[Samba] Samba 4 problems

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 18 10:57:55 MST 2014


On 18/12/14 17:10, Brett Wynkoop wrote:
> Greeting-
>
> It has been years since I last set up a Samba server.  The last one I
> did was a 2.x version!
>
> For the last two weeks I have been fighting with 2 issues with a samba
> 4 server I have set up for testing.
>
> . Encrypted transport seems to not work for me
>
> . Unix user smith and Samba user smith seem to have different UID
>    numbers when files are created.
>
>
> At the moment the second issue is the most vexing, but if I do not
> solve the first issue as well the project I am testing this for will
> need to be implemented using some other technology.
>
> Here is my current smb4.conf file:
>
> # Global parameters
> [global]
>          workgroup = EXAMPLE
>          kerberos method = secrets and keytab
>          local master = yes
>          netbios name = HOSTNAME
>          log level = 4
>
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, winreg, srvsvc
>
>          realm = EXAMPLE.COM
>          os level = 20
>          username map = /var/db/samba4/private/users.map
>          client max protocol = SMB3
> #        server min protocol = SMB3
>          hide dot files = no
>          winbind trusted domains only = yes
>
>          server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, smb
>
>          winbind use default domain = yes
>          dns forwarder = 192.168.1.1
>          domain logons = yes
>          smb encrypt = yes
>          security = user
>          encrypt passwords = yes
>          preferred master = yes
> #
> # I have tried with and without the line below
> #
>          #idmap_ldb:use rfc2307 = yes
>          wins support = true
>          server role = active directory domain controller
>
>
>
> [netlogon]
>          path = /var/db/samba4/sysvol/example.com/scripts
>          read only = No
>
> [sysvol]
>          path = /var/db/samba4/sysvol
>          read only = No
>
> [archive]
>          writeable = yes
>          browseable = yes
>          valid users = smith
>          write list = smith, @wheel
>          path = /archive
>          comment = /archive
>          revalidate = yes
> #       vfs objects = zfsacl
> #       nfs4:mode = special
> #       nfs4:chown = yes
> #       zfsacl:acesort = dontcare
>
> The user was first created as a Unix user with a UID of 50 (historical
> reasons for the low uid).  Then the user was added to samba using
> smbpasswd.
>
> It should be noted that all the kerberos bits seem to be working as
> doing a kinit then running smbclient -k //server/share yields a
> connection, but of course with the UID different from the UID of the
> same user at the unix shell level.
>
> Also unless I am using the kerberized smbclient it seems that all
> traffic is passed unencrypted according to my TCPDUMP tests.  Tested
> clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes
> with smbclient forced to V3.  I probably will not move on to testing
> with a Windows client if I can not solve the UID mismatch issue.
>
> Any ideas?  I have been searching the net for some time with no joy.
>
> Thanks.
>
> -Brett
>

Hi, after sorting out your smb.conf, it would seem that you are running 
samba4 as an AD DC and then trying to add parts to it that are either 
the defaults or are not required. I would suggest that you reinstate the 
original smb.conf (you did keep a copy, didn't you?), delete most of, 
if not all, the Unix users you have added, then add them again, but this 
time to your AD. Unlike samba 2, when running samba 4 in AD mode, you 
cannot have Unix users that are also AD users; you store everything in AD.

I would suggest that you have a read here: 
https://wiki.samba.org/index.php/Main_Page

I know that you are testing here, but it would seem that samba 4.2 will 
support OSX clients better. This version seems to be delayed due to 
problems, but I am sure that the wait will be worth it.

Rowland

