Hello, I have a small network and would like to add Samba to our environment. 
This is what I would like to accomplish:
- We have an ADS PDC (Windows 2000 Server)
- We have 27 workstations running Windows XP Pro

We have recently bought a new server, installed openSUSE 10.3 on it, and 
installed and configured Samba. Basically, we want to use the new Samba server 
as a data repository server. 

In the Windows environment we have 4 groups: Management, which has 4 users, 
Accounting, which has 5 users, Sales, which has 3 users, and Engineering, 
which has 15 users.

We would like the users in each group to have access only to the files for 
their corresponding group on the Samba server, i.e. accounting sees the 
accounting share only, etc. These groups are defined on the PDC ADS machine, 
not on the Samba server.

My question is: how do I configure the Samba server to inherit the groups 
defined on the Windows PDC ADS machine?

I include a copy of the /etc/samba/samba.conf file:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-12-04
[global]
        workgroup = NETSYS
        realm = NETSYSTEMSINFO.COM
        preferred master = no
        server string = Linux file server
        security = ADS
        encrypt passwords = yes
        log level = 3
        printcap name = cups
        printing = cups
        cups options = raw
        winbind enum users  = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind separator = +
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        #security = user
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = No
        domain master = No
        netbios name = cuzco
        usershare allow guests = No
        use kerberos keytab = true
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        template homedir = /home/%D/%U
        #winbind refresh tickets = yes
        password server     = arequipa.netsystemsinfo.com
        #winbind cache time  = 600
        allow trusted domains = yes

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[management]
        comment = Management files
        inherit acls = Yes
        path = /Management
        read only = No
        valid users = @Documentaries
        admin users = vmendez

[accounting]
        comment = Accounting  files
        inherit acls = Yes
        path = /Accounting
        read only = No
        valid users = @Movies
        admin users = vmendez

[sales]
        comment = Sales files
        inherit acls = Yes
        path = /Sales
        read only = No
        valid users = @Series
        admin users = vmendez
[ingeneering]
        comment = Ingeneering files
        inherit acls = Yes
        path = /Ingeneering
        read only = No
        valid users = @Series
        admin users = vmendez

## Share disabled by YaST
# [netlogon]
-------------------------------------------------------------------------------------------------------------------------
I also include a copy of my /etc/krb5.conf file:
[libdefaults]
        default_realm    = NETSYSTEMSINFO.COM
        dns_lookup_realm = false
        dns_lookup_kdc   = false
        ticket_lifetime  = 24h
        forwardable      = yes
        #clockskew = 300

[realms]
        NETSYSTEMSINFO.COM = {
        kdc = arequipa.netsystemsinfo.com
        admin_server = arequipa.netsystemsinfo.com
        default_domain = netsystemsinfo.com
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        #*.netsystemsinfo.com = NETSYSTEMSINFO.COM
        .kerberos.server    = NETSYSTEMSINFO.COM
        .netsystemsinfo.com = NETSYSTEMSINFO.COM

[appdefaults]
        pam = {
        ticket_lifetime = 36000
        renew_lifetime  = 36000
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
        krb4_convert   = false
}
-------------------------------------------------------------------------------------------------------------------------

The problem that we have is that users in the domain cannot log on to the 
Samba machine and browse their group shares. 

Any help will be appreciated. We are really trying to move away from Windows, 
and solving this could help us convince management that this is the way to 
go.

Victor

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
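
The following is an added example, not part of the original post: a Python check that reads the four group share sections of the smb.conf above and compares each share's `valid users` against an intended one-group-per-share policy, also listing `admin users` entries. The `POLICY` mapping and its group names are assumptions made for illustration (one domain group named after each share), and the parser assumes user and group names without spaces.

```python
# Added example; SAMPLE is excerpted from the share sections in the post.
SAMPLE = """\
[management]
        valid users = @Documentaries
        admin users = vmendez
[accounting]
        valid users = @Movies
        admin users = vmendez
[sales]
        valid users = @Series
        admin users = vmendez
[ingeneering]
        valid users = @Series
        admin users = vmendez
"""
# Assumed policy (hypothetical names): each share allows one group named like it.
POLICY = {name: name for name in ("management", "accounting", "sales", "ingeneering")}

def names(value):
    """Split a 'valid users'/'admin users' list; assumes names without spaces."""
    return [e.lstrip("@+&").lower() for e in value.replace(",", " ").split()]

def parse_shares(text):
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and repeated spaces
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def audit(shares, policy):
    findings, seen = [], {}
    for share, want in policy.items():
        params = shares.get(share, {})
        allowed = names(params.get("valid users", ""))
        if allowed != [want]:
            findings.append((share, f"valid users {allowed} != policy ['{want}']"))
        for group in allowed:
            if group in seen:  # same group opens two shares: no isolation
                findings.append((share, f"group '{group}' also opens [{seen[group]}]"))
            seen.setdefault(group, share)
        for user in names(params.get("admin users", "")):
            findings.append((share, f"admin user '{user}' gets root-level file access"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"[{s}] {m}" for s, m in audit(parse_shares(SAMPLE), POLICY)))
```

On the excerpt it reports that `@Series` is allowed on both [sales] and [ingeneering], and that `admin users` makes `vmendez` perform file operations as root on every share.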