On Tue, 2011-07-19 at 14:34 -0400, Robert Freeman-Day wrote:
> On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:
> > Bruno Martins - GALILEU LISBOA wrote:
> >> Hello guys,
> >>
> >> I am setting up a Samba server (based on CentOS 5.6) at my company which
> >> will act as a print and file server. Also, it has dropbox installed.
> >>
> >> I have set up everything regarding CUPS and Samba itself, but I'm not
> >> able to integrate my shares with Active Directory.
> >>
> >> All I want is that access control to Samba shares is made through Active
> >> Directory users and their respective passwords, and not through
> >> Unix-style users and groups. Is this possible?
> >>
> >> Some configuration files:
> >>
> >> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
> >> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
> >> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
> >>
> >> Can someone please give me some light on this?
> >>
> >
> > A quick look shows a lack of an idmap setup in the smb.conf. You say
> > you are using CentOS 5.6, in which case I strongly recommend that you
> > use the samba3x packages over the plain samba packages if you are not
> > doing so already.
> >
> > Here is an example based on what I use with CentOS 5.6 using the samba3x
> > packages. Note that I have the rfc2307 information set in the AD for all
> > the users. I have a whole bunch of other options as well to do with
> > CTDB, GPFS and other bits and bobs as well. However these are not
> > relevant to getting it working.
> >
> > On the AD side you need to set the UID, home directory and primary group
> > in the Unix Attributes tab, and then in the Member Of tab you need to
> > add the user to the primary group that you set in the Unix Attributes
> > tab and make that their primary group. All the groups need a GID setting
> > in their Unix Attributes tab as well.
> >
> > The important thing about the idmap setting is that you must have a
> > plain tdb backend (or something else that is allocatable) and the range
> > must not overlap with the range for the domain or it does not work. Not
> > quite sure why that is, because in my setting all accounts exist in the
> > AD with appropriate Unix attributes. Took me ages to work that nugget of
> > information out.
> >
> > JAB.
> >
> > [global]
> > netbios name = nemo
> > security = ads
> > workgroup = CAMPUS
> > realm = CAMPUS.MYCORP.COM
> > password server = *
> > preferred master = no
> > encrypt passwords = yes
> > kerberos method = secrets only
> >
> > # deal with NSS and the whole UID/SID id mapping stuff
> > idmap backend = tdb
> > idmap uid = 2000000 - 2999999
> > idmap gid = 2000000 - 2999999
> > idmap config CAMPUS : backend = ad
> > idmap config CAMPUS : schema_mode = rfc2307
> > idmap config CAMPUS : readonly = yes
> > idmap config CAMPUS : range = 500 - 1999999
> > idmap cache time = 120
> > idmap negative cache time = 20
> > winbind nss info = rfc2307
> > winbind expand groups = 2
> > winbind nested groups = yes
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> > winbind offline logon = false
>
> You will also want to keep in mind some incompatibilities if your AD is
> pretty new (2008 or higher).
>
> See the following for more info:
> http://support.microsoft.com/kb/954387
> http://support.microsoft.com/kb/957441
>
> --
> Robert Freeman-Day
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
Good night Robert,

My Domain Controller is running Windows Server 2003 R2 x64, so I may not be affected by those bulletins.

By the way, thanks for noticing.

Best regards,

Bruno Martins

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
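The point Jonathan makes above (the default idmap backend must be one that can allocate IDs, and its range must not overlap the per-domain range) is easy to get wrong and testparm will not flag it for you. The following is an added example, not code from the thread or from the Samba project: a small Python checker that parses the [global] section of an smb.conf, accepts both the samba3x-era `idmap backend` / `idmap uid` / `idmap gid` form and the `idmap config * : backend` / `idmap config * : range` form, and reports a missing domain mapping, a non-allocating default backend, or an overlap between the default range and any `idmap config DOMAIN : range`. The two embedded config fragments are constructed samples modelled on the configuration posted above (the second deliberately overlapping), and the set of backends treated as "allocating" is an assumption of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the smb.conf fragment posted in the thread
# (default tdb range 2000000-2999999, domain CAMPUS range 500-1999999).
GOOD_CONF = """
[global]
   security = ads
   workgroup = CAMPUS
   realm = CAMPUS.MYCORP.COM
   idmap backend = tdb
   idmap uid = 2000000 - 2999999
   idmap gid = 2000000 - 2999999
   idmap config CAMPUS : backend = ad
   idmap config CAMPUS : schema_mode = rfc2307
   idmap config CAMPUS : range = 500 - 1999999
"""

# Constructed counter-example: the default range swallows the domain range.
BAD_CONF = """
[global]
   security = ads
   workgroup = CAMPUS
   idmap backend = tdb
   idmap uid = 1000 - 3000000
   idmap gid = 1000 - 3000000
   idmap config CAMPUS : backend = ad
   idmap config CAMPUS : range = 500 - 1999999
"""

Range = Tuple[int, int]

# Assumption of this example: backends that can hand out fresh IDs for SIDs
# that carry no Unix attributes (the "allocatable" backends of the thread).
ALLOCATING_BACKENDS = {"tdb", "tdb2", "ldap", "autorid"}


def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] parameters, keys lower-cased and normalised so that
    'idmap config CAMPUS : range' becomes 'idmap config campus:range'."""
    params: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        key = re.sub(r"\s+", " ", key)
        params[key] = value.strip()
    return params


def parse_range(value: str) -> Optional[Range]:
    """'500 - 1999999' -> (500, 1999999); None if the value is not a range."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def overlaps(a: Range, b: Range) -> bool:
    """True if the two inclusive ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(conf: str) -> List[str]:
    """Return the problems found in the idmap setup (empty list if it looks sane)."""
    p = parse_global(conf)
    issues: List[str] = []

    # 1. Default backend: samba3x 'idmap backend' or 'idmap config * : backend'.
    backend = p.get("idmap config *:backend") or p.get("idmap backend")
    if backend is None:
        issues.append("no default idmap backend configured")
    elif backend.lower() not in ALLOCATING_BACKENDS:
        issues.append(f"default idmap backend '{backend}' cannot allocate IDs")

    # 2. Default range(s): 'idmap config * : range' or the older 'idmap uid'/'idmap gid'.
    defaults: List[Tuple[str, Range]] = []
    for key in ("idmap config *:range", "idmap uid", "idmap gid"):
        r = parse_range(p.get(key, ""))
        if r:
            defaults.append((key, r))
    if not defaults:
        issues.append("no default idmap range configured")

    # 3. The joined domain needs its own backend, and no domain range may overlap a default.
    wg = p.get("workgroup", "").lower()
    if wg and f"idmap config {wg}:backend" not in p:
        issues.append(f"no 'idmap config {wg.upper()} : backend' for the joined domain")
    for key, value in p.items():
        m = re.fullmatch(r"idmap config ([^:*]+):range", key)
        if not m:
            continue
        dom_range = parse_range(value)
        if dom_range is None:
            issues.append(f"unparseable range for {key}: {value!r}")
            continue
        for dkey, drange in defaults:
            if overlaps(drange, dom_range):
                issues.append(f"{dkey} {drange} overlaps {key} {dom_range}")
    return issues


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against your real /etc/samba/smb.conf by reading the file into `check_idmap`; an empty result means the default range, the domain range and the backends are consistent with what is described above, which is a prerequisite for `wbinfo -u` and `getent passwd` returning AD users with stable UIDs.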
