On 23/12/2012 03:31, Carlos R. Pena Evertsz wrote:
Hi Pieter,
I need to do the same, join an Ubuntu 12.04 samba server to an existing
Win2k3.
Could you post an example of the shares configuration (users and group
read and write permissions) to be used in your example of a samba
server as a domain member?
Thanks.
Carlos Pena
Santo Domingo, Dominican Republic
On 12/21/2012 5:36 PM, Pieter De Wit wrote:
On 18/12/2012 10:47, Andrew Bartlett wrote:
On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
Hi list,
I have tried with all my might to get a samba3 server (Ubuntu
12.04.1 LTS) to join a Windows 2003 domain as a member server,
without any luck. I have used, from memory, the official way of
doing this (aka, from the samba.org website). No matter what
settings I use in smb.conf, the server always joins as a domain
controller. This doesn't seem to break the domain however. All I
am after is that my users do not need to enter a username/password
for access from a domain PC to shares on my Linux box.
Any pointers please or is this intended as the server does single
sign?
If you can list exactly the steps you took, we might be able to help.
But to answer your question: Yes, Samba will happily join Windows 2003
as a domain member. The key command is 'net ads join'.
Andrew Bartlett
Hi Andrew,
Sorry for the delay in my reply, things have been hectic closing down
for the holidays. In a nutshell, here is what I do/did:
1) apt-get install samba winbind krb5-user
2) Configure smb.conf as per :
[global]
workgroup = WORK
realm = WORK.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
# winbind enum users = Yes
# winbind enum groups = Yes
# winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 2000-20000
idmap gid = 2000-20000
template shell = /bin/bash
veto files = lost+found
3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL
[realms]
WORK.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL
4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
6) Join the domain : net ads join -U <my_admin_account>
7) kinit <my_admin_account>
From then, users can connect to the shares on the server using Single
Sign On. The "issue" is that if I look under my Active Directory, the
server will state that it is a "Domain Controller". Running the usual
DC Info tools they seem to think the domain is ok. I would prefer to
have the server say Member server, rather than DC :)
I would like to send you a screenshot of what "Active Directory Users
and Computers" shows but this will be hard to do remotely.
Thanks,
Pieter
P.S. Good work on the AD integration btw, I am using the above for
Squid as well and it's pretty neat ! :)
Hi Carlos,
My shares are created like normal shares. The only part that changes is
the ref to Domain users. They are "WORK+<USERNAME>", using a previous
naming setup, my user account would be as follows:
WORK+dewitp
So I could have something like:
[dump]
comment=Data Dump
read only=no
browseable=yes
path=/srv/exports/dump
valid users=WORK+user1,WORK+user2
I also noted that if you have ext4 (haven't tried the rest) and you
create user permissions on a folder, it is added as extended attribs -
WELL DONE SAMBA ! :)
HTH,
Pieter
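
An added example, not part of the original thread and not Samba project code: a small Python check for share definitions like the one above. Samba ignores a parameter name it does not recognise, so a misspelled user-list line restricts nobody; this script flags near-miss names and shares left without a "valid users" list. The function names and the sample shares are constructed for illustration.

```python
import difflib

# User/group list parameters from smb.conf(5), stored without whitespace
# because smbd ignores case and whitespace in parameter names.
ACL_KEYS = ["validusers", "invalidusers", "readlist", "writelist"]

def parse_shares(text):
    """Map each section name to {normalised parameter name: value}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return (share, issue, detail) tuples for shares lacking a user restriction."""
    conf, findings = parse_shares(text), []
    inherited = "validusers" in conf.get("global", {})  # [global] sets share defaults
    for share, params in conf.items():
        if share == "global":
            continue
        for key in params:
            near = difflib.get_close_matches(key, ACL_KEYS, n=1, cutoff=0.85)
            if near and key not in ACL_KEYS:
                findings.append((share, "unknown-parameter", key + " -> " + near[0]))
        if "validusers" not in params and not inherited:
            findings.append((share, "no-valid-users", params.get("path", "")))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
[global]
workgroup = WORK
winbind separator = +
[dump]
path = /srv/exports/dump
read only = no
valid user = WORK+user1,WORK+user2
[reports]
path = /srv/exports/reports
read only = no
valid users = WORK+user1,WORK+user2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running testparm against the real smb.conf reports unknown parameters as well; the script adds the per-share view of which exports end up without a user list.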