Links The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory' and 'loginShell' attributes are ignored. Once you have 'getent' working, you will find that all your users have their Unix home directories set to '/home/DOMAIN/username' and their shell will be '/bin/false', see here for how to fix this: https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC Finally, [homes] doesn't work on a DC, see here: https://wiki.samba.org/index.php/User_Home_Folders Rowland
On 7/2/2017 3:30 AM, Rowland Penny via samba wrote:> On Sat, 1 Jul 2017 17:12:30 -0500 > John Schmerold via samba <samba at lists.samba.org> wrote: > >> I am using Jeff Bales' procedure for configuring SAMBA with Active >> Directory >> https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/ >> >> When everything is all said & done everything seems to work, but I am >> not able to configure home directories because the users don't have >> local Linux accounts - I suspect I need to bind Linux's user table to >> Active Directory, but cannot seem to make this happen. Any advise? >> >> I am using this to add users: >> >> samba-tool user create user P at ssrod4 --uid=user --uid-number=10001 >> --gid-number=100 --unix-home=/home/user --home-directory=/home/user >> --login-shell=/bin/bash --gecos='user' --given-name=Happy >> --surname=User >> >> > Not much wrong with that howto, as far as it goes, apart from this step: > > mv /etc/krb5.conf /etc/krb5.conf.bak > cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf > > Yes, you might want to make a copy of the original krb5.conf, but you > should do it after the provision and the krb5.conf it tells you to > copy is the wrong one. The last line is totally redundant anyway, it > tells you to copy the correct one after the provision. > > Now for what is probably wrong with your DC: > > The howto tells you start Samba by just running 'samba' , did this > actually work ? Probably not, because 'samba' will be > in /usr/local/samba/sbin and this will not be in your path. > > The howto also doesn't tell you that if you want to use a DC as a > fileserver, you need to create a few links for libnss_winbind.so. > Without these links, getent etc will not work and you need them to work > to have Unix users (and no, you cannot have users in /etc/passwd and > AD, same goes for groups) > > See here for howto create the links: > > https://wiki.samba.org/index.php/Libnss_winbind_Links > > The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory' > and 'loginShell' attributes are ignored. Once you have 'getent' > working, you will find that all your users have their Unix home > directories set to '/home/DOMAIN/username' and their shell will be > '/bin/false', see here for how to fix this: > > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC > > Finally, [homes] doesn't work on a DC, see here: > > https://wiki.samba.org/index.php/User_Home_Folders > > Rowland >Thanks for the spot-on advice. Jeff Bales' procedure was a great start, needed a few tweaks. The server fully functioning as a DC, I was able to get homes working by adding this bit of magic to [homes]: root preexec = bash -c '[[ -d /home/%U ]] || mkdir -p -m 0700 /home/%U && chown %U:users /home/%U' I have this configured in a VMWare environment, so there is no reason not to setup a separate DC, but that will have to keep for another day. John Schmerold St Louis, MO
Mandi! Rowland Penny via samba In chel di` si favelave... [Sorry for that late post... i was very busy on other things!]> The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory' > and 'loginShell' attributes are ignored. Once you have 'getent' > working, you will find that all your users have their Unix home > directories set to '/home/DOMAIN/username' and their shell will be > '/bin/false', see here for how to fix this: > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DCA-HA! This is exactly my experience in migrating from NT to AD mode the domain, and finally i've switched to sssd to have home and shell correctly working (eg, rfc2307 data).> Finally, [homes] doesn't work on a DC, see here: > https://wiki.samba.org/index.php/User_Home_FoldersUh. So, practically speaking, migrating an existing domain from NT do AD pose me the need to modify substantially the overral samba configuration, or split the server's domain in two, one running the DC and other as members? -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)