I've swapped in my domain name/etc. and commented the lines that I believe don't apply to my environment; if I disabled something necessary, please let me know. Here's the smb.conf I tried:

[global]
        netbios name = HAPPYTOBEHERE
        security = ads
        workgroup = FOO
        realm = FOO.ORG
        password server = dcx.foo.org dcy.foo.org dcz.foo.org
        # <---- I also tried it with a single DC entry
        preferred master = no
        encrypt passwords = yes
        kerberos method = secrets only
        # general options
        # vfs objects = shadow_copy2 fileid gpfs
        # unix extensions = no
        # mangled names = no
        # case sensitive = no
        # map untrusted to domain = yes
        deadtime = 0
        log level = 1
        log file = /var/log/samba/%I.log
        max log size = 100
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE

        # store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
        # ea support = yes
        # store dos attributes = yes
        # map readonly = no
        # map archive = no
        # map system = no

        # the ctdb clustering and GPFS stuff
        # clustering = yes
        # ctdbd socket = /tmp/ctdb.socket
        # fileid : algorithm = fsname
        # gpfs : sharemodes = yes
        # gpfs : winattr = yes
        # force unknown acl user = yes
        # nfs4 : mode = special
        # nfs4 : chown = no
        # nfs4 : acedup = merge

        # enable shadow copies
        # shadow : snapdir = /happytobehere/.snapshots
        # shadow : basedir = /happytobehere
        # shadow : fixinodes = yes

        # silence warnings about CUPS
        # printing = bsd
        # printcap name = /etc/printcap
        # load printers = yes
        cups options = raw

        # stuff necessary for guest logins to work where required
        # guest account = nobody
        # map to guest = bad user

        # fake the dfree information to match the fileset quota if it exists
        # dfree cache time = 15
        # dfree command = /var/lib/samba/scripts/mmdfree

        # deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999
        idmap gid = 2000000 - 2999999
        idmap config FOO : backend = ad
        idmap config FOO : schema_mode = rfc2307
        idmap config FOO : readonly = yes
        idmap config FOO : range = 500 - 1999999
        idmap cache time = 604800
        idmap negative cache time = 20
        winbind cache time = 600
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false

Here's /etc/pam.d/password-auth-ac if that helps:

[root@happytobehere samba]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_succeed_if.so user ingroup adm_it_sops_lessadmins_mod
auth        sufficient    pam_succeed_if.so user ingroup "domain admins"
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

[BTW, when this does work I still see errors in syslog about accounts I know are Domain Admins still not being recognized as members of the group "domain"; do I need to do something else to escape that space in the group name? Maybe a backslash?]
And here's what syslog sees for an attempt via SSH:

May 31 08:11:54 happytobehere sshd[12713]: Invalid user should_work from www.xxx.yyy.zzz
May 31 08:11:54 happytobehere sshd[12716]: input_userauth_request: invalid user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): check pass; user unknown
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:03 happytobehere sshd[12713]: Failed password for invalid user should_work from www.xxx.yyy.zzz port 51602 ssh2
May 31 08:12:06 happytobehere sshd[12716]: Received disconnect from www.xxx.yyy.zzz: 13: Unable to authenticate

Grateful for your help...

Randy Rue

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Jonathan Buzzard
Sent: Thursday, May 31, 2012 5:36 AM
To: samba@lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2

This is a working smb.conf CentOS 6.2 latest aka 3.5.10-116.el6_2.x86_6 configuration against a Windows 2008R2 domain. Note we are using GPFS as our underlying file system and CTDB.
All I have changed is the names.

[global]
        netbios name = NEMO
        security = ads
        workgroup = MYDOMAIN
        realm = MYDOMAIN.MEGACORP.COM
        password server = *
        preferred master = no
        encrypt passwords = yes
        kerberos method = secrets only

        # general options
        vfs objects = shadow_copy2 fileid gpfs
        unix extensions = no
        mangled names = no
        case sensitive = no
        map untrusted to domain = yes
        deadtime = 0
        log level = 1
        log file = /var/log/samba/%I.log
        max log size = 100
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE

        # store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
        ea support = yes
        store dos attributes = yes
        map readonly = no
        map archive = no
        map system = no

        # the ctdb clustering and GPFS stuff
        clustering = yes
        ctdbd socket = /tmp/ctdb.socket
        fileid : algorithm = fsname
        gpfs : sharemodes = yes
        gpfs : winattr = yes
        force unknown acl user = yes
        nfs4 : mode = special
        nfs4 : chown = no
        nfs4 : acedup = merge

        # enable shadow copies
        shadow : snapdir = /nemo/.snapshots
        shadow : basedir = /nemo
        shadow : fixinodes = yes

        # silence warnings about CUPS
        printing = bsd
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw

        # stuff necessary for guest logins to work where required
        guest account = nobody
        map to guest = bad user

        # fake the dfree information to match the fileset quota if it exists
        dfree cache time = 15
        dfree command = /var/lib/samba/scripts/mmdfree

        # deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999
        idmap gid = 2000000 - 2999999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : readonly = yes
        idmap config MYDOMAIN : range = 500 - 1999999
        idmap cache time = 604800
        idmap negative cache time = 20
        winbind cache time = 600
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba