[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Fri Jan 2 11:01:29 MST 2015


Rowland,

     That did it! Thank you so much. I do have a question regarding the 
'getent' command before setting up file shares. When I run 'getent group 
Domain\ Users' I get

domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8

Why does it show these specific users? I would assume it would only show 
my 'tuser'. I don't have uid's set for anyone else.

On 1/2/2015 12:38 PM, Rowland Penny wrote:
> On 02/01/15 17:26, James wrote:
>> Rowland,
>>
>>     I did forget to change it. Is it as simple as renaming now or did 
>> I screw up?
>>
>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>> On 02/01/15 17:07, James wrote:
>>>> Rowland,
>>>>
>>>>     I had a typo in my hosts file which is the reason my initial 
>>>> DNS update failed. Corrected and joined again. Successfully joined 
>>>> and updated DNS A record. I then made sure to give 'Domain users' an 
>>>> id of 10000. I am now able to run 'getent passwd' and see all my 
>>>> domain users! YES! However, I still see something that confuses me. 
>>>> When I run 'id tuser' I get the following.
>>>>
>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>
>>>> Why is the uid 2155 and not 10001?
>>>>
>>>>
>>>>
>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>> On 02/01/15 16:57, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     I've gotten a bit further. It appears my use of '.local' is 
>>>>>> causing the issue from what I've researched. I ran 
>>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to 
>>>>>> successfully join the domain.
>>>>>>
>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>> Using short domain name -- DOMAIN
>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>>     If you don't mind, I'd like to post my member server 
>>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>>> server (Ubuntu 12.04) is configured after fresh install and 
>>>>>>>> prior to Samba build. Anything I'm missing that could cause my 
>>>>>>>> issue as I proceed? I assume no other prerequisites must be 
>>>>>>>> done on the other DCs either? Thanks.
>>>>>>>>
>>>>>>>> # From Wiki for DC build
>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev 
>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl 
>>>>>>>> libcups2-dev acl
>>>>>>>>
>>>>>>>>
>>>>>>>> # Fstab file
>>>>>>>> ext4    errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>
>>>>>>>>
>>>>>>>> # Hosts File
>>>>>>>> 127.0.0.1       localhost
>>>>>>>> 172.16.232.25   pfmember1.domain.local    pfmember1
>>>>>>>>
>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>> fe00::0 ip6-localnet
>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>
>>>>>>>>
>>>>>>>> # Hostname File
>>>>>>>> pfmember1.domain.local
>>>>>>>
>>>>>>> If you are referring to /etc/hostname, then it should just 
>>>>>>> contain 'pfmember1'.
>>>>>>>
>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use 
>>>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> #/network/interfaces
>>>>>>>> # This file describes the network interfaces available on your 
>>>>>>>> system
>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>> interfaces(5).
>>>>>>>>
>>>>>>>> # The loopback network interface
>>>>>>>> auto lo
>>>>>>>> iface lo inet loopback
>>>>>>>>
>>>>>>>> # The primary network interface
>>>>>>>> auto eth0
>>>>>>>> iface eth0 inet static
>>>>>>>>         address 172.16.232.25
>>>>>>>>         netmask 255.255.255.0
>>>>>>>>         gateway 172.16.232.201
>>>>>>>>         network 172.16.232.0
>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>         dns-search domain.local
>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>>     I forgot to tell you the results were from my Domain 
>>>>>>>>>> Controller and not the member server. Member server returned 
>>>>>>>>>> something to the effect of 'user not found'. I am only 
>>>>>>>>>> starting the 3 services (smbd, nmbd and winbindd) listed in 
>>>>>>>>>> the wiki. Should I be starting Samba with command line 
>>>>>>>>>> switches to start as a member server? Is that even possible?
>>>>>>>>>
>>>>>>>>> Hi, there are two ways of running samba4: the classic or 
>>>>>>>>> original way that samba3 was used, or as an AD DC. If you run 
>>>>>>>>> samba4 in the classic way, you need to start the smbd & nmbd 
>>>>>>>>> daemons and optionally the winbind daemon. If you use samba4 
>>>>>>>>> as an AD DC, then you only start the samba daemon; this will 
>>>>>>>>> start any other required daemons. You only start the samba 
>>>>>>>>> daemon on an AD DC.
>>>>>>>>>
>>>>>>>>> As you are trying to set up a member server, you must carry 
>>>>>>>>> out the tests on the member server.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     Thanks for your smb.conf. I will attempt again using your 
>>>>>>>>>> smb.conf as a template and try again.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     I decided to start over with a fresh install and 
>>>>>>>>>>>> attempted again. Only change I made was to start my 
>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 10000 
>>>>>>>>>>>> and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>
>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>> sn: User
>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>> name: Test User
>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     I did. Unfortunately something is still amiss. I do 
>>>>>>>>>>>>>>>> receive a response from 'getent group domain 
>>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users group 
>>>>>>>>>>>>>>>>>> with a gid but I'm still unable to view them using 
>>>>>>>>>>>>>>>>>> 'id'. I do notice a few strange observations. If I go 
>>>>>>>>>>>>>>>>>> to another user to attempt to assign a uid, I get the 
>>>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I 
>>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups however 
>>>>>>>>>>>>>>>>>> appear to increment.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at 
>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. Wbinfo 
>>>>>>>>>>>>>>>>>>>> works as expected but not
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will 
>>>>>>>>>>>>>>>>>>>> only retrieve local machine users. Let me preface 
>>>>>>>>>>>>>>>>>>>> by saying this is an Ubuntu 12.04 server with Samba 
>>>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba 
>>>>>>>>>>>>>>>>>>>>>> AD Member Server)
>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a 
>>>>>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my 
>>>>>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to 
>>>>>>>>>>>>>>>>>>>>> your new member server
>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. 
>>>>>>>>>>>>>>>>>>>>> Sign your
>>>>>>>>>>>>>>>>>>>>> e-mail. More information at 
>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>>>>>>>>>> backend. For this to work, you need to add 
>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a 
>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain Users 
>>>>>>>>>>>>>>>>>>> group. The numbers that you add must be within the 
>>>>>>>>>>>>>>>>>>> range you set in your smb.conf; again, if you 
>>>>>>>>>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache 
>>>>>>>>>>>>>>>>> with 'net cache flush'.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from 
>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>
>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are 
>>>>>>>>>>> using the std windows start number 10000, which is the way I 
>>>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing 
>>>>>>>>>>> this on:
>>>>>>>>>>>
>>>>>>>>>>> [global]
>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>         security = ADS
>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>         domain master = no
>>>>>>>>>>>         local master = no
>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>         os level = 20
>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>
>>>>>>>>>>> Compare it with yours; I can assure you it works.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> -James
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> -James
>>>>>
>>>>> OK, you have *now* found out one of the reasons you shouldn't use 
>>>>> the .local suffix.
>>>>>
>>>>> But does anything else work?
>>>>>
>>>>> Rowland
>>>>
>>>> -- 
>>>> -James
>>>
>>> OK, well it seems to be a step in the right direction :-)
>>>
>>> Have you changed 'EXAMPLE' in these lines:
>>>
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 2000-9999
>>>         idmap config EXAMPLE : backend  = ad
>>>         idmap config EXAMPLE : range = 10000-999999
>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>
>>> They need to be changed for your *WORKGROUP* name.
>>>
>>> Rowland
>>>
>>>
>>
>> -- 
>> -James
>
> Just change it, stop samba and winbind, run 'net cache flush' and 
> restart samba & winbind.
>
> Rowland
>

-- 
-James
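As an added diagnostic, not code from the thread or from the Samba project, the script below checks the two things Rowland's replies turn on: that the idmap stanza names the member server's real workgroup with the 'ad' backend (rather than the 'EXAMPLE' left over from his template), and that a user's uidNumber/gidNumber fall inside that domain's range. The smb.conf and LDIF fragments are constructed from values quoted in the thread (workgroup DOMAIN, uidNumber 10001, gidNumber 10000).

```python
import re

# Constructed sample: Rowland's idmap lines with 'EXAMPLE' left unchanged
# on a member server whose workgroup is actually DOMAIN.
SMB_CONF = """[global]
        workgroup = DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE:schema_mode = rfc2307
"""

# Constructed LDIF fragment with the RFC2307 attributes ldbedit showed for tuser.
LDIF = """sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s*([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_smb_conf(text):
    """Return (WORKGROUP, {DOMAIN: {key: value}}) from the idmap config lines."""
    m = re.search(r"^\s*workgroup\s*=\s*(\S+)", text, re.M)
    workgroup = m.group(1).upper() if m else None
    idmap = {}
    for dom, key, val in IDMAP_RE.findall(text):
        idmap.setdefault(dom.upper(), {})[key] = val
    return workgroup, idmap

def parse_ldif(text):
    """Minimal 'attribute: value' parser for a single-entry LDIF fragment."""
    return dict(re.findall(r"^(\w+):\s*(.+?)\s*$", text, re.M))

def check_idmap(smb_conf, ldif):
    """Return findings; an empty list means winbind should map the user via 'ad'."""
    workgroup, idmap = parse_smb_conf(smb_conf)
    entry = parse_ldif(ldif)
    dom = idmap.get(workgroup)
    if not dom or dom.get("backend") != "ad":
        # No stanza for the real workgroup: winbind falls back to the '*' domain,
        # which is how 'tuser' ended up with uid 2155 from the 2000-9999 tdb range.
        return [f"no 'idmap config {workgroup} : backend = ad' stanza; "
                "winbind will allocate IDs from the '*' tdb range instead"]
    lo, hi = (int(x) for x in dom["range"].split("-"))
    return [f"{attr}={entry[attr]} outside {workgroup} range {lo}-{hi}"
            for attr in ("uidNumber", "gidNumber")
            if not lo <= int(entry[attr]) <= hi]
```

Run `check_idmap(SMB_CONF, LDIF)` against a real smb.conf and an `ldbedit`/`ldbsearch` dump to confirm the stanza and ranges before running `net cache flush` and restarting winbind.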
