[Samba] help, please, troubleshooting winbind testing during setup of Samba 4 AD member server
BISI
d3r3kshaw at gmail.com
Mon Jan 12 18:07:17 MST 2015
Found it! (Thanks to Louis van Belle and Rowland Penny for their guidance).
The wiki page for
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server *really*
needs a note about this to be added. It will save a lot of frustration
and wasted time for others coming behind.
The reason I say this is that a default Windows Server 2008 R2 install,
*does not provide* the necessary tools to allow a Samba 4 AD Member
Server to enumerate the users and groups for the domain. So it will
join the domain, and wbinfo -u and wbinfo -g report info, but the member
server is still essentially useless - unavailable to the domain users.
Thus, if you are using the wiki as a guide, with a Windows Server 2008 R2
Domain Controller, you will hit the same wall as I have.
To fix this situation, somewhere in "Section 2 Preconditions" there
should be a mention (say, section 2.3) of installing said tools.
Feel free to cut and paste the following in place if you have editing
privileges (formatted for mediaWiki).
==Windows Domain Controller==
'''This will require a server reboot'''
If you have a Windows Domain Controller you are '''strongly advised''' to
add the "Identity Management for Unix" Role (IDMU), so that you will be
able to use the schema_mode = rfc2307 option of Samba to keep userIDs in
sync on multiple member servers. Not doing so invites a lot of
problems, and all the documentation presented here assumes you will be
using the schema_mode = rfc2307 option.
Here's what Microsoft have to say about IDMU:
<blockquote>Identity Management for UNIX is deprecated. If you try to
upgrade a computer that runs Identity Management for UNIX, you may
receive a warning that it must be removed before the upgrade can
proceed. In that case, see Installing or removing Identity Management
for UNIX by using a command line.</blockquote>
[http://technet.microsoft.com/en-us/library/cc772571.aspx MS Technet
Article cc772571]
*Damn the torpedoes! (install IDMU on Server 2008 R2)
#Control Panel -> administrative tools -> server manager
#Expand Roles
#Click on "Active Directory Domain Services" (AD DS, in the technet docs)
#Scroll down to "Role Services" section
#Click on "Add Role Services" (link)
#Select "Identity Management for UNIX"
##That will also select 3 sub-services, including "Server for Network Information Services" and "Administration Tools"
#Next (button)
#Install (button)
Now you can use ADUC to see and set the "UNIX Attributes" tab in
properties for users and groups.
Next step is to set the UID and GID for users/groups you want to be able
to see from the Member Server.
Some people say you need to match your settings in the smb.conf for
the member server (or vice-versa). I'm not sure that's true -- Windows
defaults to 10000, and using that number or 500 had no apparent effect
on the reported UID or GID at the member server.
So, using the example smb.conf from the
[https://wiki.samba.org/index.php?title=Setup_a_Samba_AD_Member_Server
AD Member Server page], matching the UID/GID numbers means:
<blockquote> idmap config SAMDOM:range = 500-40000 </blockquote>
nb - this is probably *not* a good range to use, since 500 is well
within the normal linux userID ranges.
Start with the groups in Builtin OU ('cause the users need a primary
group) (Assuming a stock Server 2008 R2 Server Standard install)
Administrators
NIS domain: samdom; GID: 500
Now go to the Users OU and do the groups:
Domain Admins
NIS Domain: samdom; GID: 501
Domain Users
NIS Domain: samdom; GID: 502
Enterprise Admins
NIS Domain: samdom; GID 503
etc.
NOTE - I think you have to manually keep track of the NEXT UID number
'cause ADUC always pops up with 10000 by default (I'm sure there's a way
to configure it -- I've spent enough time on this already. Future me
(or future you) can figure that out.)
Now edit the built-in Administrator user
Administrator
NIS Domain: samdom; UID: 500; Login Shell: /bin/whatever; Home Directory: /home/administrator; Primary group name/GID: Administrators
(Should be what you set up in the Builtin OU)
Now edit any existing users in any other OUs you might be using...
Fred
NIS Domain: samdom; UID: 501; Login Shell: /bin/false; Home Directory: /home/fred; Primary group name/GID: Domain Users
Sally
etc.
Now you should be able to enumerate the users and groups of the AD
Domain from the member server with the tests shown in Section 9 of the
wiki (id DomainUser, getent passwd, etc.). At least I was finally able
to do so.
Cheers!
d.
On 15-01-08 07:16 PM, BISI wrote:
> Hello, all!
>
> Well, third time is *not* the charm for me. (I've been through the
> process 3 times with 3 different DCs).
>
> I am trying to set up a member server, using Samba 4.1.14, and washing
> out when getting to the winbind testing. I've tried ignoring the failure
> and pressing on, but that didn't get anywhere.
>
> In this instance, I have a freshly-installed, configured and functioning
> Server 2008r2 Domain Controller, operating at server 2003 forest and
> domain functional level.
>
> following the instructions in:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> https://wiki.samba.org/index.php/OS_Requirements
>
>
> Completely stock compile from the tarball. I am using Debian 7.7
> (wheezy), and samba 4.1.14,
>
> ./configure --with-ads --with-shared-modules=idmap_ad --enable-cups \
> --enable-selftest
>
> make quicktest passes:
> make quicktest
> ...ALL OK (2086 tests in 310 testsuites)
>
> ...A summary with detailed information can be found in:
> ... ./st/summary
> ...'testonly' finished successfully (11m24.779s)
>
> ./st/summary is found here:
> http://pastebin.com/zjkHDYUX
>
>
> daemons started manually with
> /usr/local/samba/sbin/smbd --daemon -l /var/log/samba/ -d 1
> /usr/local/samba/sbin/nmbd --daemon -l /var/log/samba/ -d 1
> /usr/local/samba/sbin/winbindd --daemon -l /var/log/samba/ -d 1
>
>
> The commands:
> wbinfo -u
> wbinfo -g
> show the users and groups from the AD Domain.
>
> but the other tests
> # id DomainUser
> # getent passwd
> # getent group
> # chown DomainUser:DomainGroup file
> # chgrp DomainGroup file
> etc.
> do not get any information from the domain, seemingly only working with
> the local user information.
>
> Where do I begin troubleshooting?
>
> Any help/guidance is greatly appreciated.
>
> my smb.conf is here:
> http://pastebin.com/QJfh4RLN
>
> log.winbindd (created with debug level 1) is here:
> http://pastebin.com/S2maUADf
>
> Kerberos seems to be working:
> root at testmember:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: userID at HO.NAME.ORG
>
> Valid starting Expires Service principal
> 08/01/2015 18:46 09/01/2015 04:46 krbtgt/HO.NAME.ORG at HO.NAME.ORG
> renew until 09/01/2015 18:46
>
>
> root at testmember:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> <snip>
>
> DNS seems to be working:
> root at testmember:~# host -t SRV _ldap._tcp.ho.name.org.
> _ldap._tcp.ho.name.org has SRV record 0 100 389 namedc.ho.name.org.
>
> root at testmember:~# host -t SRV _kerberos._udp.ho.name.org.
> _kerberos._udp.ho.name.org has SRV record 0 100 88 namedc.ho.name.org.
>
> root at testmember:~# host -t A namedc.ho.name.org.
> namedc.ho.name.org has address 192.168.8.1
>
> Thanks in advance for any help!
> d.
>
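The reply above boils down to two things a member server admin wants to check before blaming winbind: every AD account that should be visible has a uidNumber/gidNumber set, and those numbers fall inside the `idmap config SAMDOM:range` in smb.conf (idmap_ad treats the range as a filter and silently discards mappings outside it, which is exactly the "wbinfo -u works but id/getent don't" symptom). The following POSIX shell script is an added example, not code from the post or from the Samba wiki; the smb.conf fragment, the AD account export and the /etc/passwd extract are constructed sample data embedded inline, and the range 500-40000 is the one quoted in the reply.

```shell
#!/bin/sh
# Added example: a pre-flight check for an rfc2307 member-server setup.
# Not code from the mailing-list post or the Samba wiki; all input below
# is constructed sample data, not real configuration.

# Constructed smb.conf fragment, modelled on the range quoted in the post.
SMB_CONF_SAMPLE='[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
'

# Constructed export of AD accounts: "sAMAccountName uidNumber gidNumber".
# A dash means the UNIX attribute was never set in ADUC.
AD_USERS_SAMPLE='administrator 500 500
fred 501 502
sally 50000 502
bob - -
'

# Constructed extract of the member server's /etc/passwd: "name:uid".
LOCAL_PASSWD_SAMPLE='root:0
daemon:1
www-data:33
derek:1000
'

# idmap_range SMBCONF DOMAIN -> prints "LOW HIGH" for that domain's range.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        $0 ~ ("idmap config[ \t]*" dom "[ \t]*:[ \t]*range") {
            sub(/.*=[ \t]*/, "")   # keep only the value after "="
            gsub(/-/, " ")         # "500-40000" -> "500 40000"
            print; exit
        }'
}

# unmapped_users ADEXPORT LOW HIGH -> names whose uidNumber is unset or
# outside LOW..HIGH. idmap_ad uses the range as a filter, so winbind
# drops these even though "wbinfo -u" still lists them.
unmapped_users() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        NF >= 2 && ($2 == "-" || $2+0 < lo+0 || $2+0 > hi+0) { print $1 }'
}

# local_collisions PASSWD LOW HIGH -> local accounts whose uid sits inside
# the domain range (the problem the post notes with a range starting at 500).
local_collisions() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        NF >= 2 && $2+0 >= lo+0 && $2+0 <= hi+0 { print $1 }'
}

# report SMBCONF DOMAIN ADEXPORT PASSWD -> human-readable summary.
report() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "no idmap range found for $2"; return 1; }
    lo=${range% *}
    hi=${range#* }
    echo "idmap range for $2: $lo-$hi"
    echo "AD accounts winbind will NOT map:"
    unmapped_users "$3" "$lo" "$hi" | sed 's/^/  /'
    echo "local accounts colliding with the range:"
    local_collisions "$4" "$lo" "$hi" | sed 's/^/  /'
}

report "$SMB_CONF_SAMPLE" SAMDOM "$AD_USERS_SAMPLE" "$LOCAL_PASSWD_SAMPLE"
```

On a real member server the constructed strings would be replaced by `cat /etc/samba/smb.conf`, an LDAP export of `sAMAccountName uidNumber gidNumber`, and `/etc/passwd`; with the sample data the report lists `sally` (uidNumber above the range) and `bob` (no UNIX attributes) as accounts winbind will not map, and flags the local `derek` account because a range starting at 500 overlaps ordinary Debian user IDs.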