First, let's make some storage folders. Which filesystem they live on doesn't matter here, though ZFS would be nice to have!
Storage
#mkdir -p /datastore/dfs
#mkdir -p /datastore/homes
#mkdir -p /datastore/backups
#mkdir -p /datastore/filestore
And then we make a samba config file:
samba.conf
#nano /usr/local/etc/samba.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = No
server string = fileserver1
security = ADS
encrypt passwords = yes
# log level = 3
# log file = /var/log/samba/%m
max log size = 50
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template primary group = "Domain Users"
load printers = No
disable spoolss = Yes
# local master = No
admin users = "@DOMAIN+Domain Admins"
host msdfs = Yes
[dfs]
path = /datastore/dfs
msdfs root = Yes
[homes]
comment = Home directories
valid users = %S
read only = No
writeable = Yes
browsable = No
path = /datastore/homes/%S
[backups$]
comment = Backups systeembeheer
valid users = @DOMAIN+Administrators
writable = Yes
browseable = Yes
path = /datastore/backups
[filestore]
comment = All the files for users
# note: %S expands to the share name, so here it matches only a user named 'filestore'
valid users = %S
read only = No
writeable = Yes
browsable = Yes
path = /datastore/filestore
-- save the file and start samba:
#service samba start
-- or use old style:
#/usr/local/etc/rc.d/samba start
Once samba is up and running with no errors, we add this server to Active Directory:
active directory join
#net ads join -U administrator
Enter administrator's password: adminpass
Using short domain name -- DOMAIN
Joined 'fileserver1' to realm 'domain.local'
#net ads info
LDAP server: 172.20.1.1
LDAP server name: dc1.domain.local
REALM: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: xxxxxxxxxx
KDC server: 172.20.1.1
server time offset: 0
If you see the above output, the server is joined to the Active Directory domain!
To verify this, log in on either DC of the domain and open the 'Computers' container in the root of AD. It should contain the fileserver1 object.
From there, you can move it wherever you like according to your AD setup.
To verify that the server can 'see' the groups and users in the domain:
winbind check
#wbinfo -u
-- this should list all users found in the domain. If not, something is wrong.
#wbinfo -g
-- this should list all groups found in the domain. If not, something is wrong.
If something is wrong, check your log files; they will probably tell you why no groups or users can be found.
Once all is working, it's time to tell the system how to use these users and groups by configuring nsswitch:
nsswitch.conf
#nano /etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns wins
networks: files
shadow: files winbind
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files winbind
Note: the local group and passwd files are still consulted first! That way, whenever something is wrong with AD we can still log in to the system with the local usernames and passwords, including root!
You can check that things are OK using:
getent check
#getent passwd
-- lists the contents of /etc/passwd
-- followed by all the users from AD, starting at uid 10000 and gid 10006
#getent group
-- lists the contents of /etc/group
-- followed by the groups from AD, starting at gid 10006
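Because local accounts and winbind accounts are merged into one view, it is worth checking that nothing in /etc/passwd sits inside the idmap range (10000-20000) that winbind hands out to AD users, or two different identities share a uid on /datastore. The script below is an added example, not part of the original page; idmap_report is a helper name chosen here, and the passwd lines it runs on are constructed sample data.

```sh
#!/bin/sh
# Added example: compare `getent passwd` output with the idmap range from the
# samba config above (idmap uid = 10000-20000). AD accounts resolved through
# winbind should land inside that range; a local account inside it collides
# with a winbind-allocated id and makes ownership on /datastore ambiguous.

IDMAP_LOW=10000
IDMAP_HIGH=20000

# idmap_report LOCAL_PASSWD_FILE < getent_output
# Prints one line per entry whose uid is inside the idmap range:
#   AD        name:uid   (resolved through winbind, as expected)
#   COLLISION name:uid   (also defined in the local passwd file)
# Exit status is 0 when no collisions were found, 1 otherwise.
idmap_report() {
    awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '
        NR == FNR { local_user[$1] = 1; next }   # first file: local accounts
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 {
            if ($1 in local_user) { print "COLLISION " $1 ":" $3; bad = 1 }
            else                  { print "AD        " $1 ":" $3 }
        }
        END { exit bad + 0 }' "$1" -
}

# Constructed sample data: a local passwd file and the merged getent view
# (local entries first, then winbind entries, as nsswitch.conf orders them).
SAMPLE_LOCAL='root:*:0:0:Charlie &:/root:/bin/csh
svcbackup:*:10005:10005:Local backup job:/home/svcbackup:/bin/sh'
SAMPLE_GETENT="$SAMPLE_LOCAL
jdoe:*:10001:10006:John Doe:/datastore/homes/jdoe:/bin/bash
asmith:*:10002:10006:Anne Smith:/datastore/homes/asmith:/bin/bash"

# Run the check on the sample data; returns idmap_report's exit status.
run_sample() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_LOCAL" > "$tmp"
    printf '%s\n' "$SAMPLE_GETENT" | idmap_report "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# On the real file server the same check is:
#   getent passwd | idmap_report /etc/passwd
```

The sample deliberately contains a local service account (svcbackup, uid 10005) inside the idmap range, so the report flags it as a collision and exits non-zero.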