On Fri, Dec 11, 2009 at 12:40:50PM -0800, Kevin Keane wrote:
> First of all, I have Samba working in an Active Directory environment. The 
> Samba server has been basically unchanged for a couple of years now, and 
> survived an upgrade to Windows 2008 without changes. So it can be done.
> 
> Here are the relevant settings from my [global] section in smb.conf (for a 
> domain called ad.mydomain.local. Note the capitalization):
> 
>         realm = AD.MYDOMAIN.LOCAL
>         security = ADS
>         encrypt passwords = yes
>         domain logons = no
>         domain master = no
>         idmap domains = AD
>         idmap config AD:backend = rid
>         idmap config AD:base_rid = 0
>         idmap config AD:range = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
>         client use spnego = yes
> # set smb ports to turn off NetBT. Be aware that this makes your server
> # invisible in the Network Neighborhood.
>         smb ports = 445
>         idmap gid = 10000-20000
>         idmap uid = 10000-20000
> 
> Next, you need to make sure that DNS resolution works and uses the Windows 
> box as DNS server. This is critically important.

Well, you have to make your DNS use the windows box as the DNS server
for the mydomain.local domain.  To make the DNS go to the windows box
at all times is not necessary and is frustratingly slow compared to bind9
for example.

> In addition, you need to set up Kerberos using krb5.conf:
> 
> [libdefaults]
>         default_realm = AD.MYDOMAIN.LOCAL
>         clockskew = 300
> 
> [logging]
>         kdc = FILE:/var/log/krb5/krb5kdc.log
>         admin_server = FILE:/var/log/krb5/kadmind.log
>         default = SYSLOG:NOTICE:DAEMON
> [appdefaults]
> pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = false
>         retain_after_close = false
>         minimum_uid = 1
>         use_shmem = sshd
> }
> 
> (not sure if the pam section is needed - I believe Samba uses Kerberos 
> directly. Pam would allow you to use Windows accounts to log in to a Linux 
> box without creating accounts on the Linux box).
> 
> Some sites also recommend using a [realms] section to specify which server 
> serves up Kerberos tickets. I found that not necessary, and in fact harmful. 
> Kerberos uses SRV records in DNS to find the correct server, and Windows 
> creates the correct ones.
> 
> 
> Finally, you have to join the AD domain (use the net join command in Samba)
> 
> One catch: Server 2008 prefers IPv6. In IPv6, you cannot support NetBT/WINS. 
> Samba does not support Network Discovery very well, so your server becomes 
> invisible.

Hmm, that's an interesting change.

> If I recall correctly, the advantages and drawbacks of enum users and groups 
> are documented quite well in the Samba docs. The reason this setting exists 
> is exactly to accommodate a situation such as yours, with a very large number 
> of users.

-- 
Len Sorensen
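The `idmap config AD:*` lines quoted above select the rid backend, which maps IDs arithmetically (ID = RID - BASE_RID + LOW_RANGE_ID). The following added Python example, not part of this thread, parses those settings and applies that formula, returning None where a RID falls outside the configured 10000-20000 range, the case that bites a site with a very large number of users; the domain SID and RIDs are constructed values.

```python
import re

# Constructed copy of the idmap-relevant lines from the posted [global] section.
SMB_CONF = """
realm = AD.MYDOMAIN.LOCAL
security = ADS
idmap domains = AD
idmap config AD:backend = rid
idmap config AD:base_rid = 0
idmap config AD:range = 10000-20000
"""

# Constructed domain SID; a real one comes from "net getdomainsid".
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_idmap(conf, domain="AD"):
    """Extract backend, base_rid and range for one idmap domain from smb.conf text."""
    opts = {}
    pattern = re.compile(r"\s*idmap config %s:(\w+)\s*=\s*(.+?)\s*$" % re.escape(domain))
    for line in conf.splitlines():
        m = pattern.match(line)
        if m:
            opts[m.group(1).lower()] = m.group(2)
    low, high = (int(x) for x in opts["range"].split("-"))
    return {"backend": opts["backend"],
            "base_rid": int(opts.get("base_rid", "0")),
            "low": low, "high": high}


def sid_to_uid(sid, domain_sid, idmap):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None for SIDs of another domain and for RIDs whose result lies
    outside the range, which is exactly where winbind fails to map a user.
    """
    if idmap["backend"] != "rid":
        raise ValueError("only the rid backend is modelled here")
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        return None  # well-known or foreign-domain SID: not owned by this idmap domain
    uid = int(rid) - idmap["base_rid"] + idmap["low"]
    if not idmap["low"] <= uid <= idmap["high"]:
        return None  # RID does not fit: range 10000-20000 only covers RIDs 0..10000
    return uid
```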