zelycorn 05-11-2011 02:52 AM

samba: how to synchronize AD users & groups with Samba users & groups

I am looking for the best way to make a Samba server provide shared network files, as the Windows Server branches currently do.

I have a RH5 server bound to an AD with ADS security level.

Samba3x is currently installed.

I have a test shared folder. How should I proceed to get the best security and to use AD users and groups for granting access?

I have read a lot of docs but so far I can't choose one because I don't know if the selected one will answer my issue.

I know that the main element to fix is the password for Samba users. In fact, everything relies on synchronization.

Here is my smb.conf file:

#======================= Global Settings =====================================
# section header assumed; it is missing from the pasted file
[global]
workgroup = FORMATION
winbind separator = +
realm = FORMATION.*.FR
server string = Samba Server Version %v
security = ADS
#disable netbios = yes
#log level = 3 passdb:5 auth:10 winbind:10
log file = /var/log/samba/samba.%m
max log size = 25000
preferred master = no
local master = no
allow trusted domains = yes
# NOTE: "idmap config *" is defined twice below; Samba keeps the last
# definition, so the 1000 - 100000000 range is never used.
idmap config *:backend = rid
idmap config *:base_rid = 0
idmap config *:range = 1000 - 100000000
idmap config *:backend = rid
idmap config *:base_rid = 0
idmap config *:range = 100000001 - 200000000
idmap config FORMATION:backend = rid
idmap config FORMATION:base_rid = 0
idmap config FORMATION:range = 200000001 - 300000000
idmap uid = 1000-300000000
idmap gid = 1000-300000000
template homedir = /home/%D/%U
template shell = /bin/bash
client NTLMv2 auth = Yes
ntlm auth = No
interfaces = eth0
bind interfaces only = True
invalid users = root @wheel
# Disable printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# share section header assumed from the posts (the "test" share on /home/test)
[test]
writeable = yes
invalid users = root,@wheel
path = /home/test
guest ok = yes

zelycorn 05-11-2011 04:13 AM

I can access the test share with an AD account without a password. How to synchronize the Samba user password and the AD user password? How to provide NTLM transparent login to access Samba shares?

zelycorn 05-11-2011 04:32 AM

So, I can access the test shared folder with NTLM support :) I've just deactivated the "No password" for the user. Now, how to deploy this change to all the Samba users (coming from AD)?

zelycorn 05-12-2011 01:53 AM

LDAP is used to allow domain users access to the Linux server.

Can I mix LDAP and winbind to keep access and to share folders with domain groups?

zelycorn 05-12-2011 03:38 AM

I can mix LDAP auth and winbind.

But I still can't share the folder with an AD security group.

# share section header assumed from the posts (the "test" share on /home/test)
[test]
browseable = yes
writeable = yes
create mask = 700
directory mask = 700
path = /home/test
# valid users=@domain users

If I uncomment valid users, and with many other combinations like @domain+domain users or @domain+"domain users" or @"domain users", users can't access the test shared folder.

zelycorn 05-12-2011 09:15 AM

So I'm OK with valid users = @"DOMAIN+Domain Users". The Domain Users value could be any of the security groups in AD.
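A configuration check for the pitfalls this thread works through: a share with `guest ok = yes` (reachable with no password, as in the second post), a share with no `valid users` group restriction, and the `idmap config *` block defined twice in the posted smb.conf. This is an added example, not the poster's code; the smb.conf inside it is a constructed sample modelled on the posted file.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the poster's smb.conf (not their actual file).
SAMPLE_SMB_CONF = """[global]
security = ADS
winbind separator = +
idmap config *:range = 1000 - 100000000
idmap config *:range = 100000001 - 200000000
idmap config FORMATION:range = 200000001 - 300000000

[test]
path = /home/test
writeable = yes
guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Return (section, problem) pairs for the pitfalls seen in the thread."""
    conf, findings = parse_smb_conf(text), []
    # The same domain's idmap range set twice: smbd silently keeps the last one.
    seen = defaultdict(int)
    for key, _ in conf.get("global", []):
        dom = re.match(r"idmap config (\S+):range$", key)
        if dom:
            seen[dom.group(1)] += 1
    findings += [("global", f"idmap range for '{d}' set {n} times")
                 for d, n in seen.items() if n > 1]
    shares = {n: dict(i) for n, i in conf.items() if n != "global"}  # last value wins
    for name, opts in shares.items():
        if opts.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append((name, "guest ok = yes: no password needed to connect"))
        if "valid users" not in opts:
            findings.append((name, "no 'valid users': not restricted to an AD group"))
    return findings
```

Setting `guest ok = no` and `valid users = @"FORMATION+Domain Users"` on the share, the form the last post arrived at, clears both share findings; the duplicated idmap block still has to be fixed by hand.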

