[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 5 09:00:42 MST 2015


On 05/01/15 14:59, James wrote:
>     That is actually the wiki page I am currently referencing in my 
> question.  From the wiki you can see the 'Everyone' group. I would 
> normally remove and add domain users or authenticated users. That 
> prompted me to ask myself "what if I wanted the everyone group to have 
> access?" How does the member server know who the everyone group is 
> since the share is created on the server? What mappings, if any, do I 
> need to make sure are in place?

OK, this is a good question :-)

If you examine your smb.conf, you should find these two lines:

         idmap config * : backend = tdb
         idmap config * : range = 2000-9999

What do they mean ?

Well, idmap is fairly obvious: map the ID. '*' is for trusted domains 
and local groups, 'backend = tdb' is where to store the result, and 'range = 
2000-9999' gives the numbers to use.
So the first line means: store trusted domains and local groups in a tdb 
file; the second line gives the number to start at (2000) and what the 
last number will be (9999). The users & groups are allocated numbers as 
they are found, which means they could have different numbers on 
different machines; this is not a problem as they are treated as local 
identities. It works in a similar way to idmap.ldb on the DC, which is a 
problem when it comes to 'sysvol', and is why it is advisable to sync 
idmap.ldb between DCs.

OK, how do we prove that it works ?

Well, you referred to 'Everyone'; this has the well-known SID 'S-1-1-0'.

Run (on the member server): 'sudo wbinfo -Y S-1-1-0'

on mine it returns '2002'

So if we now create a directory on the member server

sudo mkdir /home/acltest

and set an ACL for 'Everyone'

sudo setfacl -m g:2002:rwx /home/acltest

read the directory's ACLs:

getfacl /home/acltest
getfacl: Removing leading '/' from absolute path names
# file: home/acltest
# owner: root
# group: root
user::rwx
group::r-x
group:2002:rwx
mask::rwx
other::r-x

It shows here that group '2002' has full permissions on the directory, 
but if you share the directory via Samba and go to the share on a 
Windows machine, it would show that 'Everyone' has full permissions on 
the share.

Rowland
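The idmap behaviour described in the reply above (the '*' tdb range handing out IDs in first-seen order, so the same SID gets different numbers on different machines; the domain's ad backend taking uidNumber/gidNumber from AD and ignoring values outside its range; and a well-known SID such as S-1-1-0 appearing as a bare number in getfacl output) as a small Python model. This is an added example, not Samba's code and not from the thread: the domain SID, the AD objects, the getfacl text and the in-memory dict standing in for winbind's idmap tdb are all constructed.

```python
import re

# Constructed smb.conf fragment: the idmap lines mirror the ones quoted in the thread.
SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""
# Well-known SIDs: present on every Windows host, never objects in AD.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "SYSTEM", "S-1-5-32-545": "BUILTIN\\Users"}
# Constructed domain SID and a tiny stand-in for AD objects carrying RFC2307 attributes.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
AD_OBJECTS = {
    DOMAIN_SID + "-513": {"name": "Domain Users", "gidNumber": 10000},
    DOMAIN_SID + "-3126": {"name": "tuser", "uidNumber": 10001, "gidNumber": 10000},
    DOMAIN_SID + "-3127": {"name": "nouid"},                      # no uidNumber set
    DOMAIN_SID + "-3128": {"name": "lowuid", "uidNumber": 5000},  # outside the ad range
}
# Constructed getfacl output in the shape shown in the thread.
GETFACL = ("# file: home/acltest\n# owner: root\n# group: root\n"
           "user::rwx\ngroup::r-x\ngroup:2002:rwx\nmask::rwx\nother::r-x\n")
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap_config(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for domain, key, value in IDMAP_RE.findall(conf):
        cfg.setdefault(domain, {})[key] = value
    return cfg

def parse_range(spec):
    """'2000-9999' -> (2000, 9999)"""
    return tuple(int(x) for x in spec.split("-"))

class MemberServerIdmap:
    """Model of winbind's two-tier mapping: the domain's 'backend = ad' reads uidNumber/
    gidNumber from AD; 'idmap config * : backend = tdb' allocates IDs locally, in
    first-seen order, for everything else (well-known and BUILTIN SIDs)."""

    def __init__(self, conf, workgroup, domain_sid, ad_objects):
        cfg = parse_idmap_config(conf)
        self.ad_range = parse_range(cfg[workgroup]["range"])
        self.tdb_range = parse_range(cfg["*"]["range"])
        self.domain_sid, self.ad = domain_sid, ad_objects
        self.tdb = {}                      # sid -> id: this machine's local allocations
        self.next_id = self.tdb_range[0]   # the tdb backend hands out IDs sequentially

    def sid_to_id(self, sid):
        """Unix ID for a SID, or None where winbind would leave the SID unmapped."""
        if sid.startswith(self.domain_sid + "-"):
            obj = self.ad.get(sid, {})
            num = obj.get("uidNumber", obj.get("gidNumber"))
            lo, hi = self.ad_range
            # ad backend: the attribute must exist and lie inside the configured range
            return num if num is not None and lo <= num <= hi else None
        if sid not in self.tdb:
            if self.next_id > self.tdb_range[1]:
                raise RuntimeError("idmap range for '*' exhausted")
            self.tdb[sid] = self.next_id
            self.next_id += 1
        return self.tdb[sid]

    def id_to_name(self, num):
        """Reverse lookup for the '*' tdb: the name Windows shows for an allocated ID."""
        for sid, allocated in self.tdb.items():
            if allocated == num:
                return WELL_KNOWN.get(sid, sid)
        return None

def annotate_getfacl(output, idmap):
    """Rewrite user:ID:perms / group:ID:perms entries with the resolved name."""
    lines = []
    for line in output.splitlines():
        m = re.match(r"^(user|group):(\d+):(\S+)$", line)
        if m:
            name = idmap.id_to_name(int(m.group(2))) or m.group(2)
            line = f"{m.group(1)}:{name}:{m.group(3)}"
        lines.append(line)
    return lines

def demo():
    # Two member servers with identical smb.conf, meeting the same SIDs in different order.
    a = MemberServerIdmap(SMB_CONF, "EXAMPLE", DOMAIN_SID, AD_OBJECTS)
    b = MemberServerIdmap(SMB_CONF, "EXAMPLE", DOMAIN_SID, AD_OBJECTS)
    for sid in ("S-1-5-32-545", "S-1-5-11", "S-1-1-0"):
        a.sid_to_id(sid)
    for sid in ("S-1-1-0", "S-1-5-11", "S-1-5-32-545"):
        b.sid_to_id(sid)
    return {
        "everyone_a": a.sid_to_id("S-1-1-0"),          # 2002, like the thread's wbinfo -Y
        "everyone_b": b.sid_to_id("S-1-1-0"),          # 2000: same SID, other box, other ID
        "tuser_a": a.sid_to_id(DOMAIN_SID + "-3126"),  # 10001 on both: the value comes from AD
        "tuser_b": b.sid_to_id(DOMAIN_SID + "-3126"),
        "nouid": a.sid_to_id(DOMAIN_SID + "-3127"),    # None: no uidNumber, invisible to getent
        "lowuid": a.sid_to_id(DOMAIN_SID + "-3128"),   # None: uidNumber outside 10000-999999
        "acl": annotate_getfacl(GETFACL, a),           # group:2002:rwx -> group:Everyone:rwx
    }
```

Calling demo() shows S-1-1-0 resolving to 2002 on one server and 2000 on the other, while tuser is 10001 on both because that number is read from AD rather than allocated; a user with no uidNumber, or with one outside the domain's idmap range, resolves to None, which is what an empty getent passwd response in the thread corresponds to.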
>
> On 1/5/2015 9:12 AM, Rowland Penny wrote:
>> On 05/01/15 14:00, James wrote:
>>> Hi Rowland,
>>>
>>>     Yes. When I create a share I get the expected 'Everyone' group 
>>> under 'Share Permissions' for example. I'm assuming I must map this 
>>> object to Unix so all windows users can access this share. However 
>>> in AD there is no 'Everyone' group to set a gid. I wouldn't 
>>> necessarily expect one either. I'm currently under the mind set that 
>>> with a member server I must have a uid/gid for every object assigned 
>>> on the share.
>>
>> AH, light dawns, you are creating a share on a windows machine and 
>> setting the permissions from windows. You cannot really map the users 
>> & groups you refer to, because they are windows only users.
>>
>> Samba 4 does map them to xidNumbers via idmap.ldb; you can see them 
>> via:
>>
>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>
>> There is a wiki page you might like to take a look at: 
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>
>> Rowland
>>
>>>
>>> On 1/5/2015 8:37 AM, Rowland Penny wrote:
>>>> On 05/01/15 13:28, James wrote:
>>>>> Rowland,
>>>>>
>>>>>     Thanks so far for the assistance. I have a question about 
>>>>> setting up shares on a member server. How do I map to users or 
>>>>> groups that do not display in AD(Everyone,System,Authenticated 
>>>>> Users)?
>>>>
>>>> Could you be a bit more specific here, are you talking about 
>>>> mapping these windows objects to Unix, or something else ?
>>>>
>>>> Rowland
>>>>>
>>>>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>>>>> On 02/01/15 18:59, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>>     That was the issue. Windows computer management console 
>>>>>>> showed 0 connections. That obviously wasn't correct. A reboot 
>>>>>>> corrected the issue. ACL's working as expected. I probably 
>>>>>>> should have run a 'netstat' to verify.
>>>>>>>
>>>>>>>     Any best practices on who should or shouldn't have uid's or 
>>>>>>> gid's set in AD? I've read where the Administrator account 
>>>>>>> should not have one set.
>>>>>>
>>>>>> Cannot say that I know of any best practices, but I only give 
>>>>>> Domain Admins and Domain Users a gidNumber and Administrator 
>>>>>> should already be mapped to root (that is if you changed 
>>>>>> 'Example' in /etc/samba/smbmap).
>>>>>>
>>>>>> Rowland
>>>>>>>
>>>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>>>>> On 02/01/15 18:35, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>>     Thanks for the clarification. It appears the member server 
>>>>>>>>> is joined and I have created a share.
>>>>>>>>>
>>>>>>>>> [demoshare]
>>>>>>>>>     path = /srv/samba/test
>>>>>>>>>     read only = no
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' 
>>>>>>>>> per the wiki. I can navigate to the share using Windows 
>>>>>>>>> Explorer. If I set the share permissions to only me (Full 
>>>>>>>>> Control), I can't access the share. The 'Everyone' and 'Domain 
>>>>>>>>> Users' group allows me access. On my DC's this has worked in 
>>>>>>>>> the past. Am I missing something? This is the error I receive.
>>>>>>>>>
>>>>>>>>> \\pfmember1\demoshare is not accessible. You might not have 
>>>>>>>>> permission to use this network resource. Contact the 
>>>>>>>>> administrator of this server to find out if you have access 
>>>>>>>>> permissions.
>>>>>>>>>
>>>>>>>>> Multiple connections to a server or shared resource by the 
>>>>>>>>> same user, using more than one user name, are not allowed. 
>>>>>>>>> Disconnect all previous connections to the server or shared 
>>>>>>>>> resource and try again.
>>>>>>>>
>>>>>>>> You seem to have a connection to the share already open, close 
>>>>>>>> this and try again.
>>>>>>>> If this fails, post the results of:
>>>>>>>>
>>>>>>>> ls -la /srv/samba/test
>>>>>>>>
>>>>>>>> and
>>>>>>>>
>>>>>>>> getfacl /srv/samba/test
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>>>>> Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     That did it! Thank you so much. I do have a question 
>>>>>>>>>>> regarding the 'getent' command before setting up file 
>>>>>>>>>>> shares. When I run 'getent group Domain\ Users' I get
>>>>>>>>>>>
>>>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>>>>
>>>>>>>>>>> Why does it show these specific users? I would assume it 
>>>>>>>>>>> would only show my 'tuser'. I don't have uid's set for 
>>>>>>>>>>> anyone else.
>>>>>>>>>>
>>>>>>>>>> When you run 'getent group Domain\ Users' it gets the groups 
>>>>>>>>>> gidNumber (10000 in your case) and the contents any 'member' 
>>>>>>>>>> attributes, so I presume if you examine the groups AD object, 
>>>>>>>>>> you would find 8 'member' attribute lines.
>>>>>>>>>>
>>>>>>>>>> But if you were to run 'getent passwd user5', you would only 
>>>>>>>>>> get a response if 'user5' has a 'uidNumber'.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>>     I did forget to change it. Is it as simple as renaming 
>>>>>>>>>>>>> now or did I screw up?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     I had a typo in my hosts file which is the reason my 
>>>>>>>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>>>>>>>> Successfully joined and updated DNS A record. I then 
>>>>>>>>>>>>>>> made sure to give 'Domain users' an id of 10000. I am now 
>>>>>>>>>>>>>>> able to run 'getent passwd' and see all my domain users! 
>>>>>>>>>>>>>>> YES! However I still see something that confuses me. 
>>>>>>>>>>>>>>> When I run 'id tuser' I get the following.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>     I've gotten a bit further. It appears my use of 
>>>>>>>>>>>>>>>>> '.local' is causing the issue from what I've 
>>>>>>>>>>>>>>>>> researched. I ran '/etc/init.d/avahi-daemon stop'. 
>>>>>>>>>>>>>>>>> This allowed me to successfully join the domain.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: 
>>>>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     If you don't mind I like to post my member 
>>>>>>>>>>>>>>>>>>> server configuration as I attempt again. This is how 
>>>>>>>>>>>>>>>>>>> my member server(Ubuntu 12.04) is configured after 
>>>>>>>>>>>>>>>>>>> fresh install and prior to Samba build. Anything I'm 
>>>>>>>>>>>>>>>>>>> missing that could cause my issue as I proceed? I 
>>>>>>>>>>>>>>>>>>> assume no other prerequisites must be done on the 
>>>>>>>>>>>>>>>>>>> other DC's either? Thanks.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev 
>>>>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev 
>>>>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev 
>>>>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user 
>>>>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 
>>>>>>>>>>>>>>>>>>> 1       1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable 
>>>>>>>>>>>>>>>>>>> hosts
>>>>>>>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should 
>>>>>>>>>>>>>>>>>> just contain 'pfmember1'.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you 
>>>>>>>>>>>>>>>>>> were to use Debian Wheezy and backports, you wouldn't 
>>>>>>>>>>>>>>>>>> have to compile samba4.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>>>>>>>>> # This file describes the network interfaces 
>>>>>>>>>>>>>>>>>>> available on your system
>>>>>>>>>>>>>>>>>>> # and how to activate them. For more information, 
>>>>>>>>>>>>>>>>>>> see interfaces(5).
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>     I forgot to tell you the results were from my 
>>>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. 
>>>>>>>>>>>>>>>>>>>>> Member server returned something to the effect of 
>>>>>>>>>>>>>>>>>>>>> 'user not found'. I am only starting the 3 
>>>>>>>>>>>>>>>>>>>>> services(smbd,nmbd and windbindd) listed in the 
>>>>>>>>>>>>>>>>>>>>> wiki. Should I be starting Samba with command line 
>>>>>>>>>>>>>>>>>>>>> switches to start as a member server? Is that even 
>>>>>>>>>>>>>>>>>>>>> possible?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the 
>>>>>>>>>>>>>>>>>>>> classic or original way that samba3 was used, or as 
>>>>>>>>>>>>>>>>>>>> an AD DC. If you run samba4 in the classic way, you 
>>>>>>>>>>>>>>>>>>>> need to start the smbd & nmbd daemons and 
>>>>>>>>>>>>>>>>>>>> optionally the winbind daemon. If you use samba4 as 
>>>>>>>>>>>>>>>>>>>> an AD DC, then you only start the samba daemon, 
>>>>>>>>>>>>>>>>>>>> this will start any other required daemons, you 
>>>>>>>>>>>>>>>>>>>> only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you 
>>>>>>>>>>>>>>>>>>>> must carry out the tests on the member server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>     Thanks for you smb.conf. I will attempt again 
>>>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>     I decided to start over with a fresh install 
>>>>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to 
>>>>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain 
>>>>>>>>>>>>>>>>>>>>>>> Users' group gid 10000 and 'tuser' has uid 
>>>>>>>>>>>>>>>>>>>>>>> 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>>>>> objectSid: 
>>>>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local 
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test 
>>>>>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank 
>>>>>>>>>>>>>>>>>>>>>>>>> terminal line.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still 
>>>>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent 
>>>>>>>>>>>>>>>>>>>>>>>>>>> group domain users'(users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> users group with a gid but I'm still 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> unable to view them using 'id'. I do 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> notice a few strange observations. If I go 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to another user to attempt to assign a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> uid. I get the default value of 10000. I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> would expect 2001 given I set the first 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> server. Following along with the wiki I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get stuck at 'Testing the Winbind 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It will only retrieve local machine 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> users. Let me preface by saying this is 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> a Ubuntu 12.04 server with Samba 4.1.14. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wiki(Setup a Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> order for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new memberserver
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. Further information at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> using the 'ad' backend. For this to work, 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you need to add 'uidNumber' attributes to 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your users and a 'gidNumber' attribute to 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at least the Domain Users group. The 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> numbers that you add must be between the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> range you set in your smb.conf, again if 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you followed the wiki, this will be 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines 
>>>>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a 
>>>>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, 
>>>>>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H 
>>>>>>>>>>>>>>>>>>>>>>>> /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as 
>>>>>>>>>>>>>>>>>>>>>> such you are using the std windows start number 
>>>>>>>>>>>>>>>>>>>>>> 10000, which is the way I run samba. Here is my 
>>>>>>>>>>>>>>>>>>>>>> smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you 
>>>>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>         idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> -James
>>>>>>>>>>>>
>>>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache 
>>>>>>>>>>>> flush' and restart samba & winbind.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> -James
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> -James
>>>>>>
>>>>>
>>>>> -- 
>>>>> -James
>>>>
>>>
>>> -- 
>>> -James
>>
>
> -- 
> -James


