Sunday, October 17, 2010

Samba / Winbind auth to ADS 2008 R2

I'd been having problems connecting CentOS 5.5 to an Active Directory 2008 R2 domain.

1) use the samba3x packages instead of the stock samba packages that ship with CentOS 5.5

Winbind would refuse to show entries in getent passwd, and Samba would not allow domain users access to shares. There were problems observable in a packet trace: for example, Wireshark would decode STATUS_LOGON_FAILURE in SMB transactions.

It turns out that you MUST specify an "idmap config" entry for the domain. Otherwise the UID/GID mappings fail, winbind cannot resolve domain users to local accounts, and those users cannot log in. Two things to check when you add it: the domain name in "idmap config <DOMAIN> : ..." is the short (workgroup/NetBIOS) name, not the Kerberos realm, and the ad backend used below takes the UID and GID from the account's uidNumber/gidNumber attributes in AD, so an account without those attributes, or with values outside the configured range, will still not be mapped.

2) add "idmap config" options for the domain

The resulting configuration looks like this:

[global]
log level = 0

# Short (NetBIOS) domain name. The "idmap config" lines below must use this
# name, not the realm.
workgroup = ad
password server = ad-box-1.ad.local ad-box-2.ad.local
realm = AD.LOCAL
security = ads
encrypt passwords = yes

# Default idmap range and backend (older syntax). On its own this was not
# enough; the per-domain "idmap config" lines below are what fixed the mapping.
idmap uid = 1500-999999
idmap gid = 1500-999999
idmap backend = ad

# Per-domain idmap config: without these, UID/GID mapping for domain users fails.
# The ad backend reads uidNumber/gidNumber from AD, so only accounts that carry
# those attributes, with values inside this range, get mapped.
idmap config AD : backend = ad
idmap config AD : range = 1500-999999

template shell = /bin/bash

ldap ssl ads = no

preferred master = no
local master = no
domain master = no

# Lets users log in as "user" instead of "AD+user"
winbind use default domain = true
winbind offline logon = true
# Take home directory and shell from the RFC2307 attributes in AD rather than
# the template settings
winbind nss info = rfc2307
# Needed for "getent passwd" / "getent group" to list domain accounts;
# lookups of individual names work without it
winbind enum users = yes
winbind enum groups = yes
winbind separator = +

server string = File server


[temp]
comment = samba test server tmp directory
path = /tmp
# Members of the domain Administrators group only; "+" is the winbind separator set above
valid users = @AD+Administrators
# "writeable = Yes" and "read only = No" are the same setting; one of them is enough
read only = No
writeable = Yes
guest ok = No
browseable = Yes
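As an added example (not code from the original post or from the Samba project), here is a small Python lint that parses the [global] section of an smb.conf and flags the idmap mistakes discussed above: a missing "idmap config <DOMAIN> : backend" or ": range" for the workgroup, an "idmap config" keyed on the wrong domain name (the realm instead of the short name), an unusable range, and "winbind enum users" left off (which is why getent passwd lists nothing even when mapping works). BROKEN_CONF is a constructed config resembling the pre-fix state; GOOD_CONF is the [global] section from this post.

```python
"""Lint an smb.conf for the winbind idmap misconfigurations described above.

Added example, not code from the original post or the Samba project. Only the
[global] section is examined, since that is where the idmap settings live.
"""
import re
from typing import Dict, List

# Constructed for this example: joined to the domain, but no per-domain idmap config.
BROKEN_CONF = """
[global]
workgroup = ad
realm = AD.LOCAL
security = ads
winbind nss info = rfc2307
"""

# The post's working [global] section (share definitions omitted; they do not matter here).
GOOD_CONF = """
[global]
workgroup = ad
password server = ad-box-1.ad.local ad-box-2.ad.local
realm = AD.LOCAL
security = ads
idmap uid = 1500-999999
idmap gid = 1500-999999
idmap backend = ad
idmap config AD : backend = ad
idmap config AD : range = 1500-999999
winbind use default domain = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
"""


def _norm_key(key: str) -> str:
    """Samba parameter names are case-insensitive and whitespace-tolerant:
    'idmap config AD : range' and 'idmap config ad:range' are the same key."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return re.sub(r"\s*:\s*", ":", key)


def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] section as {normalised key: value}; later keys win."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[_norm_key(key)] = value.strip()
    return params


def check_idmap(conf: str) -> List[str]:
    """Return a list of findings; an empty list means the idmap setup looks sane."""
    g = parse_global(conf)
    findings: List[str] = []
    domain = g.get("workgroup", "").lower()
    if not domain:
        return ["no 'workgroup' set; winbind does not know which domain to map"]
    label = domain.upper()

    # "idmap config" must be keyed on the short domain name; the realm is a common mistake.
    for key in g:
        m = re.fullmatch(r"idmap config ([^:]+):\w+", key)
        if m and m.group(1) not in (domain, "*"):
            msg = f"'idmap config {m.group(1).upper()}' does not match workgroup '{label}'"
            if msg not in findings:
                findings.append(msg)

    backend = g.get(f"idmap config {domain}:backend", "").lower()
    rng = g.get(f"idmap config {domain}:range", "")
    if not backend:
        findings.append(f"missing 'idmap config {label} : backend' (UID/GID mapping will fail)")
    if not rng:
        findings.append(f"missing 'idmap config {label} : range' (UID/GID mapping will fail)")
    else:
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
        if not m:
            findings.append(f"'idmap config {label} : range = {rng}' is not LOW-HIGH")
        else:
            low, high = int(m.group(1)), int(m.group(2))
            if low >= high:
                findings.append(f"idmap range {rng} is empty (low >= high)")
            elif low < 1000:
                findings.append(f"idmap range {rng} starts below 1000: check it does not "
                                "collide with local accounts (CentOS 5 creates them from UID 500)")

    # Without enumeration, 'getent passwd' shows no domain users even when mapping works.
    if g.get("winbind enum users", "").lower() not in ("yes", "true", "1"):
        findings.append("'winbind enum users' is not enabled: 'getent passwd' will not "
                        "list domain users (individual lookups still work)")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        print(f"{name}: {check_idmap(conf) or ['ok']}")
```

The lint only catches what is visible in the file. On the real box, confirm the join and the mapping with net ads testjoin, wbinfo -t, wbinfo -u and getent passwd; if wbinfo -u lists users but getent passwd does not, the problem is on the idmap/NSS side rather than the join.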
