1) use the samba3x packages
Without it, winbind showed no domain entries in getent passwd, and Samba would not let domain users onto the shares. The failure was visible in a packet trace: for example, Wireshark decoded STATUS_LOGON_FAILURE in the SMB responses.
Anyway, it turns out that you MUST specify an "idmap config
2) use idmap config
The resulting smb.conf looks like this:
[global]
    # Samba 3.x (samba3x) member server joined to the AD.LOCAL forest
    log level = 0
    workgroup = ad
    password server = ad-box-1.ad.local ad-box-2.ad.local
    realm = AD.LOCAL
    security = ads
    encrypt passwords = yes
    # default (catch-all) idmap range; later Samba releases spell this
    # "idmap config * : range" instead
    idmap uid = 1500-999999
    idmap gid = 1500-999999
    idmap backend = ad
    # per-domain idmap config: mandatory, otherwise winbind returns no
    # mappings for AD users. The ad backend reads uidNumber/gidNumber
    # from the directory (rfc2307 attributes) rather than allocating IDs
    idmap config AD : backend = ad
    idmap config AD : range = 1500-999999
    template shell = /bin/bash
    # no TLS on winbind's LDAP queries to the DCs. The bind is still
    # Kerberos; use "client ldap sasl wrapping = sign" or "seal" to
    # protect the query traffic itself
    ldap ssl ads = no
    preferred master = no
    local master = no
    domain master = no
    # strip the "AD+" prefix from user and group names
    winbind use default domain = true
    winbind offline logon = true
    winbind nss info = rfc2307
    # enumeration is what makes "getent passwd" list domain users;
    # it is expensive on large domains, so disable it once verified
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    server string = File server

[temp]
    comment = samba test server tmp directory
    path = /tmp
    # domain group; "+" is the winbind separator set above
    valid users = @AD+Administrators
    # "read only = No" and "writeable = Yes" are the same setting
    read only = No
    writeable = Yes
    guest ok = No
    browseable = Yes
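The missing per-domain "idmap config" lines are easy to overlook in a long [global] section, so here is an added example (my code, not from the post or the Samba project) that lints an smb.conf for the settings the post found mandatory: security = ads, a workgroup and realm, and both "idmap config DOMAIN : backend" and "idmap config DOMAIN : range" for the configured workgroup, with the range in LOW-HIGH form. The function name check_idmap_config and the sample configs are constructed for the example; GOOD_CONF is trimmed from the post's working configuration and MISSING_CONF is the "before" state with the per-domain lines removed.

```python
"""Lint an smb.conf for the winbind/idmap settings a Samba 3.x AD member needs.

Added example, not code from the post. check_idmap_config() and the sample
configs below are assumptions made for illustration.
"""
import configparser
import re

# Constructed sample: trimmed from the post's working [global] section.
GOOD_CONF = """
[global]
    workgroup = ad
    realm = AD.LOCAL
    security = ads
    idmap uid = 1500-999999
    idmap gid = 1500-999999
    idmap backend = ad
    idmap config AD : backend = ad
    idmap config AD : range = 1500-999999
    winbind use default domain = true
    winbind nss info = rfc2307

[temp]
    path = /tmp
    valid users = @AD+Administrators
"""

# Constructed "before" state: the same file without the per-domain idmap lines.
MISSING_CONF = "\n".join(l for l in GOOD_CONF.splitlines() if "idmap config" not in l)

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_KEY_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\S+)$", re.I)


def load_smb_conf(text):
    """Parse smb.conf: '=' is the only delimiter (keys contain ':'),
    no %-interpolation (smb.conf uses %U, %m, ...), duplicates tolerated."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    return cp


def parse_range(value):
    """'LOW-HIGH' -> (low, high); None if malformed or LOW >= HIGH."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def idmap_settings(section, dom):
    """Collect 'idmap config <dom> : <key>' options, tolerant of case and spacing."""
    out = {}
    for key, value in section.items():
        m = IDMAP_KEY_RE.match(key.strip())
        if m and m.group(1).lower() == dom:
            out[m.group(2).lower()] = value.strip()
    return out


def check_idmap_config(text):
    """Return a list of findings; an empty list means the config passes."""
    cp = load_smb_conf(text)
    if not cp.has_section("global"):
        return ["no [global] section"]
    g = cp["global"]
    findings = []
    if g.get("security", "user").strip().lower() != "ads":
        findings.append("security must be 'ads' for winbind to use AD")
    dom = g.get("workgroup", "").strip().lower()
    if not dom:
        return findings + ["workgroup (short domain name) is missing"]
    if not g.get("realm", "").strip():
        findings.append("realm is missing; required with security = ads")
    per_dom = idmap_settings(g, dom)
    label = f"idmap config {dom.upper()}"
    if "backend" not in per_dom:
        findings.append(f"missing '{label} : backend'")
    if "range" not in per_dom:
        findings.append(f"missing '{label} : range'")
    elif parse_range(per_dom["range"]) is None:
        findings.append(f"bad '{label} : range' value {per_dom['range']!r} "
                        "(want LOW-HIGH, LOW < HIGH)")
    # the catch-all range must be well-formed too
    for key in ("idmap uid", "idmap gid"):
        val = g.get(key)
        if val is not None and parse_range(val) is None:
            findings.append(f"bad '{key}' value {val!r}")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("missing", MISSING_CONF)):
        print(name, check_idmap_config(conf) or "OK")
```

Run it against the real file with check_idmap_config(open("/etc/samba/smb.conf").read()); it complements testparm, which accepts a file that is syntactically fine but lacks the per-domain idmap lines.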