-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:
> Bruno Martins - GALILEU LISBOA wrote:
>> Hello guys,
>>
>> I am setting up a Samba server (based on CentOS 5.6) at my company which
>> will act as a print and file server. Also, it has dropbox installed.
>>
>> I have set up everything regarding CUPS and Samba itself, but I'm not
>> able to integrate my shares with Active Directory.
>>
>> All I want is that access control to Samba shares is made through Active
>> Directory users and their respective passwords, and not through
>> Unix-style users and groups. Is this possible?
>>
>> Some configuration files:
>>
>> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
>> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
>> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>>
>> Can someone please give me some light on this?
>>
>
> A quick look shows a lack of an idmap setup in the smb.conf. You say
> you are using CentOS 5.6, in which case I strongly recommend that you
> use the samba3x packages over the plain samba packages if you are not
> doing so already.
>
> Here is an example based on what I use with CentOS 5.6 using the samba3x
> packages. Note that I have the rfc2307 information set in the AD for all
> the users. I have a whole bunch of other options as well to do with
> CTDB, GPFS and other bits and bobs as well. However these are not
> relevant to getting it working.
>
> On the AD side you need to set the UID, home directory and primary group
> in the Unix Attributes tab, and then in the Member Of tab you need to
> add the user to the primary group that you set in the Unix Attributes
> tab and make that their primary group. All the groups need a GID setting
> in their Unix Attributes tab as well.
>
> The important thing about the idmap setting is that you must have a
> plain tdb backend (or something else that is allocatable) and the range
> must not overlap with the range for the domain or it does not work. Not
> quite sure why that is because in my setting all accounts exist in the
> AD with appropriate Unix attributes. Took me ages to work that nugget of
> information out.
>
>
> JAB.
>
>
> [global]
>         netbios name = nemo
>         security = ads
>         workgroup = CAMPUS
>         realm = CAMPUS.MYCORP.COM
>         password server = *
>         preferred master = no
>         encrypt passwords = yes
>         kerberos method = secrets only
>
>         # deal with NSS and the whole UID/SID id mapping stuff
>         idmap backend = tdb
>         idmap uid = 2000000 - 2999999
>         idmap gid = 2000000 - 2999999
>         idmap config CAMPUS : backend = ad
>         idmap config CAMPUS : schema_mode = rfc2307
>         idmap config CAMPUS : readonly = yes
>         idmap config CAMPUS : range = 500 - 1999999
>         idmap cache time = 120
>         idmap negative cache time = 20
>         winbind nss info = rfc2307
>         winbind expand groups = 2
>         winbind nested groups = yes
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind refresh tickets = yes
>         winbind offline logon = false
>

You will also want to keep in mind some incompatibilities if your AD is
pretty new (2008 or higher). See the following for more info:

http://support.microsoft.com/kb/954387
http://support.microsoft.com/kb/957441

- --
________
Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4lzhgACgkQup357T5MfTZlEACgnzh2dDdLA/NImyeKAtSmNwp+
YakAmwU54AxIcvpDyBBKB9INYQ4p0J+F
=5w+q
-----END PGP SIGNATURE-----
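The one rule Jonathan's reply insists on is that the default allocating idmap range (idmap uid / idmap gid, or idmap config * : range on newer Samba) must not overlap the per-domain range, and that a default range must exist at all. The checker below is an added example, written for this thread and not part of Samba or of anything posted in it; it parses the [global] section of an smb.conf with a small hand-written parser (not Samba's own loadparm), collects every idmap range, and reports overlaps and a missing default range. The SMB_CONF_OK input reproduces the idmap lines from the quoted config; SMB_CONF_BAD is a constructed variant with the overlap the thread warns about.

```python
import re

# Constructed sample input: the idmap-related part of the [global] section
# Jonathan posted, with the ranges exactly as they appear in the thread.
SMB_CONF_OK = """
[global]
   netbios name = nemo
   security = ads
   workgroup = CAMPUS
   realm = CAMPUS.MYCORP.COM
   # deal with NSS and the whole UID/SID id mapping stuff
   idmap backend = tdb
   idmap uid = 2000000 - 2999999
   idmap gid = 2000000 - 2999999
   idmap config CAMPUS : backend = ad
   idmap config CAMPUS : schema_mode = rfc2307
   idmap config CAMPUS : readonly = yes
   idmap config CAMPUS : range = 500 - 1999999
"""

# Constructed variant reproducing the mistake the thread warns about: the
# default allocating uid range now overlaps the CAMPUS range.
SMB_CONF_BAD = SMB_CONF_OK.replace("idmap uid = 2000000 - 2999999",
                                   "idmap uid = 1000 - 2999999")

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(text):
    """Return the [global] section as {normalised key: value}.

    smb.conf parameter names are case-insensitive and tolerate arbitrary
    whitespace, so keys are lowercased and inner whitespace collapsed
    ("idmap config CAMPUS : range" -> "idmap config campus : range").
    Comments are whole lines starting with '#' or ';'.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(value):
    """Parse 'LOW - HIGH' into (low, high); reject malformed or inverted ranges."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError("malformed idmap range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("inverted idmap range: %r" % value)
    return low, high


def idmap_ranges(params):
    """Split idmap ranges into the default (allocating) ones and per-domain ones."""
    default, domains = [], []
    for key, value in params.items():
        if key in ("idmap uid", "idmap gid", "idmap config * : range"):
            default.append((key, parse_range(value)))
        elif re.match(r"^idmap config \S+ : range$", key):
            domains.append((key, parse_range(value)))
    return default, domains


def overlaps(a, b):
    """True if the inclusive integer ranges a and b share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(text):
    """Return a list of problems found in the idmap setup; an empty list means it passes."""
    params = parse_global(text)
    problems = []
    if params.get("security", "").lower() == "ads" and "realm" not in params:
        problems.append("security = ads but no realm is set")
    default, domains = idmap_ranges(params)
    if not default:
        problems.append("no default (allocating) idmap range: set idmap uid/gid "
                        "or idmap config * : range")
    # Every per-domain range must be disjoint from every default range.
    for dkey, (dlo, dhi) in domains:
        for kkey, (klo, khi) in default:
            if overlaps((dlo, dhi), (klo, khi)):
                problems.append("%s %d-%d overlaps %s %d-%d"
                                % (dkey, dlo, dhi, kkey, klo, khi))
    return problems


if __name__ == "__main__":
    for name, conf in (("posted config", SMB_CONF_OK),
                       ("overlapping variant", SMB_CONF_BAD)):
        found = check_idmap(conf)
        print(name + ":", "OK" if not found else "; ".join(found))
```

Run it against a real file by passing open("/etc/samba/smb.conf").read() to check_idmap. It only inspects the ranges; after fixing the file, testparm and a `getent passwd` / `wbinfo -i` lookup of an AD user are still the confirmation that winbind actually resolves the rfc2307 attributes.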
