jgab's picture

Hi, sorry for my newbie question, but is it possible to use windows AD users on the File Server appliance?

Thanks and regards.

Forum: 
Alon Swartz's picture

According to the Samba documentation, Samba cannot "interact with Windows DC's in the same domain".

But, looking through my notes I have managed to join an Active Directory domain in the past, unfortunately I don't recall in what capacity the connection works. Below is a dump of my notes in hope that they can help, but I cannot provide much support on this issue.

Good luck!

joining active directory
------------------------
resources
'''''''''
resources for setting up samba+kerberos -> AD     http://www.enterprisenetworkingplanet.com/netos/article.php/3487081     http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html     https://help.ubuntu.com/community/ActiveDirectoryHowto     https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto dependencies
''''''''''''
apt-get install winbind apt-get install krb5-user apt-get install ntpdate files to configure
''''''''''''''''''
note: uppercase matters! /etc/hosts     1.0.0.63     ad.example.com     ad /etc/krb5.conf     [libdefaults]         default_realm = EXAMPLE.COM     [realms]         EXAMPLE.COM = {         kdc = ad.example.com         }     [domain_realm]         .example.com = EXAMPLE.COM /etc/samba/smb.conf     [global]         workgroup = EXAMPLE                 # required when joining domain         realm = EXAMPLE.COM         preferred master = no         security = ADS         encrypt passwords = yes         password server = ad.example.com    # shouldn't be req.         winbind separator = +         idmap uid = 10000-20000         idmap gid = 10000-20000         client use spnego = yes             # win2003 requires SMB signing /etc/hosts     1.0.0.1 nas.example.com nas /etc/nsswitch.conf     first 3 lines are most important, other vary according to the system    passwd:     compat winbind     group:      compat winbind     shadow:     compat     hosts:      files dns wins     networks:   files dns sync time with AD
'''''''''''''''''
kerberos is dependent on "the clock" its recommended to sync with the active directory     ntpdate ad.example.com gotcha: on win2ksrv the ntp server is disabled (use regedit) System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters] Value Name: LocalNTP Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) tips:     - timezones are calculated, including daylight saving     - ntp is 123/udp     - win2ksrv will deny NTP service if its clock hasn't sync'ed with a       NTP server in a while         net (stop|start) w32time         net time /setsntp:pool.ntp.org     - ntpdate -d (debug) restarting services
'''''''''''''''''''
i found that winbind must be started before samba     but the docs say the opposite... authenticate using kerberos
'''''''''''''''''''''''''''
kinit Administrator@EXAMPLE.COM join the domain
'''''''''''''''
net ads join -U Administrator -S ad.example.com - its recommended to change the Administrator password on win2k after   first joining (regenerates the kerberos settings or something, not   sure...) testing
'''''''
# smbclient -k -L nas.example.com # wbinfo -u EXAMPLE+administrator EXAMPLE+guest EXAMPLE+tsinternetuser EXAMPLE+iusr_ad EXAMPLE+iwam_ad EXAMPLE+krbtgt # wbinfo -g BUILTIN+administrators BUILTIN+users EXAMPLE+domain computers EXAMPLE+domain controllers EXAMPLE+schema admins EXAMPLE+enterprise admins EXAMPLE+cert publishers EXAMPLE+domain admins EXAMPLE+domain users EXAMPLE+domain guests EXAMPLE+group policy creator owners EXAMPLE+dnsupdateproxy

  

 

Guest's picture

Add new comment