
List:       samba
Subject:    [Samba] Cooperation with the samba and the Windows ActiveDirectory
From:       satoshi takano via samba <samba () lists ! samba ! org>
Date:       2016-08-30 0:10:23
Message-ID: d78dc993-3c48-4488-a9d3-562eab69f22f () designet ! co ! jp

I'm Takano.

We would like to build a system such as the following, with Samba and Windows ActiveDirectory cooperating.

☆Samba

OS:CentOS7
Samba:(ver4.4.5)

☆Windows(ActiveDirectory)

OS:Windows Server 2003
※ The functional level has been raised from 2000 to 2003.

What we want to achieve is the following.

・Create a domain controller (samba.test) on the Samba server side.
・Set up a trust relationship with the domain controller on the Windows server side (ad.adtest). ※ The direction of the trust is Samba server → Windows server.
・Build a Windows Storage Server (Windows2012R2) as a file server and join it to the domain controller of the Samba server.
・Restrict access, etc. for users of both domain controllers on the Windows Storage Server side.
・We want both users joined to the domain controller of the Samba server and users joined to the domain controller of the Windows server to be able to access (log in to) the file server.

In the current situation, after trying various things, a user joined to the domain controller of the Samba server can access the file server, but a user joined to the domain controller of the Windows server cannot access the file server.
※ Access restrictions on the file server side can only be set for users of the Samba server.

What we have done is the following.

- Install Samba 4.4.5 on the Samba server
- Run the following command
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
   Realm [TEST]: samba.test
   Domain [samba]:
   Server Role (dc, member, standalone) [dc]:
   DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
   DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]:xxx.xxx.xxx.xxx
   Administrator password:xxxxxxx
   Retype password:xxxxxxx
- Start Samba
- Set the input direction of the trust relationship on the Windows server
- Set the output direction of the trust relationship from the Samba server by running the following command
/usr/local/samba/bin/samba-tool domain trust create ad.adtest --type=external --direction=outgoing -U administrator@xxx.adtest --create-location=local --ipaddress=xxx.xxx.xxx.xxx
- When we tried verifying the trust relationship, we were able to confirm on both the Windows server and the Samba server that it is established.

That is everything up to this point.
Create an adtest user on the Windows server.

When you run the following command, user information is displayed.
/usr/local/samba/bin/wbinfo --user-info AD\\adtest

Authentication (krb5) also passes when you run the following command.
/usr/local/samba/bin/wbinfo -K AD\\adtest%password

So at the winbind level, the user seems to be visible.

The global section of smb.conf is as follows.

[global]
          netbios name = HOSTNAME
          realm = SAMBA.TEST
          workgroup = SAMBA
          dns forwarder = xxx.xxx.xxx.xxx
          server role = active directory domain controller
          idmap_ldb:use rfc2307 = yes

It would be a great help if you could help us resolve this matter.

regards

