Hi,
We are in the process of migrating to QAS. And I have a few questions about Samba configuration.
Q1
Firstly, on running vas-samba-config -f
lrwxrwxrwx 1 root root 27 Jun 13 12:26 /etc/krb5.conf -> /etc/opt/quest/vas/vas.conf
Should I continue to update this file? [no]:
Now we have this linked to allow other kerberized apps to work, OpenSSH for example. Should we be adding to the central config any options this would normally want to put into this file in order to allow Samba to work properly? For example, should we add:
"password-change-script = /opt/quest/libexec/vas-set-samba-password"
to be pushed out to vas.conf from group policy? Or should I copy in a krb5.conf that is vas.conf and let the script play with it? Will it still work with OpenSSH?
I notice that if I do let it play with this file it hard-codes KDCs; what happens if these machines are changed?
What is best practice with krb5.conf?
Q2
I get:
* NOTE: Winbind not found
AD authentication will still be available to Samba, but access
control entries and file ownership will appear to be for local
users instead of domain users. To correct this, please install
and start winbind and then re-run this script.
Is winbindd supposed to be running? Or just installed? How does it fit in? It doesn't seem to make much difference with my present level of functionality.
Q3
When Samba is up and running and I go into the permissions, I see my users listed as "Unix Users\blah" and "Unix Group\foo".
Is this correct, or should they now be listed as domain users? If I try to add a domain user in, it comes up properly in the list (as a domain account, not Unix\Users) but disappears when applied, and an error gets logged:
Jul 7 17:49:55 testvas smbd[4885]: create_canon_ace_lists: unable to map SID S-1-5-21-790525478-2049760794-839522125-6178 to uid or gid.
So I presume something is wrong with my Samba setup. I'd assumed that with vasidmapd the list would appear as domain users and I'd be able to edit the ACL (ACLs work with setfacl and getfacl on the command line). My smb.conf looks like:
[global]
workgroup = IONEU
max log size = 1000000
preserve case = yes
short preserve case = yes
security = ads
realm = IONEU.IONGEO.COM
encrypt passwords = yes
load printers = no
local master = no
client use spnego = yes
log level = 1
map to guest = Bad User
guest account = cifsguest
hide dot files = yes
nt acl support = yes
;--- begin options added by vas-samba-config (20110707) ---
domain master = no
domain logons = no
machine password timeout = 0
obey pam restrictions = yes
kerberos method = dedicated keytab
dedicated keytab file = /etc/opt/quest/vas/host.keytab
;--- end options added by vas-samba-config (20110707) ---
;--- begin options added by vas-samba-config (20110707) ---
winbind nested groups = no
ldap admin dn = CN=VasIdmapAdmin
idmap backend = ldap:ldap://localhost
idmap uid = 1-2147483647
idmap gid = 1-2147483647
idmap cache time = 300
;--- end options added by vas-samba-config (20110707) ---
[homes]
writeable = yes
guest ok = no
; Local disk configurations
Thanks
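As an added triage example (not code from the original post or from QAS), a short Python script that pulls the unmapped SIDs out of smbd log lines in the format quoted above and checks that the [global] section of smb.conf carries the idmap settings; the smb.conf fragment, log lines and SIDs are constructed.

```python
import re
from collections import Counter

# Constructed sample data: a trimmed smb.conf and a few smbd log lines in the
# format quoted in the post. SIDs and RIDs here are made up.
SMB_CONF = """[global]
security = ads
idmap backend = ldap:ldap://localhost
idmap uid = 1-2147483647
idmap gid = 1-2147483647
"""
SMBD_LOG = """Jul 7 17:49:55 testvas smbd[4885]: create_canon_ace_lists: unable to map SID S-1-5-21-111-222-333-6178 to uid or gid.
Jul 7 17:49:57 testvas smbd[4885]: create_canon_ace_lists: unable to map SID S-1-5-21-111-222-333-513 to uid or gid.
Jul 7 17:50:02 testvas smbd[4885]: create_canon_ace_lists: unable to map SID S-1-5-32-545 to uid or gid.
Jul 7 17:50:10 testvas smbd[4885]: connect to service homes initially as user alice
"""

UNMAPPED_RE = re.compile(r"unable to map SID (S-1-5-[\d-]+) to uid or gid")
REQUIRED = ("idmap backend", "idmap uid", "idmap gid")

def parse_idmap(conf):
    """Return the idmap* keys found in the [global] section of an smb.conf text."""
    settings, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "global":
            key, _, value = line.partition("=")      # values may contain '='
            if key.strip().startswith("idmap"):
                settings[key.strip()] = value.strip()
    return settings

def classify_sid(sid):
    """Domain SIDs (S-1-5-21-<domain>-<RID>) need an idmap entry; others are builtin/well-known."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "domain", "-".join(parts[:-1]), int(parts[-1])
    return "builtin", sid, None

def triage(conf, log):
    """Summarise unmapped SIDs per domain SID and flag missing idmap settings."""
    settings = parse_idmap(conf)
    result = {"missing": [k for k in REQUIRED if k not in settings],
              "domains": Counter(), "rids": {}, "builtin": []}
    for sid in UNMAPPED_RE.findall(log):
        kind, base, rid = classify_sid(sid)
        if kind == "domain":
            result["domains"][base] += 1
            result["rids"].setdefault(base, []).append(rid)
        else:
            result["builtin"].append(sid)
    return result
```

Many unmapped RIDs under a single domain SID point at the idmap backend (here the LDAP server vasidmapd fronts) rather than at individual accounts, while builtin SIDs such as S-1-5-32-545 never come from the domain and are expected to need separate handling.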