Re: [Samba] debian 10: errors with my server samba-ad
- Date: Thu, 16 May 2019 15:39:45 +0200
- From: nathalie ramat via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] debian 10: errors with my server samba-ad
I have successfully integrated my Linux client into my domain.
My problem was that the Linux client was in a virtual machine under
Proxmox, and some ports seem to be blocked.
With a test on a machine under VirtualBox I managed to integrate my client
into my AD.
But I still have questions.
I put the directory of my user into unixHomeDirectory. How can I mount it
on my Linux client?
Is it possible to use this information with the pam_mount module?
I configured smb.conf on my client:
security = ads
workgroup = LENZSPITZE2
netbios name = clientlinux
winbind separator = /
# idmap uid = 0-50000
# idmap gid = 0-50000
idmap config * : backend= tdb
idmap config * : range =0-1000
winbind enum users = yes
winbind enum groups = yes
# idmap config LENZSPITZE :backend=rid
# idmap config LENZSPITZE :base_rid=0
idmap config LENZSPITZE2 : backend = ad
idmap config LENZSPITZE2 : schema_mode =rfc2307
idmap config LENZSPITZE2 : range = 10000-399999999
idmap config LENZSPITZE2 : unix_nss_info = yes
#template homedir = /etudiants/%U
#template shell = /bin/bash
encrypt passwords = yes
winbind nss info = rfc2307
kerberos method = secrets and keytab
winbind use default domain = yes
log file =/var/log/samba/log.%m
log level = 3
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
When I use mount -t cifs //namserver/test /etudiants/test -o
username=test,rw,file_mode=0700,dir_mode=0700,cifsacl, the directory
mounts, but I don't see the ACLs on the directory, while I see them on the server.
Thanks for your help.
On 14/05/2019 at 12:40, Rowland Penny via samba wrote:
On 14/05/2019 10:58, nathalie ramat wrote:
My user must be able to connect under windows and under linux. The
home is common. Their home is on the server.
This is easy
Then you MUST use the winbind 'ad' backend and set smb.conf to use the
info stored in AD.
Like there are students: they are identified by their formation
(group) and by their login,
for example /home/specifique/testlundi
                    /home/l1info/testmardi
For me the student belongs to a group, and I have created each group
and I take the last number of the group SID for gidNumber. It was to
find out which group he belonged to. Is it not a good idea?
Definitely not. SIDs start at '1000' and so do the Unix IDs; this
means that you cannot have any local Unix users. There is also the
problem of Domain Users: its RID is '513', and all your users and
groups must have Unix IDs (set by the uidNumber & gidNumber attributes in
AD) inside the range you set in smb.conf.
In my smb.conf on the server I put
    path = /home/%G/%U
    read only = no
Actually, I can't put my Linux client in my AD.
net ads join -S nameofserver -U administrator --> doesn't give any
response. It waits ...
You shouldn't need the '-S' option, so is your DNS set up correctly ?
Once you get everything working, remove the two lines above, you only
need them for testing purposes.
My Linux client smb.conf is
    security = ADS
    realm = LENZSPITZE2.CALAIS.FR
    workgroup = LENZSPITZE2
    netbios name = testbugsterl
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
    idmap config LENZSPITZE2 : backend = ad
    idmap config LENZSPITZE2 : schema_mode = rfc2307
    idmap config LENZSPITZE2 : range = 10000-399999999
Hmm, your lowest ID is probably the one from Domain Users, '513', which
is less than '10000'; this isn't going to work. I would change the
uidNumber & gidNumber attributes in AD to match the above range.
Remove the two lines above; for what you want to do, you must obtain
this information from AD.
    idmap config LENZSPITZE2 : unix_nss_info = yes
    template homedir = /etudiants/%U
    template shell = /bin/bash
    winbind nss info = rfc2307
You do not require the line above
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
    username map = /etc/samba/samba_usermapping
    winbind use default domain = yes
    log file = /var/log/samba/log.%m
    log level = 3
# for acl support on member servers with shares
    vfs object = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    winbind nss info = rfc2307
You still don't need the line above ;-)
Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux
Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
62228 CALAIS CEDEX
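The check Rowland describes above (every uidNumber/gidNumber in AD, including the one given to Domain Users, must fall inside the domain's 'idmap config ... : range', and that range must not overlap the '*' range) can be scripted before joining a client. This is an added example, not code from the thread or from Samba; the smb.conf fragment is modelled on the client config posted above, and the AD attribute values are constructed, not real data from that domain.

```python
import re

# Constructed smb.conf fragment, modelled on the client config in the thread.
SMB_CONF = """
[global]
   security = ads
   workgroup = LENZSPITZE2
   idmap config * : backend = tdb
   idmap config * : range = 0-1000
   idmap config LENZSPITZE2 : backend = ad
   idmap config LENZSPITZE2 : schema_mode = rfc2307
   idmap config LENZSPITZE2 : range = 10000-399999999
"""

# Constructed sample of uidNumber/gidNumber attributes as they might be read
# from AD (e.g. with ldbsearch/ldapsearch); values are made up for this example.
AD_OBJECTS = [
    {"name": "Domain Users", "gidNumber": 513},   # RID reused as gid, as in the thread
    {"name": "l1info", "gidNumber": 1105},
    {"name": "testlundi", "uidNumber": 10001, "gidNumber": 1105},
    {"name": "testmardi", "uidNumber": 10002, "gidNumber": 10100},
]

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def ranges_overlap(ranges):
    """True if any two configured idmap ranges share at least one ID."""
    spans = list(ranges.values())
    return any(a[0] <= b[1] and b[0] <= a[1]
               for i, a in enumerate(spans) for b in spans[i + 1:])

def check_ids(objects, ranges, domain):
    """List (name, attribute, value) for IDs the 'ad' backend would refuse to map."""
    low, high = ranges[domain.upper()]
    return [(o["name"], attr, o[attr]) for o in objects
            for attr in ("uidNumber", "gidNumber")
            if attr in o and not low <= o[attr] <= high]

if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("overlapping ranges:", ranges_overlap(r))
    for name, attr, val in check_ids(AD_OBJECTS, r, "LENZSPITZE2"):
        print(f"{name}: {attr}={val} outside range {r['LENZSPITZE2']}")
```

Every object the script reports must have its attribute moved into the configured range (or the range widened) before winbind will resolve it on the client.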