Thanks for the answer.

So net join ads works fine

Here is my smb.conf :

[global]

   workgroup = DDCS67
   security = ADS
   realm = DDCS67.INTRA
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

[test]
   path = /samba/test
   read only = no

nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

After starting smbd/nmbd/winbindd, I run this:
* /samba/bin/wbinfo -t works fine
* /samba/bin/wbinfo -u gets the domain users
* /samba/bin/wbinfo -g gets the domain groups
* getent passwd gets local AND AD users
* getent group gets local AND AD groups

Next step is to set ACLs.
setfacl with an AD group or user works well on the domain member. Looks good!

From an XP, I go to the share \\ddcs67-imp\test and create subdirectories and files without any problem !

Next I would like to manage the share security through the ADTools.

I see the DDCS67-IMP in the "Computers" OU.

The share "test" is available and I can get the properties. I add an AD group in the security options. The group is resolved and appears in the list. When I validate the box I get this error: Access Denied

Is it normal? Must the ACL on a domain member be set on the member?

Regards

On 11/02/2013 22:51, Andrew Bartlett (via Internet) wrote:
On Mon, 2013-02-11 at 16:54 +0100, BOTZ Franck (Informaticien) - DDT
67/SG/MGI/CI wrote:
Hi !

I have installed a DC with samba-tool command and it works perfectly !

Control AD with the 2003 tools is very amazing, thanks for the job !

So, my next step is to install a file server as a member of the AD and
not as a DC

I read this one carefully:
https://wiki.samba.org/index.php/Samba4/Domain_Member

Compiling samba :

    * ./configure --with-ads --with-shared-modules=idmap_ad --enable-debug --enable-selftest --prefix=/samba

First of all, why --with-ads? Is it not the default feature?

It is, but what this changes is that the compile will fail (prompting
you to install some development headers, typically) if the right things
are not found.  This is very helpful, and long ago I promised to make
that the default behaviour.  Sadly I never got around to it.

    * make
    * make install

The krb5.conf was filled with this:

[logging]
       default = FILE:/var/log/krb5libs.log
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log

[libdefaults]
       default_realm = DDCS67.INTRA
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       forwardable = yes

[appdefaults]
       pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
       }

What is appsection? It is not necessary in a DC which is sharing a
directory. But why not.

After that , the smb.conf

I was wondering whether the smb.conf must be filled in by hand. For the DC,
running the samba-tool command will generate a smb.conf. Before doing this I
searched the options of samba-tool and I found this:

samba-tool domain join DDCS67  --realm=DDCS67.intra -U Administrator
Password for [WORKGROUP\Administrator]:
Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)

Fine, the domain is joined! And the server appears as a Computer in the
MMC. Good!

Let's run /samba/sbin/samba

The logs are:
At this time the 'samba' binary should only be used for either: 'server
role = active directory domain controller' or to access the ntvfs file
server with 'server services = +smb' or the rpc proxy with 'dcerpc
endpoint servers = remote'
You should start smbd/nmbd/winbindd instead for domain member and
standalone file server tasks

Is it me, or did I read that ntvfs is deprecated?

So I run the /samba/sbin/smbd, but with no smb.conf the server does not start

Testparm gives me:
Load smb config files from /samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:OpenConfFile() - Unable to open configuration file
"/samba/etc/smb.conf":

Can I generate a valid smb.conf for a member with samba-tool?

I do apologise for this not being as integrated as you would expect.
I'm very proud of the new level of ease of use found in 'samba-tool' and
in the AD DC configuration.  Sadly while this command will successfully
join you to the domain, it does not currently generate the smb.conf.

You don't need much, just set:

[globals]
  server role = domain member
  workgroup = DDCS67
  realm = DDCS67.intra

BTW, while I've hooked up 'samba-tool' to work, the advertised command
for joining a domain member is 'net ads join'.  We are working to
consolidate the code, but currently it is a different codebase.  From my
understanding however, it also will not generate the smb.conf.

I hope this helps, and feel free to file a bug as fixing this should not
be difficult.

Andrew Bartlett
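
A small lint for the identity-mapping part of a member smb.conf like the one posted in this thread (an added example, not part of the thread and not Samba code): it flags `idmap config` domain labels that are neither `*` nor the `workgroup` value, and ID ranges that overlap. `SAMPLE`, `parse_global` and `lint_idmap` are names made up for this example.

```python
import re

# Constructed sample: the identity-mapping lines of the smb.conf posted above.
SAMPLE = """\
[global]
   workgroup = DDCS67
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000
"""

IDMAP_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\S+)$", re.I)

def parse_global(text):
    """Return (options, {idmap domain: {option: value}}) for [global]."""
    opts, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP_KEY.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                opts[" ".join(key.lower().split())] = value
    return opts, idmap

def lint_idmap(text):
    """Flag idmap domains that are neither '*' nor the workgroup, and overlapping ranges."""
    opts, idmap = parse_global(text)
    workgroup = opts.get("workgroup", "").upper()
    findings, ranges = [], []
    for dom, cfg in sorted(idmap.items()):
        if dom not in ("*", workgroup):
            findings.append(f"idmap domain {dom} does not match workgroup {workgroup}")
        if "range" in cfg:
            low, high = (int(n) for n in cfg["range"].split("-"))
            ranges.append((low, high, dom))
    ranges.sort()
    for (_, high1, dom1), (low2, _, dom2) in zip(ranges, ranges[1:]):
        if low2 <= high1:
            findings.append(f"idmap ranges of {dom1} and {dom2} overlap")
    return findings

if __name__ == "__main__":
    for finding in lint_idmap(SAMPLE):
        print(finding)
```

On the constructed sample it reports the `SHORTDOMAINNAME` label, which differs from `workgroup = DDCS67`; the two ranges do not overlap.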
