Sunday, February 3, 2008

Samba - How to authenticate linux system via winbind using idmap_rid

I only paste my smb.conf here which I think may be useful for others. This smb.conf works fine on RHEL4-U6 and RHEL5 which uses idmap_rid module for mapping AD users/groups sids to linux uids/gids. idmap_rid plugin generates uid/gid for AD users by adding a configurable base value to the rid of an AD user. Eg,

Suppose if I define "idmap uid = 1500 - 10000" in my smb.conf and the rid of the AD user is 1546, then the uid of that user would be 1500 + 1546 which is 3046. If there are multiple domains which are trusted, then the smb.conf wouldn't work. I would create a separate post for that.

Sid for user "u1" would look like as below.

# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)

Here the rid of the u1 is 1106.

In this configuration we assume that our AD domain is test.example.com

[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
idmap backend = idmap_rid:EXAMPLE=1500-100000
idmap uid = 1500-100000
idmap gid = 1500-100000
allow trusted domains = no
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Configure /etc/krb5.conf appropriately, if using kerberos for authentication.

Join the system to Active Directory Domain.

# net ads join -U administrator

Run authconfig and chose winbind for name service and kerberos for authentication. Don't join the system to domain in this attempt since we have already joined it.

Restart winbind. Now every ad user should be able to log in to linux system.

No comments: