TurnKey Linux Virtual Appliance Library

Windows Active Directory users on File Server appliance

Hi, sorry for my newbie question, but is it possible to use Windows AD users on the File Server appliance?

Thanks and regards.

Alon Swartz:

dump of my notes on this issue

According to the Samba documentation, Samba cannot "interact with Windows DC's in the same domain".

But, looking through my notes I have managed to join an Active Directory domain in the past; unfortunately I don't recall in what capacity the connection works. Below is a dump of my notes in the hope that they can help, but I cannot provide much support on this issue.

Good luck!

joining active directory
------------------------
resources
'''''''''
resources for setting up samba+kerberos -> AD
    http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member...
    https://help.ubuntu.com/community/ActiveDirectoryHowto
    https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

dependencies
''''''''''''
    apt-get install winbind
    apt-get install krb5-user
    apt-get install ntpdate

files to configure
''''''''''''''''''
note: uppercase matters!

/etc/hosts
    1.0.0.63     ad.example.com     ad

/etc/krb5.conf
    [libdefaults]
        default_realm = EXAMPLE.COM
    [realms]
        EXAMPLE.COM = {
        kdc = ad.example.com
        }
    [domain_realm]
        .example.com = EXAMPLE.COM

/etc/samba/smb.conf
    [global]
        workgroup = EXAMPLE                 # required when joining domain
        realm = EXAMPLE.COM
        preferred master = no
        security = ADS
        encrypt passwords = yes
        password server = ad.example.com    # shouldn't be req.
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        client use spnego = yes             # win2003 requires SMB signing

/etc/hosts
    1.0.0.1 nas.example.com nas

/etc/nsswitch.conf
    first 3 lines are most important, others vary according to the system
    passwd:     compat winbind
    group:      compat winbind
    shadow:     compat
    hosts:      files dns wins
    networks:   files dns

sync time with AD
'''''''''''''''''
kerberos is dependent on "the clock"; it's recommended to sync with the active directory
    ntpdate ad.example.com

gotcha: on win2ksrv the ntp server is disabled (use regedit)
    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
    Value Name: LocalNTP
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = disabled, 1 = enabled)

tips:
    - timezones are calculated, including daylight saving
    - ntp is 123/udp
    - win2ksrv will deny NTP service if its clock hasn't synced with a
      NTP server in a while
        net (stop|start) w32time
        net time /setsntp:pool.ntp.org
    - ntpdate -d (debug)

restarting services
'''''''''''''''''''
i found that winbind must be started before samba
    but the docs say the opposite...

authenticate using kerberos
'''''''''''''''''''''''''''
    kinit Administrator@EXAMPLE.COM

join the domain
'''''''''''''''
    net ads join -U Administrator -S ad.example.com

- it's recommended to change the Administrator password on win2k after
  first joining (regenerates the kerberos settings or something, not
  sure...)

testing
'''''''
    # smbclient -k -L nas.example.com
    # wbinfo -u
    EXAMPLE+administrator
    EXAMPLE+guest
    EXAMPLE+tsinternetuser
    EXAMPLE+iusr_ad
    EXAMPLE+iwam_ad
    EXAMPLE+krbtgt
    # wbinfo -g
    BUILTIN+administrators
    BUILTIN+users
    EXAMPLE+domain computers
    EXAMPLE+domain controllers
    EXAMPLE+schema admins
    EXAMPLE+enterprise admins
    EXAMPLE+cert publishers
    EXAMPLE+domain admins
    EXAMPLE+domain users
    EXAMPLE+domain guests
    EXAMPLE+group policy creator owners
    EXAMPLE+dnsupdateproxy
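The three things that silently break the procedure in the notes above are a lowercase realm, a krb5.conf realm that does not match smb.conf, and a clock that drifts past the Kerberos skew tolerance. The script below is an added example (not code from the post, from TurnKey or from Samba) that checks those offline before touching the domain, then drives the same kinit / net ads join sequence when invoked with "run". Assumptions: the script name adjoin-preflight.sh is hypothetical, the config paths are the Debian defaults, the 300 s tolerance is the MIT krb5 clockskew default, and the sample configs embedded for the self-test are constructed, not captured from a real host.

```shell
#!/bin/sh
# adjoin-preflight.sh (hypothetical name): offline consistency checks for the
# krb5.conf / smb.conf / nsswitch.conf trio before "kinit" and "net ads join".
# Added example, not code from the original post. Assumptions: Debian default
# paths and a 300 s skew tolerance (MIT krb5 default "clockskew").

# Print the value of "key = value" for key $2 in config text $1 (first match,
# trailing "# comment" stripped); prints nothing if the key is absent.
conf_get() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' |
        head -n 1
}

# True when $1 is non-empty and already uppercase: Kerberos realm names are
# case-sensitive and AD realms are the DNS domain in upper case.
is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# smb.conf [global]: realm uppercase, NetBIOS workgroup set, security = ADS.
check_smb_conf() {
    local realm workgroup security rc=0
    realm=$(conf_get "$1" realm)
    workgroup=$(conf_get "$1" workgroup)
    security=$(conf_get "$1" security | tr '[:lower:]' '[:upper:]')
    is_upper "$realm" || { echo "smb.conf: realm must be set and UPPERCASE (got '$realm')" >&2; rc=1; }
    [ -n "$workgroup" ] || { echo "smb.conf: workgroup must be set" >&2; rc=1; }
    [ "$security" = ADS ] || { echo "smb.conf: security must be ADS (got '$security')" >&2; rc=1; }
    return $rc
}

# krb5.conf: default_realm must equal the smb.conf realm ($2) and name a kdc.
check_krb5_conf() {
    local default_realm kdc rc=0
    default_realm=$(conf_get "$1" default_realm)
    kdc=$(conf_get "$1" kdc)
    [ "$default_realm" = "$2" ] || { echo "krb5.conf: default_realm '$default_realm' != smb.conf realm '$2'" >&2; rc=1; }
    [ -n "$kdc" ] || { echo "krb5.conf: no kdc entry" >&2; rc=1; }
    return $rc
}

# nsswitch.conf: passwd and group must consult winbind, otherwise wbinfo -u
# lists the users but getent passwd (and so file ownership) never sees them.
check_nsswitch() {
    local db rc=0
    for db in passwd group; do
        printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" ||
            { echo "nsswitch.conf: '$db:' line lacks winbind" >&2; rc=1; }
    done
    return $rc
}

# Kerberos rejects tickets when client and KDC clocks differ by more than the
# skew tolerance. $1 = local epoch seconds, $2 = DC epoch seconds.
MAX_SKEW=300
skew_ok() {
    local d
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# Constructed sample inputs mirroring the notes (not captured from a real host).
SAMPLE_SMB_CONF='[global]
        workgroup = EXAMPLE                 # required when joining domain
        realm = EXAMPLE.COM
        security = ADS
        winbind separator = +'
SAMPLE_SMB_CONF_BAD='[global]
        workgroup = EXAMPLE
        realm = example.com
        security = user'
SAMPLE_KRB5_CONF='[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
        kdc = ad.example.com
        }'
SAMPLE_NSSWITCH='passwd:     compat winbind
group:      compat winbind
shadow:     compat'
SAMPLE_NSSWITCH_BAD='passwd:     compat
group:      compat'

# Self-test on the samples: returns 0 when the good configs pass and the bad
# ones are rejected.
selftest() {
    check_smb_conf "$SAMPLE_SMB_CONF" &&
    ! check_smb_conf "$SAMPLE_SMB_CONF_BAD" 2>/dev/null &&
    check_krb5_conf "$SAMPLE_KRB5_CONF" "$(conf_get "$SAMPLE_SMB_CONF" realm)" &&
    check_nsswitch "$SAMPLE_NSSWITCH" &&
    ! check_nsswitch "$SAMPLE_NSSWITCH_BAD" 2>/dev/null &&
    skew_ok 1000 1200 && ! skew_ok 1000 1400
}

# Online part, only when invoked as "adjoin-preflight.sh run ad.example.com":
# check the live files, query the DC's clock, then join and verify with
# Samba's own "net ads testjoin" and "wbinfo -t".
main() {
    local dc="$1" smb krb nss realm
    smb=$(cat /etc/samba/smb.conf); krb=$(cat /etc/krb5.conf); nss=$(cat /etc/nsswitch.conf)
    realm=$(conf_get "$smb" realm)
    check_smb_conf "$smb" && check_krb5_conf "$krb" "$realm" && check_nsswitch "$nss" || return 1
    # -q only queries; no answer usually means W32Time is off on the DC (see the notes)
    ntpdate -q "$dc" || echo "warning: $dc did not answer NTP; W32Time may be disabled on the DC" >&2
    kinit "Administrator@$realm" &&
    net ads join -U Administrator -S "$dc" &&
    net ads testjoin &&
    wbinfo -t
}
case "${1:-}" in run) main "${2:-ad.example.com}" ;; esac
```

The checks deliberately ignore the idmap lines: `idmap uid` / `idmap gid` are the Samba 3 spelling, and Samba 4 replaced them with `idmap config * : backend = tdb` and `idmap config * : range = 10000-20000`, so a current appliance needs that form before winbind will allocate Unix IDs for the EXAMPLE+ users that `wbinfo -u` lists.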
