bleifuss
Goto Top

Samba Share mit Active Directory

Hallo zusammen,

ich kann meine Samba Share im AD leider nur mit der IP-Adresse \\10.0.xx.xx erreichen. Nicht aber mit dem Hostnamen. \\mytest
Vielleicht hat jemand eine Idee, an was es liegen könnte:

cat /etc/hostname
vi-10.mytest.mydomain.de


smb.conf: 

#======================= Global Settings =====================================

[global]

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to  
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
;       workgroup = MYGROUP
        workgroup = mytest-MG
        server string = Samba Server Version %v

        netbios name = vi-10

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;       hosts allow = 127. 192.168.12. 192.168.13.

;       max protocol = SMB2
        max protocol = SMB3

        # --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".  
#

        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50
        log level = 3

# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards  
# compatibility.
#

;       security = user
;       passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards  
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.  
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"  
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.  

;       security = domain
        security = ads
        encrypt passwords = yes
        passdb backend = tdbsam
;       realm = MY_REALM
        realm = mytest.mydomain.DE
        kerberos method = system keytab

;       password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards  
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"  
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
;       security = user
;       passdb backend = tdbsam

;       domain master = yes
;       domain logons = yes

        # the following login script name is determined by the machine name
        # (%m):
;       logon script = %m.bat
        # the following login script name is determined by the UNIX user used:
;       logon script = %u.bat
;       logon path = \\%L\Profiles\%u
        # use an empty path to disable profile support:
;       logon path =

        # various scripts can be used on a domain controller or a stand-alone
        # machine to add or delete corresponding UNIX accounts:

;       add user script = /usr/sbin/useradd "%u" -n -g users  
;       add group script = /usr/sbin/groupadd "%g"  
;       add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"  
;       delete user script = /usr/sbin/userdel "%u"  
;       delete user from group script = /usr/sbin/userdel "%u" "%g"  
;       delete group script = /usr/sbin/groupdel "%g"  


# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
;       local master = no
;       os level = 33
;       preferred master = yes

#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
        wins support = yes
;       wins server = w.x.y.z
;       wins proxy = yes

;       dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#

;       load printers = yes
        load printers = no
        cups options = raw

;       printcap name = /etc/printcap
        # obtain a list of printers automatically on UNIX System V systems:
;       printcap name = lpstat
;       printing = cups
        printcap name = /dev/null

# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify  
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.

;       map archive = no
;       map hidden = no
;       map read only = no
;       map system = no
;       store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;       valid users = %S
;       valid users = MYDOMAIN\%S

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[www]
        writeable = yes
        path = /var/www
        force group = apache
        force user = apache
        public = yes
        browseable = yes
;       store dos attributes = yes

Content-ID: 381142

Url: https://administrator.de/contentid/381142

Ausgedruckt am: 08.11.2024 um 21:11 Uhr

dodo30
dodo30 24.07.2018 aktualisiert um 10:08:10 Uhr
Goto Top
hi,

kennt dein DNS Server denn den Host \\mytest ?
Bleifuss
Bleifuss 24.07.2018 um 10:25:17 Uhr
Goto Top
Hallo,

danke für die Antwort.

ja, der A Eintrag ist gesetzt. Außer Samba scheint auch alles zu funktionieren. Wir haben auf dem Server mehrere Tools installiert
dodo30
dodo30 24.07.2018 aktualisiert um 10:35:30 Uhr
Goto Top
ja und dann hast du ein Share namens "www"

du solltest dann mit \\mytest\www draufkommen ?

wenn du im Explorer das angezeigt bekommen willst, dann stell folgendes in der smb.conf ein

local master = yes 
       os level = 255
       preferred master = yes 
chiefteddy
chiefteddy 24.07.2018 um 10:37:18 Uhr
Goto Top
Hallo,

was liefert denn ein PING oder TRACERT auf den FQDN des Samba-Servers?

Jürgen
emeriks
emeriks 24.07.2018 um 10:51:35 Uhr
Goto Top
Hi,
vi-10.mytest.mydomain.de
Wenn das der FQDN ist, dann heißt doch der Server "VI-10"?

Zumal weiter unten doch noch steht:
netbios name = vi-10

E.
Bleifuss
Bleifuss 24.07.2018 um 11:44:38 Uhr
Goto Top
Hi,

ein Ping oder Tracert auf den FQDN liefert mir die richtige IP zurück
Bleifuss
Bleifuss 24.07.2018 um 11:48:26 Uhr
Goto Top
ich komme auch mit dem Eintrag nicht auf \\mytest\www\ ---
mit \\10.0.x.x\www\ funktioniert es wieder...
Bleifuss
Bleifuss 24.07.2018 um 11:50:05 Uhr
Goto Top
Zitat von @emeriks:

Hi,
vi-10.mytest.mydomain.de
Wenn das der FQDN ist, dann heißt doch der Server "VI-10"?

Zumal weiter unten doch noch steht:
netbios name = vi-10

E.

ja, dass ist richtig. Ich habe das \\mytest nur zur Vereinheitlichung genommen
emeriks
emeriks 24.07.2018 um 11:57:42 Uhr
Goto Top
# ----------------------- Domain Members Options ------------------------
realm = mytest.mydomain.DE
Die Samba-Kiste ist Member in einem AD? Mit Windows DC's? Und diese Domäne heißt "mytest.mydomain.DE"?

Falls alles ja, dann kannst Du nicht von einem anderen Windows Member über diesen FQDN auf die Samba-Kiste zugreifen.
Bleifuss
Bleifuss 24.07.2018 um 12:06:43 Uhr
Goto Top
Zitat von @emeriks:

# ----------------------- Domain Members Options ------------------------
realm = mytest.mydomain.DE
Die Samba-Kiste ist Member in einem AD? Mit Windows DC's? Und diese Domäne heißt "mytest.mydomain.DE"?

Falls alles ja, dann kannst Du nicht von einem anderen Windows Member über diesen FQDN auf die Samba-Kiste zugreifen.

ja, das ist richtig. Sie heißt jetzt natürlich nicht "mytest.mydomain.DE" - ich wollte unsere Domäne hier nicht preisgeben
Warum kann ich das dann nicht?
emeriks
emeriks 24.07.2018 um 12:56:14 Uhr
Goto Top
Weil Du dafür eine interne DNS-Zone haben solltest. Entweder für "mydomain.DE " mit Sub-Domain "mytest" oder eine Zone für "mytest.mydomain.DE". Egal: In dieser stehen für jeden Domaincontroller bereits A-Records ohne Namen mit den IP-Adressen der Domaincontroller. (Bei Zone "mydomain.DE" in der Sub-Domain, bei Zone "mytest.mydomain.DE" direkt in der Root der Zone)
Ein Windows Client, welcher Mitglied in dieser Domäne ist, wird bei Eingabe von "\\mytest.mydomain.DE\irgendwas" immer auf einen der DC auflösen wollen. Du kannst das testen, in dem Du testweise auf allen DC der Domäne eine Freigabe erstellst, mit Namen wie auch auf dem Samba. Dann ruf auf "\\mytest\sambafreigabe" und Du solltest auf einem der DC landen. Einfach mal eine Datei dort erstellen, dann siehst Du, welcher DC das war.
Bleifuss
Bleifuss 09.08.2018 aktualisiert um 16:23:40 Uhr
Goto Top
Noch kurz zum Abschluss:
Es hatte sich rausgestellt, dass eine Datei namens "host_0" im Ordner /var/tmp/ defekt war. Nachdem man das File gelöscht hat, legt es sich automatisch neu an und es funktioniert.