The trouble with Windows Vista Home Premium is that it does not include the Local Users and Groups snap-in (lusrmgr.msc), and the ordinary User Accounts control panel only lets you change an account's display name. That makes it awkward to give a local account the logon name that network devices (other computers, e.g. file servers) expect, such as joeb, while keeping a "pretty name" such as "Joe Bloggs": the name the file server checks is the logon name, not the display name.
Solution: run Netplwiz.exe from system32 (also reachable as "control userpasswords2"). Its Properties dialog exposes the user name separately from the full name, so the logon name can be set to match what the server expects.
Thursday, October 21, 2010
Sunday, October 17, 2010
Samba / Winbind auth to ADS 2008 R2
I'd been having problems connecting CentOS 5.5 to an Active Directory 2008 R2 domain.
1) use the samba3x packages rather than the stock 3.0-series samba packages
Winbind would refuse to show entries in getent passwd, and Samba would not allow domain users access to shares. The problem was also visible in a packet trace: for example, Wireshark would decode STATUS_LOGON_FAILURE in the SMB transactions.
Anyway, it turns out that you MUST specify an "idmap config" for the domain! Otherwise the SID to UID/GID mappings fail and users cannot log in, even though the domain controller accepted their credentials.
2) set the per-domain "idmap config" options (the idmap config AD : backend and idmap config AD : range lines in the configuration below)
The resulting smb.conf looks like this (comment lines added; smb.conf does not support trailing comments, so they sit on their own lines):
[global]
; 0 = errors only; raise (e.g. log level = 3) while debugging mapping failures
log level = 0
; NetBIOS (short) domain name
workgroup = ad
password server = ad-box-1.ad.local ad-box-2.ad.local
; Kerberos realm, upper case
realm = AD.LOCAL
security = ads
encrypt passwords = yes
idmap uid = 1500-999999
idmap gid = 1500-999999
idmap backend = ad
; the two lines below are the ones that were missing: without a per-domain
; idmap config, winbind cannot map the domain's SIDs to UIDs/GIDs
idmap config AD : backend = ad
idmap config AD : range = 1500-999999
template shell = /bin/bash
; default; LDAP to AD is authenticated and sealed with Kerberos rather than LDAPS
ldap ssl ads = no
preferred master = no
local master = no
domain master = no
; domain users appear as "joeb" rather than "AD+joeb"
winbind use default domain = true
winbind offline logon = true
; take uid/gid, home and shell from the RFC 2307 attributes in AD
winbind nss info = rfc2307
; lets getent list domain users and groups; expensive on large domains
winbind enum users = yes
winbind enum groups = yes
; domain separator, so groups are written as AD+group below
winbind separator = +
server string = File server
[temp]
comment = samba test server tmp directory
path = /tmp
; @ prefix = group: only members of the domain Administrators group
valid users = @AD+Administrators
read only = No
writeable = Yes
guest ok = No
browseable = Yes
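To catch a missing per-domain block before restarting winbind, here is an added example written for this page (not code from the original post): a small POSIX sh/awk lint that pulls [global] parameters out of an smb.conf, checks that "idmap config WORKGROUP : backend" and "idmap config WORKGROUP : range" exist for the configured workgroup, and sanity-checks the range. The function names (smb_param, check_idmap, lint_conf_text) and the two embedded sample configs are constructions of this example; the samples reproduce the relevant lines of the configuration above, once with and once without the per-domain lines.

```shell
#!/bin/sh
# Added example, not code from the original post: lint an smb.conf for the
# per-domain "idmap config <DOMAIN> : ..." lines that winbind needs before it
# can map AD SIDs to UIDs/GIDs.  Function names are assumptions of this example.

# Print the value of one [global] parameter ("-" reads the config from stdin).
# Keys are normalised so that "idmap config AD : backend" and
# "idmap config AD:backend" compare equal, case-insensitively like Samba.
smb_param() {   # usage: smb_param <smb.conf|-> <parameter>
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/ ?: ?/, ":", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) print val
        }' "$1"
}

# Return 0 when [global] carries a backend and a sane range for the workgroup's
# domain, 1 otherwise.  One diagnostic per line on stdout.
check_idmap() {   # usage: check_idmap <smb.conf>
    conf=$1 rc=0
    wg=$(smb_param "$conf" workgroup)
    if [ -z "$wg" ]; then
        echo "FAIL: no workgroup in [global]"
        return 1
    fi
    backend=$(smb_param "$conf" "idmap config $wg:backend")
    range=$(smb_param "$conf" "idmap config $wg:range")
    if [ -z "$backend" ]; then
        echo "FAIL: no 'idmap config $wg : backend'; winbind cannot map SIDs for $wg"
        rc=1
    elif [ "$backend" = ad ]; then
        echo "INFO: backend ad maps only accounts whose AD objects carry uidNumber/gidNumber"
    fi
    if [ -z "$range" ]; then
        echo "FAIL: no 'idmap config $wg : range'"
        rc=1
    else
        case "$range" in
            *[0-9]-[0-9]*) lo=${range%%-*} hi=${range##*-} ;;
            *) lo= hi= ;;
        esac
        case "$lo$hi" in
            ""|*[!0-9]*)
                echo "FAIL: range '$range' is not LOW-HIGH"; rc=1 ;;
            *)
                if [ "$lo" -ge "$hi" ]; then
                    echo "FAIL: range '$range' is empty"; rc=1
                elif [ "$lo" -lt 1000 ]; then
                    echo "WARN: range starts below 1000 and may collide with local accounts"
                fi ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: idmap config for $wg: backend=$backend range=$range"
    fi
    return "$rc"
}

# Constructed samples: the working [global] from the post, trimmed to the lines
# the check cares about, and the same config without the per-domain lines.
working_conf() { cat <<'EOF'
[global]
   workgroup = ad
   realm = AD.LOCAL
   security = ads
   idmap backend = ad
   idmap config AD : backend = ad
   idmap config AD : range = 1500-999999
   winbind nss info = rfc2307
[temp]
   path = /tmp
EOF
}
broken_conf() { cat <<'EOF'
[global]
   workgroup = ad
   realm = AD.LOCAL
   security = ads
   idmap backend = ad
   idmap uid = 1500-999999
   idmap gid = 1500-999999
EOF
}

# Run check_idmap on the output of a config-producing function; returns its status.
lint_conf_text() {   # usage: lint_conf_text <function>
    tmp=$(mktemp) || return 2
    "$1" > "$tmp"
    check_idmap "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

echo "== working config =="; lint_conf_text working_conf
echo "== broken config ==";  lint_conf_text broken_conf || true
```

Against a real box, call check_idmap /etc/samba/smb.conf, then confirm the join and the mappings end to end with testparm -s, net ads testjoin, wbinfo -t, wbinfo -u and getent passwd (wbinfo -i DOMAIN+user shows the UID a single account resolves to). Note the INFO line: with backend = ad, winbind only maps accounts whose AD objects carry uidNumber and gidNumber, so a user without those attributes will still fail even with the per-domain lines in place.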