I eventually got it working with the following configuration, in case any googlers find it helpful.
I wrote it all down here on this wiki http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba just so I would not forget until tomorrow. :) It's in Swedish but all the configuration files are recognizable. I'm not sure about many of the options, like idmap backend, so I will investigate them in the morning when I write a proper installation manual, just to remove things I don't need.

2013/6/23 Stefan Midjich <[email protected]>

> My goal is to share a CIFS volume from Linux, to Windows clients, using Samba 3.6 and only authenticate users over AD.
>
> I do not want one local Linux user for each AD user, in other words. I want all users connecting to CIFS to use one shared local user for FS operations. So the CIFS share will be owned by one local user that all AD users will use when they use the CIFS volume.
>
> Is this possible in Samba 3.6?
>
> I ask because I can't make heads nor tails of the documentation. I've managed to piece together a winbind/krb5 configuration that allows me to do the following.
>
> * Get a Kerberos token from the Windows 2008 AD server (not R2)
> * net ads join my Linux host into the Windows 2008 AD
> * List users and groups in the AD using wbinfo, and getent -s winbind
>
> But whenever I try to log in to my share from a Windows server in the same AD, it says the user "is invalid on this system". Unless I keep a local user matching that same AD sAMAccountName as the user logging in.
>
> Here is my current smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> server string = %h server
> security = ads
> allow trusted domains = no
> local master = no
> domain master = no
> interfaces = eth0 10.221.111.51/24
> bind interfaces only = yes
> log level = 0 auth:10 smb:10
> log file = /var/log/samba/log.%m
> max log size = 1000
> #syslog only = no
> syslog = 0
> load printers = no
> printing = bsd
> printcap name = /etc/printcap
>
> # Bug #8676 workaround
> idmap config * : backend = tdb
> idmap config * : range = 2000-4999
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000-49999
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> encrypt passwords = yes
> valid users = @"Domain Users"
>
> [www]
> comment = HTML share
> path = /var/www/website.domain.local
> valid users = share
> writable = yes
> force user = share
> force group = share
> force directory mode = 0775
> force create mode = 0664
>
> Here is my current krb5.conf
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> ticket_lifetime = 24000
> clock-skew = 300
>
> [realms]
> DOMAIN.LOCAL = {
> kdc = DC02.DOMAIN.LOCAL:88
> admin_server = DC02.DOMAIN.LOCAL:464
> default_domain = DOMAIN.LOCAL
> }
>
> [domain_realm]
> .DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
> DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
>
> There are several DCs but I picked one because the docs I was reading made it seem like you had to pick one for Kerberos.
>
> The machine is using the DC DNS so all domains involved here, all the DCs, the machine's domain, the clients, can be resolved. However, I have despite this added some domains to /etc/hosts.
>
> 127.0.0.1 webb04.domain.local webb04
> 10.221.111.51 webb04.domain.local webb04
>
> 10.221.111.16 DC02.DOMAIN.LOCAL DC02
>
> 10.221.111.10 DOMAIN.LOCAL
>
> My /etc/resolv.conf reflects the AD setup in the network.
>
> domain domain.local
> search domain.local
> nameserver 10.221.111.10
> nameserver 10.221.111.16
>
> With this configuration on Debian Wheezy I can run kinit to get a token using an AD administrator account.
>
> Then I can run net ads join -U Administrator and enter the same account's password, to join the domain.
>
> After that I can run wbinfo -u to list all users in the Windows AD servers. I can also run getent -s winbind passwd username to see information for that user like this.
> stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false
>
> Of course this is meta information, that user does not exist on my Linux server. At least that is my understanding.
>
> --
> Hälsningar / Greetings
>
> http://Stefan.Midjich.name

--
Hälsningar / Greetings
http://Stefan.Midjich.name
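Added example, not code from this thread or from the Samba project: a small Python lint for an smb.conf in the shape quoted above. It parses the file, reports a share whose share-level valid users names only its own force user (a share-level valid users replaces the global @"Domain Users" rather than adding to it, so only that local account can connect to the share), and flags idmap config ranges that overlap. The embedded sample config is constructed and only mirrors the relevant lines of the quoted one.

```python
import re

# Constructed sample in the shape of the smb.conf quoted above; not the poster's full file.
SAMPLE_SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 2000-4999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-49999
valid users = @"Domain Users"
[www]
valid users = share
force user = share
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys lower-cased, inner spaces normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def effective_valid_users(conf, share):
    """A share-level 'valid users' replaces the [global] default instead of extending it."""
    return conf.get(share, {}).get("valid users", conf.get("global", {}).get("valid users", ""))

def lint(text):
    """Return findings for the two misconfigurations this lint knows about."""
    conf, findings = parse_smb_conf(text), []
    for share in (s for s in conf if s != "global"):
        vu, fu = effective_valid_users(conf, share), conf[share].get("force user")
        names = [n.strip('"') for n in vu.replace(",", " ").split()]
        if fu and names == [fu]:
            findings.append(f"[{share}]: 'valid users = {vu}' admits only local account '{fu}'; AD users are refused")
    # winbind wants idmap ranges that do not overlap: sort by low end, compare neighbours.
    ranges = sorted(
        (int(v.split("-")[0]), int(v.split("-")[1]), k.split()[2])
        for k, v in conf.get("global", {}).items()
        if re.match(r"idmap config \S+ : range$", k))
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for '{d1}' ({lo1}-{hi1}) and '{d2}' ({lo2}-{hi2}) overlap")
    return findings
```

Running lint(SAMPLE_SMB_CONF) reports the [www] share; dropping its share-level valid users line makes the global group apply again and the finding disappears.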
