Saturday, February 16, 2008

Authenticating Linux to AD using idmap_rid with base_rid

I am only pasting my smb.conf here, which I think may be useful for others. This smb.conf works fine on RHEL4-U6 and RHEL5 and uses the idmap_rid module for mapping AD user/group SIDs to Linux uids/gids. The idmap_rid plugin derives the uid/gid of an AD user from the RID of that user: it subtracts the configured base_rid from the RID and then adds the lower bound (the configurable minimum) of the idmap range. For example:

Suppose I define the idmap config range as "1500 - 10000" in my smb.conf and base_rid as 500, and the RID of the AD user is 1546; then the uid of that user would be 1546 - 500 + 1500, which is 2546.

The SID for user "u1" looks as below:

# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)

Here the RID of u1 is 1106, so the uid is 1106 - 500 + 1500, which is 2106.
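The mapping rule above, written out as an added example (not code from the post or from Samba): it takes the SID string that wbinfo prints, splits off the RID, and applies the idmap_rid arithmetic with the base_rid and range from the smb.conf below, returning None where winbind would report the SID as unmapped. The regular expression and the helper names are my own; the constants are the values used in this post.

```python
import re

# Values taken from the smb.conf in this post.
BASE_RID = 500
RANGE_LOW, RANGE_HIGH = 1500, 10000
# Domain part of the SID shown by "wbinfo -n u1" above.
DOMAIN_SID = "S-1-5-21-2913803998-3319354983-1616611311"

# A domain account SID: S-1-5-21-<three sub-authorities>-<RID>
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def split_sid(sid):
    """Split a domain SID into (domain SID, RID); reject anything else."""
    m = _DOMAIN_SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain account SID: %r" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def rid_to_id(rid, base_rid=BASE_RID, low=RANGE_LOW, high=RANGE_HIGH):
    """idmap_rid rule: id = rid - base_rid + low.

    Returns None when the result falls outside the configured range,
    which is the case winbind reports as unmapped (no uid/gid at all)."""
    if rid < base_rid:
        return None
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None

def id_to_rid(xid, base_rid=BASE_RID, low=RANGE_LOW, high=RANGE_HIGH):
    """Inverse of rid_to_id, the direction used for uid -> SID lookups."""
    if not low <= xid <= high:
        return None
    return xid - low + base_rid

def sid_to_uid(sid, domain_sid=DOMAIN_SID, **cfg):
    """Map a user SID to a uid; SIDs from any other domain get no mapping."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    return rid_to_id(rid, **cfg)

def max_mappable_rid(base_rid=BASE_RID, low=RANGE_LOW, high=RANGE_HIGH):
    """Highest RID the range can hold; accounts created above it stay unmapped."""
    return base_rid + (high - low)
```

With this range the highest RID that still gets a uid is 9000, so a domain that keeps creating accounts eventually needs a wider range; also keep the range clear of uids already used in /etc/passwd, since the backend does nothing to avoid collisions with local accounts.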

In this configuration we assume that our AD domain is test.example.com

[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
# rid backend: uid/gid = RID - base_rid + lower end of range; no mapping database needed
idmap domains = EXAMPLE
idmap config EXAMPLE: default = yes
idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: base_rid = 500
idmap config EXAMPLE: range = 1500-10000
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Configure /etc/krb5.conf appropriately if using Kerberos for authentication.

Join the system to the Active Directory domain.

# net ads join -U administrator

Run authconfig and choose winbind for name service and Kerberos for authentication. Don't join the system to the domain in this step, since we have already joined it.

Restart winbind. Now every AD user should be able to log in to the Linux system.

1 comment:

Unknown said...

Thank you for that explanation! Saved my life!