Homes - Samba
1. Kerberos
Let's assume that your Windows server has a VPN IP address 10.20.1.1, and we want it to mount user home folders from our CentOS server. Edit /etc/krb5.conf:
[realms]
...
OURDOM.LOCAL = {
    kdc = 10.20.1.1:88
    admin_server = 10.20.1.1:749
    default_domain = ourdom.local
}
[domain_realm]
...
.ourdom.local = OURDOM.LOCAL
ourdom.local = OURDOM.LOCAL
Check:
$ kinit winadmin@OURDOM.LOCAL
Password: our_pass
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winadmin@OURDOM.LOCAL
Valid starting Expires Service principal
05/12/08 23:22:52 05/13/08 09:24:00 krbtgt/OURDOM.LOCAL@OURDOM.LOCAL
renew until 05/13/08 23:22:52
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
$ kdestroy
2. Join domain
Edit /etc/samba/smb.conf using the attached file as a reference.
Start samba at boot and restart it:
chkconfig smb on
service smb restart
chkconfig winbind on
service winbind restart
For samba 3.3 you will additionally need:
chkconfig nmb on
service nmb restart
Temporarily add winsrv.ourdom.local to /etc/hosts as 10.20.1.1 (net ads join needs to resolve the name of the domain controller).
Join the domain:
$ kinit winadmin@OURDOM.LOCAL
Password: our_pass
$ net ads join -Uwinadmin
winadmin's password: пароль
Using short domain name -- OURDOM
Joined 'SRV' to realm 'OURDOM.LOCAL'
How to debug:
net -d9 ads info
net ads lookup
If the Windows server and the Samba host are on different networks, Samba must announce its presence to Windows with UDP unicast rather than broadcast:
remote announce = 10.20.1.1
remote browse sync = 10.20.1.1
3. Unix to Windows ID map
Edit /etc/nsswitch.conf:
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
Edit smb.conf:
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind separator = +
winbind nss info = rfc2307
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind cache time = 10
idmap cache time = 10
idmap backend = ad
idmap config:default = yes
idmap config:schema_mode = rfc2307
idmap config:range = 10000-19999
idmap alloc backend = rid
idmap alloc config:range = 20000-29999
idmap alloc config:base_rid = 1000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
This instructs winbind/samba to first ask AD for the user's ID (Windows 2003 R2 RFC 2307 schema attributes) and, if AD has none, to allocate a new ID from the RID-based range.
It seems that only idmap_rid provides real user enumeration.
How to test:
wbinfo -u
wbinfo -g
wbinfo -i vandreev
wbinfo -i winadmin
How to debug:
service winbind stop
winbindd -i -S -Y -d10 -n
^C
See the idmap_ad, idmap_nss and idmap_ldap man pages and the idmap alloc backend parameter in smb.conf(5).
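Before restarting winbind it is worth checking that the ID ranges above cannot collide: if the AD-provided range and the RID-allocated range overlap, two different Windows SIDs can end up owning the same UNIX uid, which silently breaks file permissions on the home shares. The following checker is an added example, not code from the original page; the smb.conf fragment is constructed from the settings above and LOCAL_UID_MIN is an assumed value for the CentOS host.

```python
import re
# Constructed sample: the range-related idmap settings from this page, one per line.
SAMPLE_SMB_CONF = """\
[global]
idmap uid = 10000-30000
idmap gid = 10000-30000
idmap backend = ad
idmap config:default = yes
idmap config:schema_mode = rfc2307
idmap config:range = 10000-19999
idmap alloc backend = rid
idmap alloc config:range = 20000-29999
idmap alloc config:base_rid = 1000
"""

RANGE_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(\d+)\s*-\s*(\d+)\s*$")  # 'key = low-high'
LOCAL_UID_MIN = 1000  # assumed UID_MIN of the CentOS host (see /etc/login.defs)


def parse_ranges(conf_text):
    """Return {parameter: (low, high)} for every range-valued parameter."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_ranges(conf_text):
    """Return a list of problems; an empty list means the ranges are consistent."""
    r = parse_ranges(conf_text)
    needed = ("idmap uid", "idmap gid", "idmap config:range", "idmap alloc config:range")
    problems = [f"missing range: {k}" for k in needed if k not in r]
    if problems:
        return problems
    for key, (lo, hi) in r.items():
        if lo > hi:
            problems.append(f"{key}: low end {lo} is above high end {hi}")
        if lo < LOCAL_UID_MIN:
            problems.append(f"{key}: starts below local UID_MIN {LOCAL_UID_MIN}")
    ad, alloc = r["idmap config:range"], r["idmap alloc config:range"]
    # Two different SIDs must never map to one uid/gid: AD and RID ranges must not overlap.
    if ad[0] <= alloc[1] and alloc[0] <= ad[1]:
        problems.append("idmap config:range overlaps idmap alloc config:range")
    # Both per-backend ranges must lie inside the global idmap uid/gid windows.
    for key in ("idmap config:range", "idmap alloc config:range"):
        for glob in ("idmap uid", "idmap gid"):
            if r[key][0] < r[glob][0] or r[key][1] > r[glob][1]:
                problems.append(f"{key} is outside {glob}")
    return problems
```

Run check_idmap_ranges() on the [global] section of your real smb.conf; an empty list means the ranges are disjoint and inside the global window.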