Thanks to all that replied. I will give the suggestions a try.
Asst. Prof. Joel M. Therrien
Ph: 978-934-3324
Fax: 978-934-3027
[email protected]
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854
Robert LeBlanc wrote:
On Fri, Dec 11, 2009 at 12:57 PM, Joel Therrien <[email protected]> wrote:
Hello,

Due to a couple of circumstances, I am rebuilding my file server. In the process I want to see if I can iron out the last few issues I have had with getting Active Directory authentication to work. Ideally I would appreciate it if anyone can provide a link to a website that gives decently detailed instructions for setting up Samba with user authentication via Active Directory running on a Windows Server 2008 box. If it matters, I will be installing Debian squeeze, since I believe that version has a version of Samba that is able to work with 2008 (our IT department upgraded over the weekend and thus broke my authentication).

On top of that, one other question: is it absolutely necessary to enable enum users and groups? I ask because with a student population of more than 13,000 I do not want to choke either my server or the university's server by making a request for that large a number of people. And if one can get away without, what are the side effects? For example, the university's server has faculty and staff in a separate group from the students, such that an authentication call via wbinfo requires specifying for example FACULTY+John_Doe and STUDENT+Dave_Smith to work correctly. This was the one remaining hitch I did have: I used an account in the FACULTY group to bind my server to the AD server and thereafter had no issues with authenticating myself with Samba, but I could not get it to work for any students.
This works very well in our environment (Windows 2008 DCs) with trusted domains. I would suggest using idmap backend = hash over anything else if you are using 3.4.x; it is consistent across machines without having to worry about much configuration. You will be able to log in as both your FACULTY+user and STUDENT+user without any problem in this configuration. Beware that if you are doing AD logins to the box, you may have to disable kerberos method = system keytab. There is a bug that prevents password challenges if you don't have a Kerberos ticket on your machine (if you have a Kerberos ticket on your machine and ssh in, then it works fine because it doesn't challenge for a password). It is suspected that the cause of this is the cache file option in PAM; you could probably disable that instead (for more info see https://bugzilla.samba.org/show_bug.cgi?id=6833). If you are not using Kerberos for login, just comment out the line in smb.conf; regular file share requests will still use Kerberos.

Our AD domain is delegated by our campus DNS servers, so we don't have to change the DHCP settings to get things to work. If your campus has not delegated the AD DNS domain, it might be wise to have them look into it. All that needs to happen is they put in the DC addresses as the NS for that domain or sub-domain.
#======================= Global Settings =======================
[global]
workgroup = ad
realm = AD.LOCAL
preferred master = no
server string = %h server
dns proxy = no
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = ADS
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
guest account = nobody
map to guest = bad user
########## Printing ##########
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
############ Misc ############
idmap backend = hash
winbind nss info = hash
winbind use default domain = yes
winbind separator = +
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
template homedir = /ls/users/%U
template shell = /bin/bash
winbind refresh tickets = yes
kerberos method = system keytab
winbind offline logon = yes
# get quota command = /root/sambaquota.sh
#======================= Share Definitions =======================
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
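The configuration points Robert walks through above (enumeration switched off for a 13,000-user directory, idmap backend = hash, the FACULTY+user naming, and the kerberos method = system keytab login caveat), as an added example that is not part of the thread and not Samba project code: a small smb.conf parser plus a lint of the [global] winbind settings. The sample configuration embedded in it is constructed (modelled on the posted settings, with enumeration deliberately left on so the lint has something to report); the function names and the wording of the findings are this example's own.

```python
"""Parse an smb.conf and lint the winbind/AD settings discussed in the
thread.  Added example, not code from either poster or from the Samba
project; the sample configuration below is constructed."""
import re

# Constructed sample: modelled on the settings discussed in the thread,
# with enumeration deliberately left on so the lint has something to flag.
SAMPLE_SMB_CONF = """\
#======================= Global Settings =======================
[global]
   workgroup = ad
   realm = AD.LOCAL
   security = ADS
   idmap backend = hash
   winbind nss info = hash
   winbind use default domain = yes
   winbind separator = +
   winbind enum groups = yes
   winbind enum users = yes
   kerberos method = system keytab
   ; a line ending in a backslash continues on the next line
   passwd chat = *Enter\\snew\\s*\\spassword:* %n\\n \\
                 *Retype\\snew\\s*\\spassword:* %n\\n

[homes]
   browseable = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Handles '#' and ';' comments, blank lines, backslash line
    continuation, and the normalisation smbd applies to parameter
    names (case-insensitive, internal whitespace collapsed)."""
    # First pass: join continued lines into logical lines.
    logical, pending = [], None
    for raw in text.splitlines():
        if pending is not None:
            raw = pending + raw.lstrip()
            pending = None
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending = stripped[:-1]
            continue
        logical.append(raw)
    if pending is not None:
        logical.append(pending)

    # Second pass: sections and 'parameter = value' lines.
    sections, current = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text before the first section header
        name, _, value = line.partition("=")
        name = " ".join(name.lower().split())
        sections[current][name] = value.strip()
    return sections


def lint_global(cfg):
    """Return findings for [global] covering the thread's points:
    directory-wide enumeration, the idmap backend, and the
    'kerberos method = system keytab' login caveat."""
    g = cfg.get("global", {})

    def get(name, default=""):
        return g.get(name, default).strip().lower()

    findings = []
    if get("security") != "ads":
        findings.append("security = ADS is required for Active Directory "
                        "authentication")
    # Samba defaults both enumeration parameters to 'no'; an explicit
    # 'yes' makes winbind walk the whole directory (13,000+ users here).
    for name in ("winbind enum users", "winbind enum groups"):
        if get(name, "no") in TRUE_VALUES:
            findings.append(f"{name} = yes enumerates the whole directory; "
                            f"set it to no, per-user lookups still work")
    if get("idmap backend") != "hash":
        findings.append("idmap backend = hash keeps uid/gid mappings "
                        "consistent across machines on 3.4.x")
    if get("kerberos method") == "system keytab":
        findings.append("kerberos method = system keytab: interactive logins "
                        "without a Kerberos ticket may get no password prompt "
                        "(samba bug 6833); comment it out if you do not use "
                        "Kerberos for logins")
    return findings


def qualified_name(cfg, domain, user):
    """Name winbind expects for 'user' in 'domain' under this config:
    the bare name for the joined domain when 'winbind use default
    domain = yes', otherwise DOMAIN<separator>user (e.g. FACULTY+John_Doe)."""
    g = cfg.get("global", {})
    sep = g.get("winbind separator", "\\")
    own_domain = g.get("workgroup", "").lower()
    use_default = g.get("winbind use default domain", "no").lower() in TRUE_VALUES
    if use_default and domain.lower() == own_domain:
        return user
    return f"{domain}{sep}{user}"


if __name__ == "__main__":
    cfg = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in lint_global(cfg):
        print("-", finding)
    print(qualified_name(cfg, "FACULTY", "John_Doe"))
```

Run against a real /etc/samba/smb.conf by reading the file into parse_smb_conf; the lint only reads the parsed dictionary, so it never touches winbind or the domain controllers, which is the point when the concern is not issuing a 13,000-entry enumeration.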
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba