Samba 4.6.5 Active Directory on CentOS


Samba 4.6.5 Active Directory on CentOS

Samba - General mailing list
I am using Jeff Bales' procedure for configuring SAMBA with Active Directory
https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/

When everything is all said & done everything seems to work, but I am
not able to configure home directories because the users don't have
local Linux accounts - I suspect I need to bind Linux's user table to
Active Directory, but cannot seem to make this happen. Any advice?

I am using this to add users:

samba-tool user create user P@ssrod4 --uid=user --uid-number=10001
--gid-number=100 --unix-home=/home/user --home-directory=/home/user
--login-shell=/bin/bash --gecos='user' --given-name=Happy --surname=User


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.6.5 Active Directory on CentOS

Samba - General mailing list
Follow these steps.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

On 1 Jul 2017 19:16, "John Schmerold via samba" <[hidden email]>
wrote:

> I am using Jeff Bales' procedure for configuring SAMBA with Active
> Directory
> https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/
>
> When everything is all said & done everything seems to work, but I am not
> able to configure home directories because the users don't have local Linux
> accounts - I suspect I need to bind Linux's user table to Active Directory,
> but cannot seem to make this happen. Any advice?
>
> I am using this to add users:
>
> samba-tool user create user P@ssrod4 --uid=user --uid-number=10001
> --gid-number=100 --unix-home=/home/user --home-directory=/home/user
> --login-shell=/bin/bash --gecos='user' --given-name=Happy --surname=User
>
>

Re: Samba 4.6.5 Active Directory on CentOS

Samba - General mailing list
On Sat, 1 Jul 2017 17:12:30 -0500
John Schmerold via samba <[hidden email]> wrote:

> I am using Jeff Bales' procedure for configuring SAMBA with Active
> Directory
> https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/
>
> When everything is all said & done everything seems to work, but I am
> not able to configure home directories because the users don't have
> local Linux accounts - I suspect I need to bind Linux's user table to
> Active Directory, but cannot seem to make this happen. Any advice?
>
> I am using this to add users:
>
> samba-tool user create user P@ssrod4 --uid=user --uid-number=10001
> --gid-number=100 --unix-home=/home/user --home-directory=/home/user
> --login-shell=/bin/bash --gecos='user' --given-name=Happy
> --surname=User
>
>

Not much wrong with that howto, as far as it goes, apart from this step:

mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Yes, you might want to make a copy of the original krb5.conf, but you
should do it after the provision and the krb5.conf it tells you to
copy is the wrong one. The last line is totally redundant anyway, it
tells you to copy the correct one after the provision.

Now for what is probably wrong with your DC:

The howto tells you to start Samba by just running 'samba'. Did this
actually work? Probably not, because 'samba' will be
in /usr/local/samba/sbin and this will not be in your path.

The howto also doesn't tell you that if you want to use a DC as a
fileserver, you need to create a few links for libnss_winbind.so.
Without these links, getent etc will not work and you need them to work
to have Unix users (and no, you cannot have users in /etc/passwd and
AD, same goes for groups).

See here for how to create the links:

https://wiki.samba.org/index.php/Libnss_winbind_Links

The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory'
and 'loginShell' attributes are ignored. Once you have 'getent'
working, you will find that all your users have their Unix home
directories set to '/home/DOMAIN/username' and their shell will be
'/bin/false', see here for how to fix this:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Finally, [homes] doesn't work on a DC, see here:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland


Re: Samba 4.6.5 Active Directory on CentOS

Samba - General mailing list
On 7/2/2017 3:30 AM, Rowland Penny via samba wrote:

> On Sat, 1 Jul 2017 17:12:30 -0500
> John Schmerold via samba <[hidden email]> wrote:
>
>> I am using Jeff Bales' procedure for configuring SAMBA with Active
>> Directory
>> https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/
>>
>> When everything is all said & done everything seems to work, but I am
>> not able to configure home directories because the users don't have
>> local Linux accounts - I suspect I need to bind Linux's user table to
>> Active Directory, but cannot seem to make this happen. Any advice?
>>
>> I am using this to add users:
>>
>> samba-tool user create user P@ssrod4 --uid=user --uid-number=10001
>> --gid-number=100 --unix-home=/home/user --home-directory=/home/user
>> --login-shell=/bin/bash --gecos='user' --given-name=Happy
>> --surname=User
>>
>>
> Not much wrong with that howto, as far as it goes, apart from this step:
>
> mv /etc/krb5.conf /etc/krb5.conf.bak
> cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
>
> Yes, you might want to make a copy of the original krb5.conf, but you
> should do it after the provision and the krb5.conf it tells you to
> copy is the wrong one. The last line is totally redundant anyway, it
> tells you to copy the correct one after the provision.
>
> Now for what is probably wrong with your DC:
>
> The howto tells you to start Samba by just running 'samba'. Did this
> actually work? Probably not, because 'samba' will be
> in /usr/local/samba/sbin and this will not be in your path.
>
> The howto also doesn't tell you that if you want to use a DC as a
> fileserver, you need to create a few links for libnss_winbind.so.
> Without these links, getent etc will not work and you need them to work
> to have Unix users (and no, you cannot have users in /etc/passwd and
> AD, same goes for groups)
>
> See here for how to create the links:
>
> https://wiki.samba.org/index.php/Libnss_winbind_Links
>
> The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory'
> and 'loginShell' attributes are ignored. Once you have 'getent'
> working, you will find that all your users have their Unix home
> directories set to '/home/DOMAIN/username' and their shell will be
> '/bin/false', see here for how to fix this:
>
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> Finally, [homes] doesn't work on a DC, see here:
>
> https://wiki.samba.org/index.php/User_Home_Folders
>
> Rowland
>
Thanks for the spot-on advice. Jeff Bales' procedure was a great start;
it needed a few tweaks. With the server fully functioning as a DC, I was
able to get homes working by adding this bit of magic to [homes]:

    root preexec = bash -c '[[ -d /home/%U ]] || mkdir -p -m 0700 /home/%U && chown %U:users /home/%U'

I have this configured in a VMWare environment, so there is no reason
not to setup a separate DC, but that will have to keep for another day.

John Schmerold
St Louis, MO


Re: Samba 4.6.5 Active Directory on CentOS

Samba - General mailing list
Greetings! Rowland Penny via samba
  on that day wrote...

[Sorry for the late post... I was very busy with other things!]

> The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory'
> and 'loginShell' attributes are ignored. Once you have 'getent'
> working, you will find that all your users have their Unix home
> directories set to '/home/DOMAIN/username' and their shell will be
> '/bin/false', see here for how to fix this:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

A-HA!

This is exactly my experience in migrating the domain from NT to AD
mode, and in the end I switched to sssd to have home and shell working
correctly (e.g., rfc2307 data).


> Finally, [homes] doesn't work on a DC, see here:
> https://wiki.samba.org/index.php/User_Home_Folders

Uh. So, practically speaking, does migrating an existing domain from NT
to AD require me to substantially modify the overall samba
configuration, or to split the server's domain in two, one running the
DC and the other as members?

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)


Re: Samba 4.6.5 Active Directory on CentOS

Samba - General mailing list
On Mon, 10 Jul 2017 15:26:01 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Greetings! Rowland Penny via samba
>   on that day wrote...
>
> [Sorry for the late post... I was very busy with other things!]
>
> > The howto also doesn't tell you that, on a DC, the
> > 'unixHomeDirectory' and 'loginShell' attributes are ignored. Once
> > you have 'getent' working, you will find that all your users have
> > their Unix home directories set to '/home/DOMAIN/username' and
> > their shell will be '/bin/false', see here for how to fix this:
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> A-HA!
>
> This is exactly my experience in migrating the domain from NT to AD
> mode, and in the end I switched to sssd to have home and shell working
> correctly (e.g., rfc2307 data).

You don't have to use sssd, you can use the template lines, but it does
mean that you have to use the same settings for all users.
 

>
>
> > Finally, [homes] doesn't work on a DC, see here:
> > https://wiki.samba.org/index.php/User_Home_Folders
>
> Uh. So, practically speaking, does migrating an existing domain from NT
> to AD require me to substantially modify the overall samba
> configuration, or to split the server's domain in two, one running the
> DC and the other as members?
>

Using two computers is the recommended way of doing it, but you can use
a DC as a fileserver, you just have to know the limitations.

Rowland
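
Rowland's two points about Unix users on a DC (winbind handing every user the '/home/DOMAIN/username' and '/bin/false' defaults, and the 'template' lines in smb.conf that override them for all users at once) can be checked with a script like the one below. It is an added example, not code from this thread or from the Samba project; the getent lines and smb.conf fragments it contains are constructed samples, and the '/home/DOMAIN/' heuristic assumes the default template homedir layout.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): audit a Samba AD DC that
# doubles as a fileserver for the symptoms Rowland describes. All sample data is constructed.

# Classify one "getent passwd" line (name:x:uid:gid:gecos:home:shell):
# "template-defaults" if it still shows the DC defaults (home under /home/DOMAIN/,
# shell /bin/false), "ok" otherwise, "malformed" if name or shell is missing.
audit_passwd_line() {
    IFS=: read -r name _ _ _ _ home shell <<EOF
$1
EOF
    if [ -z "$name" ] || [ -z "$shell" ]; then echo malformed; return; fi
    case "$home" in /home/*/*) echo template-defaults; return ;; esac
    if [ "$shell" = /bin/false ]; then echo template-defaults; else echo ok; fi
}

# Count how many lines on stdin still show the template defaults.
count_template_users() {
    n=0
    while IFS= read -r line; do
        if [ "$(audit_passwd_line "$line")" = template-defaults ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print the names of the two smb.conf overrides from the wiki page
# Configuring_Winbindd_on_a_Samba_AD_DC that are missing from the [global]
# section text on stdin; prints nothing when both are set.
missing_template_lines() {
    conf=$(cat)
    for p in shell homedir; do
        printf '%s\n' "$conf" | grep -Eiq "^[[:space:]]*template[[:space:]]+$p[[:space:]]*=" \
            || echo "template $p"
    done
}

# Constructed samples: two winbind users still on DC defaults, one local account,
# and an smb.conf [global] without and with the template lines.
sample_users='SAMDOM\happy:*:10001:100:Happy User:/home/SAMDOM/happy:/bin/false
SAMDOM\admin:*:10000:100:Administrator:/home/SAMDOM/admin:/bin/false
root:x:0:0:root:/root:/bin/bash'
weak_conf='[global]
   server role = active directory domain controller'
fixed_conf="$weak_conf
   template shell = /bin/bash
   template homedir = /home/%U"
```

Run it as `getent passwd | count_template_users` and `missing_template_lines < /etc/samba/smb.conf` on the DC once the libnss_winbind links are in place; a non-zero count together with missing template lines is the state Rowland describes.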
 

