[Samba] Samba4 member of an another « Samba4 » domain
Matthieu Patou
mat at samba.org
Tue Apr 9 01:34:19 MDT 2013
On 04/08/2013 06:01 PM, François Lafont wrote:
> Thank you Matthieu for your answer.
>
> On 08/04/2013 01:37, Matthieu Patou wrote:
>>> 1) First attempt to join the domain in the member server
>>>
>>> root at member~# samba-tool domain join chezmoi.priv member -U
>>> administrator --realm=chezmoi.priv
>>> Password for [CHEZMOI\administrator]:
>>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>>
>>> root at member~# ldconfig
>>>
>>> root at member~# smbd && nmbd
>>>
>>> And now impossible to run winbindd.
>>>
>>> -----------------------------------------------
>>> root at member~# winbindd -i -d 10
> [...]
>
>>> pack_tdc_domains: Packing 2 trusted domains
>>> pack_tdc_domains: Packing domain BUILTIN ()
>>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>>> idmap config WHEEZY-2 : range = not defined
>>> Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
>>> Could not fetch our SID - did we join?
>>> unable to initialize domain list
>>> -----------------------------------------------
>> Hum, interesting, would be worth to check that from a clean setup you
>> have this issue again and again.
> I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain to you exactly what I have done.
>
> In the DC server *and* in the MEMBER server (both in static IP), I have done this:
>
> -----------------------------------------------
> apt-get update
> apt-get dist-upgrade
> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
> vi /etc/fstab # I add the acl and user_xattr options for "/" partition
> mount -o remount /
> cd /usr/local/src/
> wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
> wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz
> cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
> cd /usr/local/src/samba-4.0.4 && ./configure && make && make install
> echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
> halt
> -----------------------------------------------
>
> Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)
>
> Then, in the DC server, I have done:
>
> -----------------------------------------------
> samba-tool domain provision # I keep the default answers each time, seems to work fine
>
> # 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> samba
> -----------------------------------------------
>
> Just for information, here is the smb.conf on the DC server after these commands:
>
> -----------------------------------------------
> # Global parameters
> [global]
> workgroup = CHEZMOI
> realm = CHEZMOI.PRIV
> netbios name = WHEEZY-SERVER
> server role = active directory domain controller
> dns forwarder = 212.27.40.241
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> -----------------------------------------------
>
> In the MEMBER server, I have done:
>
> -----------------------------------------------
> echo "nameserver 192.168.0.21" > /etc/resolv.conf
> samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> vi /usr/local/samba/etc/smb.conf # see below
> smbd && nmbd
> winbindd -i -d 10
> -----------------------------------------------
>
> And boom! I have the same error which I described in my previous message. The winbindd command stops.
>
> Just for information, here is the smb.conf in the MEMBER server:
>
> -----------------------------------------------
> [global]
> workgroup = CHEZMOI
> security = ADS
> realm = CHEZMOI.PRIV
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config CHEZMOI:backend = ad
> idmap config CHEZMOI:schema_mode = rfc2307
> idmap config CHEZMOI:range = 500-40000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> -----------------------------------------------
>
> Have I forgotten a step?
Are you sure that the two hosts have different names, as you are creating
everything from the same base?
Also, could you do a net join -d 10 and attach the secrets.tdb after the
first join?
>
>>> 2) Second attempt to join the domain in the member server. It's better,
>>> but it doesn't work either.
>>>
>>> root at member:~# net ads join -U administrator
>>> Enter administrator's password:
>>> Using short domain name -- CHEZMOI
>>> Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
>>> DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>
>>> root at member:~# ldconfig
>>> root at member:~# smbd && nmbd
>>> root at member:~# winbindd -i -d 10
>>>
>>> And winbindd seems to be ok. I have :
>>>
>>> root at member:~# wbinfo -u
>>> administrator
>>> krbtgt
>>> test10
>>> test11
>>> guest
>>> test1
>>> test2
>>> test3
>>> test4
>>> test5
>>> test6
>>> ...
>>>
>>> root at member:~# wbinfo -i test9
>>> test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false
>>>
>>> But if I create a user on the domain controller server:
>>>
>>> root at dc:~# samba-tool user add test12 --random-password
>>> User 'test12' created successfully
>>>
>>> then on the member server:
>>>
>>> root at member:~# wbinfo -i test12
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user test12
>>>
>>> Here is the stdout of winbindd during the command :
>>>
>>> -----------------------------------------------
>>> info : *
>>> info: struct wbint_userinfo
>>> acct_name : *
>>> acct_name : 'test12'
>>> full_name : NULL
>>> homedir : NULL
>>> shell : NULL
>>> primary_gid : 0x00000000ffffffff
>>> (4294967295)
>>> user_sid :
>>> S-1-5-21-3370545617-3166960116-3193249687-1115
>>> group_sid :
>>> S-1-5-21-3370545617-3166960116-3193249687-513
>>> result : NT_STATUS_NOT_FOUND
>>> Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115:
>>> NT_STATUS_NOT_FOUND
>>> wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
>>> winbind_client_response_written[2813:GETPWNAM]: delivered response to
>>> client
>>> closing socket 23, client exited
>>> -----------------------------------------------
>> Don't you have rfc2307 configured ?
> The smb.conf of the DC server and the smb.conf of the MEMBER server are exactly as above in this message. So, I have « winbind nss info = rfc2307 » in the smb.conf of the MEMBER server.
>
>> if so for the new user did you set the needed attributes ?
> I have just run: samba-tool user add test12 --random-password
> That's all. Which are the needed attributes?
When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
to convert the SID to a uid/gid, hence the error message.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
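An added check, not from this thread or from Samba itself, that makes the failure Matthieu describes visible before winbindd reports NT_STATUS_NOT_FOUND: it reads sAMAccountName, uidNumber and gidNumber for each user from LDIF-shaped text and reports the entries an rfc2307-backed idmap with the member's range (500-40000) cannot map, either because the attribute is missing (the test12 case) or because the value falls outside the range. The LDIF is constructed sample data, the helper names are assumptions, and only test12's SID comes from the thread.

```python
import re

# Range from the member's smb.conf: idmap config CHEZMOI:range = 500-40000
IDMAP_RANGE = (500, 40000)

# Constructed sample in the shape ldbsearch prints; only test12's SID is from the thread.
SAMPLE_LDIF = """\
dn: CN=test9,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test9
objectSid: S-1-5-21-3370545617-3166960116-3193249687-1112
uidNumber: 10009
gidNumber: 10000

dn: CN=test12,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test12
objectSid: S-1-5-21-3370545617-3166960116-3193249687-1115

dn: CN=test13,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test13
objectSid: S-1-5-21-3370545617-3166960116-3193249687-1116
uidNumber: 70004
gidNumber: 10000
"""


def parse_ldif(text):
    """Split LDIF text into one {attribute: value} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()] = value.strip()
        entries.append(entry)
    return entries


def unmappable_users(text, idmap_range=IDMAP_RANGE):
    """Return {sAMAccountName: reason} for users an rfc2307 idmap cannot map."""
    low, high = idmap_range
    problems = {}
    for e in parse_ldif(text):
        name = e.get("sAMAccountName", e.get("dn"))
        for attr in ("uidNumber", "gidNumber"):
            if attr not in e:  # no POSIX attribute at all: the test12 case
                problems[name] = "missing " + attr
                break
            if not low <= int(e[attr]) <= high:  # idmap_ad rejects values outside its range
                problems[name] = "%s %s outside range %d-%d" % (attr, e[attr], low, high)
                break
    return problems
```

Feed it real data by exporting the user entries from the DC with ldbsearch (or any LDAP client) and passing the text to unmappable_users.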