Rowland penny
2020-Jun-19 13:13 UTC
[Samba] SAMBA using existing users and passwords on Linux
On 19/06/2020 14:08, Fernando Gonçalves wrote:
> Hello Rowland. Thanks for answering.

Please post your present smb.conf

Tell us what your AD DCs are.

How did you join the domain?

Rowland
Fernando Gonçalves
2020-Jun-19 14:06 UTC
[Samba] SAMBA using existing users and passwords on Linux
I will pass all the commands I used for installation and inclusion of the
Linux server in AD.
Installation of KERBEROS 5 packages:
# yum install krb5-server krb5-libs krb5-workstation
I added the following lines to the /etc/krb5.conf file
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
I installed realmd
# yum install realmd
I ran the command to find the domain and check the necessary packages to be installed
# realm discover tjsc.ad --client-software=winbind
tjsc.ad
type: kerberos
realm-name: TJSC.AD
domain-name: tjsc.ad
configured: no
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
I installed required packages
# yum install oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools
Include the server in the domain with winbind
# realm join tjsc.ad --client-software=winbind -U adm.fernando
Verifying that the operation was successfully completed
# realm list
tjsc.ad
type: kerberos
realm-name: TJSC.AD
domain-name: tjsc.ad
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: TJSC\%U
login-policy: allow-any-login
Enable authentication via Winbind
# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads
--enablewinbindoffline --smbworkgroup=TJSC --update --smbrealm TJSC.AD
--winbindtemplateshell=/bin/bash --update
Install samba
# yum install samba
And that was it.
SMB.CONF
[global]
kerberos method = system keytab
template homedir = /home/%D/%U
workgroup = TJSC
template shell = /bin/bash
security = ads
realm = TJSC.AD
idmap config TJSC : range = 2000000-2999999
idmap config TJSC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
vfs objects = acl_xattr
map acl inherit = yes
[demo]
path = /srv/samba/demo
read only = no
create mask = 0777
directory mask = 0777
On Fri, 19 Jun 2020 at 10:14, Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 19/06/2020 14:08, Fernando Gonçalves wrote:
> > Hello Rowland. Thanks for answering.
>
> Please post your present smb.conf
>
> Tell us what your AD DC's are.
>
> How did you join the domain ?
>
> Rowland
Rowland penny
2020-Jun-19 14:42 UTC
[Samba] SAMBA using existing users and passwords on Linux
On 19/06/2020 15:06, Fernando Gonçalves wrote:
> I will pass all the commands I used for installation and inclusion of
> the Linux server in AD.
>
> Installation of KERBEROS 5 packages:
> # yum install krb5-server krb5-libs krb5-workstation

Why install krb5-server? This is not required on a Unix domain member.

> I added the following lines to the /etc/krb5.conf file
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false

Change the last line to true

> I installed realmd
> # yum install realmd

Why, what is wrong with 'net ads join'?

Nothing really wrong, apart from this: you do not seem to understand that any users in /etc/passwd are unknown to AD. You can have the same username in /etc/passwd and AD, but they will be different users. The only Samba supported way of making users known to both AD and the local Linux OS is for the users to be in AD and use Samba to make them Unix users as well.

You are half way there, you have in smb.conf:

idmap config TJSC : range = 2000000-2999999
idmap config TJSC : backend = rid

This will take any AD users (and groups), extract the RID and then calculate the Unix ID using the lower range, so from what you have posted, I am very sure that 'getent group Domain\ Users' will return the ID '2000513'.

So to cut to a shorter version, create your users in AD and delete them from /etc/passwd. Your way is not supported.

Rowland
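As an added example (not code from this thread, from Samba, or from either poster), here is the idmap arithmetic Rowland describes, worked against the idmap lines from Fernando's smb.conf. The script parses the `idmap config` entries, checks that the TJSC range and the `*` range are well-formed and do not overlap (winbind needs disjoint ranges), and computes the Unix ID the `rid` backend assigns: lower bound of the domain range plus the RID, with no mapping when the result would leave the range. The smb.conf text and the domain SID are constructed samples; the function names are mine.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = TJSC
security = ads
realm = TJSC.AD
idmap config TJSC : range = 2000000-2999999
idmap config TJSC : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
"""

# Matches e.g. "idmap config TJSC : backend = rid" -> (domain, key, value).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text.
    Domain names are upper-cased so lookups are case-insensitive; '*' stays '*'."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        entry = domains.setdefault(dom, {})
        key, val = m.group("key").lower(), m.group("val")
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return domains


def check_ranges(domains):
    """Return a list of problems: a domain with no range, an empty or inverted
    range, or two ranges that overlap (winbind requires disjoint ranges)."""
    problems = []
    ranges = []
    for dom, entry in domains.items():
        if "range" not in entry:
            problems.append(f"{dom}: no idmap range configured")
            continue
        low, high = entry["range"]
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} is empty or inverted")
        ranges.append((dom, low, high))
    for i, (dom_a, low_a, high_a) in enumerate(ranges):
        for dom_b, low_b, high_b in ranges[i + 1:]:
            if low_a <= high_b and low_b <= high_a:
                problems.append(f"{dom_a} and {dom_b} idmap ranges overlap")
    return problems


def rid_to_unix_id(domains, domain, sid):
    """Compute the Unix ID the 'rid' backend assigns: range low bound + RID.
    Returns None when the result falls outside the configured range, i.e. when
    winbind would refuse to map that SID."""
    entry = domains.get(domain.upper())
    if not entry or entry.get("backend") != "rid":
        raise ValueError(f"{domain} is not configured with the rid backend")
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        raise ValueError(f"{sid} is not a domain SID carrying a RID")
    rid = int(sid.rsplit("-", 1)[1])
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    domains = parse_idmap(SAMPLE_SMB_CONF)
    for problem in check_ranges(domains) or ["idmap ranges look consistent"]:
        print(problem)
    # Constructed domain SID; only the trailing RID (513 = Domain Users) matters.
    domain_users_sid = "S-1-5-21-1111111111-2222222222-3333333333-513"
    print("Domain Users ->", rid_to_unix_id(domains, "TJSC", domain_users_sid))
```

With the posted ranges the script reports no problems and maps the Domain Users RID 513 to 2000513, which is the value Rowland predicts for `getent group Domain\ Users`. Shrinking the `*` range to overlap the TJSC range, or feeding a RID larger than the range width, makes the check or the mapping fail, which is the same failure you would see from winbind.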