[Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
Daniel Müller
mueller at tropenklinik.de
Wed Jul 23 01:18:14 MDT 2014
I did update the range in my smb.conf to fit.
I did in my
/etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
The member server is logged on my DC
smbstatus|grep centclust
25275 TPLK\centclust1$ TPLK\Domain Computers 192.168.135.36 (ipv4:192.168.135.36:54761)
So we have two range definitions here:
idmap config *:backend = tdb
idmap config *:range = 100001-990000 #<-- What about this range!??? I think MemberServer
idmap config TPLK:backend = ad
idmap config TPLK:schema_mode = rfc2307
idmap config TPLK:range = 500-99999 #<-- think this is the Domain Range!???
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
Which one fits?
Wbinfo is working but I need getent to work as well. I cannot log in to my Demoshare on the MemberServer!?
smbclient //centclust1/Demoshare -Uadministrator
Enter administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@centclust1 var]# smbclient //centclust1/Demoshare -UTPLK\\administrator
Enter TPLK\administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@centclust1 var]# smbclient //centclust1/Demoshare -UTPLK.LOC\\administrator
Enter TPLK.LOC\administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Greetings
Daniel
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Wednesday, 23 July 2014 08:27
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
On Wed, 2014-07-23 at 08:16 +0200, Daniel Müller wrote:
> I did manage this with ADUC Unix-Attr. Set the range accordingly, no
> chance to see anything.
> Id TPLK\administrator gives nothing:
> There is no such user!??
> Things that were running with samba 3.6 on the fly?
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Tuesday, 22 July 2014 16:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS
> Domain
>
> On 22/07/14 15:17, Daniel Müller wrote:
> > Now I did this smb.conf:
> >
> > [global]
> > workgroup = TPLK
> > realm = TPLK.LOC
> > security = ADS
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nss info = rfc2307
> > idmap config TPLK:range = 500-40000
**_____________________________________^^^^^^^^^
If as Rowland has suggested and you have added a minimum of uidNumber to your users && you have winbind specified for nss, then I can only think that the uidNumbers you have added are not within the range you have set.
Cheers,
Steve
> > idmap config TPLK:schema_mode = rfc2307
> > idmap config TPLK:backend = ad
> > idmap config *:range = 70001-80000
> > idmap config * : backend = tdb
> >
> > and after joining:
> > net ads join -U administrator
> > Enter administrator's password:
> > Using short domain name -- TPLK
> > Joined 'CENTCLUST1' to dns domain 'tplk.loc'
> >
> > when I start manually smbd then nmbd and winbindd by hand it results in:
> >
> >
> > STATUS=daemon 'smbd' finished starting up and ready to serve
> > connectionsUnable to connect to CUPS server localhost:631 -
> > Verbindungsaufbau abgelehnt
> > Jul 22 16:13:01 centclust1 smbd[4364]: STATUS=daemon 'smbd' finished
> > starting up and ready to serve connectionsfailed to retrieve printer list:
> > NT_STATUS_UNSUCCESSFUL
> > Jul 22 16:13:09 centclust1 nmbd[4369]: [2014/07/22 16:13:09.366916,
> > 0]
> > ../source3/nmbd/nmbd.c:945(main)
> > Jul 22 16:13:09 centclust1 nmbd[4369]: standard input is not a socket,
> > assuming -D option
> > Jul 22 16:13:09 centclust1 nmbd[4370]: [2014/07/22 16:13:09.370087,
> > 0]
> > ../lib/util/become_daemon.c:136(daemon_ready)
> > Jul 22 16:13:21 centclust1 winbindd[4425]: [2014/07/22
> > 16:13:21.183036, 0]
> > ../source3/winbindd/winbindd_cache.c:3196(initialize_winbindd_cache)
> > Jul 22 16:13:21 centclust1 winbindd[4425]: initialize_winbindd_cache:
> > clearing cache and re-creating with version number 2 Jul 22 16:13:21
> > centclust1 winbindd[4425]: [2014/07/22 16:13:21.185657, 0]
> > ../lib/util/become_daemon.c:136(daemon_ready)
> > Jul 22 16:13:33 centclust1 nmbd[4370]: STATUS=daemon 'nmbd' finished
> > starting up and ready to serve connections*****
> >
> > And wbinfo -u:
> >
> > [root@centclust1 sbin]# wbinfo -u
> > fcbraun
> > reiser
> > stoyanopoulos
> > fischerkeller
> > michaletz-stolz
> > drumm
> > schlotterbeck
> > hahn
> > droessler
> > schaeffer
> > zanzinger
> > rueda
> > walker...
> >
> >
> > And wbinfo -g
> >
> > wbinfo -g
> > allowed rodc password replication group enterprise read-only domain
> > controllers denied rodc password replication group read-only domain
> > controllers group policy creator owners ras and ias servers
> > terminalserver user patientenverwaltung domain controllers..-
> >
> >
> > getent passwd and group leaves me with local users and groups no ads
> > stuff!!!
>
> Have you given your users a uidNumber and Domain Users a gidNumber ?
>
> Without these, getent will not show any domain users (the numbers you
> give your users must be inside the range you have set in smb.conf)
>
> Even with Domain Users having a gidNumber, getent group will not
> display anything, you must use 'getent group Domain\ Users'. The cure,
> I am led to believe, is to give all your domain groups a gidNumber.
>
> Rowland
> >
> >
> >
> >
> > When I set this properties in my smb.conf [global]
> >
> > server services = +smb, +winbind
> > It does not start up with this error:
> >
> > Jul 22 16:09:25 centclust1 samba[3323]: STATUS=daemon 'samba' finished
> > starting up and ready to serve
> > connectionssamba_terminate: Cannot start Winbind (domainmember):
> > Failed to find record for TPLK in /usr/local/samba/private/secrets.ldb:
> > No such object: (null): Have you joined the TPLK domain?
> >
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org
> > [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> > Sent: Tuesday, 22 July 2014 15:20
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS
> > Domain
> >
> > On 22/07/14 14:03, Daniel Müller wrote:
> >> Dear all,
> >>
> >> I try to setup a samba 4 member server on centos 6.5. The wikis and
> >> howtos I have found are very confusing.
> >> Which is the right way to do this. So winbind can map the domain
> >> users and groups.
> >> What I have done yet is,
> >> Set up Kerberos working and can contact my ADS-kerberos Servers:
> >> klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: Administrator@TPLK.LOC
> >>
> >> Valid starting Expires Service principal
> >> 07/22/14 12:34:21 07/22/14 22:34:21 krbtgt/TPLK.LOC@TPLK.LOC
> >> renew until 07/29/14 12:34:18
> >>
> >> Installed samba4.1.9 from gz without any provision.
> >> Set winbind right : ldconfig -v |grep winbind
> >> ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-431.20.3.el6.x86_64.conf:6:
> >> duplicate hwcap 1 nosegneg
> >> libnss_winbind.so -> libnss_winbind.so.2
> >> libnss_winbind.so -> libnss_winbind.so.2
> >>
> >> set /etc/nsswitch.conf
> >> to:
> >> passwd: files winbind
> >> shadow: files
> >> group: files winbind
> >>
> >> hosts: files dns
> >>
> >> Do I have to provision the samba4 server in any way to establish a
> >> /usr/local/samba/etc/smb.conf?
> > No, you do not provision.
> >
> >> Or do I make smb.conf by hand?
> > Yes, you will have to create your smb.conf, this is usually where the
> > problems start, easiest way is to use RFC2307 attributes and the ad
> > backend, but you could use the rid backend or some other backend that
> > virtually few people use.
> >
> >> Do I have to start winbind in server protocols in [global]!?
> > winbind is a daemon just like smbd, so you need to start it just like
> > smbd, but I think that you mean 'do I have to add winbind lines to the
> > global part of smb.conf', if so, then yes if you want to use winbind.
> >
> >> What is the way to join right to the samba4 ads domain?
> > I normally just use the 'net' command:
> >
> > net ads join -U Administrator@EXAMPLE.COM
> >
> > Rowland
> >
> >> Greetings
> >> Daniel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
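
Added example (not part of the original thread and not Samba's own code): a Python check for the point made in the replies, that each uidNumber/gidNumber must fall inside the "idmap config TPLK:range" and that this range must not overlap the default "*" range. The idmap lines are the ones quoted above; the uidNumber values and the function names are constructed for illustration.

```python
import re

# Sample smb.conf: the idmap lines are the ones quoted in this thread.
SMB_CONF = """\
[global]
workgroup = TPLK
security = ADS
idmap config TPLK:range = 500-40000
idmap config TPLK:schema_mode = rfc2307
idmap config TPLK:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb
"""

# Constructed uidNumber values (not from the thread) to show both outcomes.
UID_NUMBERS = {"administrator": 10000, "fcbraun": 10001, "reiser": 45000}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' is (low, high), or None if malformed."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comments start the line
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if option == "range":
            # Strict: anything other than "low-high" (e.g. a trailing note) is malformed.
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            value = (int(r.group(1)), int(r.group(2))) if r else None
        domains.setdefault(domain, {})[option] = value
    return domains

def overlapping(domains):
    """Pairs of domains whose ID ranges intersect; idmap ranges must not overlap."""
    rs = sorted((d, o["range"]) for d, o in domains.items() if o.get("range"))
    return [(a, b) for i, (a, ra) in enumerate(rs) for b, rb in rs[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def outside_range(domains, domain, ids):
    """Accounts whose uidNumber/gidNumber falls outside the domain's range."""
    low, high = domains[domain.upper()]["range"]
    return sorted(name for name, n in ids.items() if not low <= n <= high)

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(cfg))
    print("outside TPLK range:", outside_range(cfg, "TPLK", UID_NUMBERS))
```

Accounts reported by outside_range() are the ones getent would not show with this range; real values would come from the uidNumber/gidNumber attributes in AD.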