LinuxQuestions.org

Linux - Server: smb.conf snf idmap configuration for DC and member server (https://www.linuxquestions.org/questions/linux-server-73/smb-conf-snf-idmap-configuration-for-dc-and-member-server-4175626767/)

bktpl 04-01-2018 04:54 AM

smb.conf and idmap configuration for DC and member server
 
Hi guys, please help me with the configuration I should make for a DC and member server, to use UIDs, GUIDs and all other parameters from AD.

I am not sure what I should have in smb.conf. Currently I have two smb.conf files on the DC1 server. The first is in /usr/local/samba/etc/smb.conf:
Code:

[root@dc1 ~]# vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = DC1
        realm = sub.domain.com
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = domain
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config DOMAIN:unix_nss_info = yes

#builtin accounts and groups
#idmap config * : backend = tdb
#idmap config * : range = 3000-7999

#domain domain
#idmap config domain:backend = ad
#idmap config domain:schema_mode = rfc2307
#idmap config domain:range = 15000-999999
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/sub.domain.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

The second one is in /etc/samba/smb.conf:
Code:

[root@dc1 ~]# vim /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = DOMAIN
        netbios name= DC1.sub.domain.com
        security = user
        log file= /var/log/samba/%U.log
        path = /etc/samba/smb.conf
        template shell = /bin/bash

        passdb backend = ldapsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775

I am not really sure what idmap records I should use here; by default, when I was installing my AD, I did not know that I could decide this and that I SHOULD plan it.
I have only one user, administrator, so changing it should not be a problem now. Also I use passdb backend = ldapsam here and I think it's OK.

On the second server, named vsfiles, I have only one smb.conf (and only samba and winbindd should be installed, I think):
Code:

[root@vsfiles ~]# vim /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = sub.domain.com
        security = ADS
        realm = sub.domain.com
        passdb backend = tdbsam
        #passdb backend = ldapsam
        #idmap config * :

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775

Please tell me what I should use here, especially on the vsfiles machine (domain-joined machine; it looks like it is in the domain, but I can't start winbindd and can't use wbinfo commands).

As I understand it, I should use passdb backend = ldapsam for vsfiles, but I don't know how to change the range of idmaps on both servers. Thanks for the help.

Both machines are CentOS 7 on VirtualBox.

Edit:
I forgot about one thing. As I read, the default idmap numbers for a domain should begin from 10000. When I check my domain admin account it is a very big number, something like 1996xxxxx. Is it normal?

Is there a way to move the created account from 1000 to another number?

bktpl 04-01-2018 02:42 PM

Is this normal:
Code:

getent passwd DOMAIN\\administrator
administrator@sub.domain.com:*:1996200500:1996200513:Administrator:/home/administrator@sub.domain.com:/bin/bash

Should I modify /etc/login.defs or not?
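Both posts turn on the same question: which idmap ranges are configured, whether they overlap, and whether a UID such as the 1996200500 shown by getent falls inside any of them. The script below is an added example (not from the thread, not Samba's own tooling) that parses only the "idmap config DOMAIN : option = value" lines of an smb.conf, reports missing, inverted or overlapping ranges, and says which configured range a given UID belongs to. The sample config is constructed from the ranges the poster had commented out (3000-7999 for "*", 15000-999999 for the domain); it does not handle include directives or %-macros, and the domain name DOMAIN is the poster's placeholder.

```python
"""Check idmap ranges in an smb.conf for overlaps and locate a UID in them.

Added example, not from the LinuxQuestions thread and not part of Samba.
Only the 'idmap config DOMAIN : option = value' lines in [global] are
parsed; comment lines ('#' or ';') are skipped, so commented-out ranges
like the poster's are not treated as configured.
"""
import re

# Constructed sample in the poster's layout; the ranges come from the post.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = DOMAIN
        security = ADS
        realm = sub.domain.com
        # builtin accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # domain users from AD (rfc2307 attributes)
        idmap config DOMAIN : backend = ad
        idmap config DOMAIN : schema_mode = rfc2307
        idmap config DOMAIN : range = 15000-999999
"""

# Constructed counter-example: the default range runs into the domain range.
OVERLAP_SMB_CONF = """\
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-20000
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:range = 15000-999999
"""

_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for idmap config lines in [global]."""
    result = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = _IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()
            result.setdefault(dom, {})[m.group("opt").lower()] = m.group("val")
    return result


def parse_range(value):
    """Parse 'low-high' into (low, high); raise ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"bad idmap range: {value!r}")
    return int(m.group(1)), int(m.group(2))


def check_idmap(conf_text):
    """Return a list of problem strings; an empty list means the ranges look sane."""
    problems = []
    idmap = parse_idmap(conf_text)
    if "range" not in idmap.get("*", {}):
        problems.append("no 'idmap config * : range' (default domain) defined")
    ranges = {}
    for dom, opts in idmap.items():
        if "backend" in opts and "range" not in opts:
            problems.append(f"{dom}: backend set but no range")
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low >= high:
                problems.append(f"{dom}: range {low}-{high} is inverted or empty")
            ranges[dom] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # pairwise overlap test; winbind ranges must be disjoint
        for b in doms[i + 1:]:
            la, ha = ranges[a]
            lb, hb = ranges[b]
            if la <= hb and lb <= ha:
                problems.append(f"ranges overlap: {a} {la}-{ha} and {b} {lb}-{hb}")
    return problems


def range_for_uid(conf_text, uid):
    """Return the idmap domain whose configured range contains uid, else None."""
    for dom, opts in parse_idmap(conf_text).items():
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low <= uid <= high:
                return dom
    return None


if __name__ == "__main__":
    print("sample:", check_idmap(SAMPLE_SMB_CONF) or "no problems")
    print("overlap:", check_idmap(OVERLAP_SMB_CONF))
    # The UID from the poster's getent output lies in none of these ranges.
    print("1996200500 ->", range_for_uid(SAMPLE_SMB_CONF, 1996200500))
```

A UID that falls outside every configured winbind range, as 1996200500 does here, is not being allocated from those ranges at all, which is the first thing to establish before editing them; on the DC the poster's rfc2307 settings route lookups through a different path than the member server's "idmap config" blocks, so the two machines should be checked separately.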

