Samba 4 Domain Member - problem

Carlos Miguel Bustillo Rodriguez cbustillo at uclv.edu.cu
Sat Dec 21 08:10:13 MST 2013


Rowland:

I use Samba 4.1.3 from sernet on Debian Wheezy /x86_64. I made links in /lib and lib64, but in this case the library is located in /lib/x86_64-linux-gnu/:
ln -s lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and
ln -s lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib64/libnss_winbind.so.2


>I also edited /etc/nsswitch.conf and added 'winbind' to the passwd &
>group lines

Yes I did it too.

>Then (with the ad backend) I got all the users via getent.

First I used the ad backend, then I changed to the rid backend (following Denis's recommendation).

>Have you started the 'winbindd' daemon ?

Yes, I have started the winbindd, smbd and nmbd daemons.

I will try Samba 4.1.3 from sources.

Regards, Carlos
________________________________________
From: Rowland Penny [repenny241155 at gmail.com]
Sent: Saturday, December 21, 2013 6:11
To: Carlos Miguel Bustillo  Rodriguez; samba-technical at lists.samba.org; denis.cardon at tranquil-it-systems.fr
Subject: Re: Samba 4 Domain Member - problem

On 20/12/13 21:12, Carlos Miguel Bustillo Rdguez wrote:
> I agree with you. Then I increased the range in
>
> idmap config MYDOMAIN:range =
>
>
> and changed the backend to rid, as Denis says in the next mail.
> Now more users are recognized by the "id" command. I can see my domain groups
> with wbinfo -g and all domain users with wbinfo -u
> For example, this user "bfeliu" is shown when I run "wbinfo -u" but when
> I run:
> # id bfeliu
> id: bfeliu: No such user
> # wbinfo -i bfeliu
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user bfeliu
>
> I note that if a user is not recognized by the "id" command, then they can't
> log on to the network share.
>
> One more thing: I note that libnss_winbind.so and libnss_winbind.so.2
> are linked by default in /lib/x86_64-linux-gnu/. Is it necessary to
> link these libraries in /lib for i386 or in /lib64 for amd64, as it says in
> https://wiki.samba.org/index.php/Samba/Domain_Member??
>
The last time I tried Samba4 as a memberserver (compiled from source &
running on Linux Mint 13 x86_64)  I had to create the links myself:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

I also edited /etc/nsswitch.conf and added 'winbind' to the passwd &
group lines

Then (with the ad backend) I got all the users via getent.

Have you started the 'winbindd' daemon ?

Rowland

> Thanks for your help.
>
> Regards, Carlos
>
> On 12/20/2013 12:48 PM, Rowland Penny wrote:
>> On 20/12/13 17:39, Carlos Miguel Bustillo Rdguez wrote:
>>> Our domain is based entirely on Windows Server 2008R2.
>>>
>>> I don't really understand your question.
>>>
>>> Is it necessary that domain users have uidNumbers?? Where can I see these
>>> numbers??
>>>
>>> Thanks, Carlos
>>> On 12/20/2013 12:27 PM, Rowland Penny wrote:
>>>> On 20/12/13 17:11, Carlos Miguel Bustillo Rdguez wrote:
>>>>> Rowland:
>>>>>
>>>>>     Thanks for your time. I have followed your recommendation, but the
>>>>> problem remains:
>>>>>
>>>>> # wbinfo -i mmorales
>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>> Could not get info for user mmorales
>>>>>
>>>>> # id mmorales
>>>>> id: mmorales: No such user
>>>>>
>>>>> Why did the "id" command work initially?
>>>>> Sometimes the "id" command identifies the users and other times it doesn't.
>>>>>
>>>>> Regards, Carlos
>>>>>
>>>>> PS: Happy Christmas to all!!
>>>>>
>>>>> On 12/20/2013 04:37 AM, Rowland Penny wrote:
>>>>>> On 19/12/13 23:12, Carlos Miguel Bustillo Rdguez wrote:
>>>>>>> Hello list:
>>>>>>>
>>>>>>> Recently I joined my Samba 4.1.3 (from Sernet packages in Debian
>>>>>>> Wheezy)
>>>>>>> to my Microsoft Windows 2008R2 Domain as a member server.
>>>>>>>
>>>>>>> I followed the steps in
>>>>>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>>>>>>>
>>>>>>> Initially all worked perfectly, but later I noticed that some users
>>>>>>> in my
>>>>>>> MSAD don't appear when I use the "id" command:
>>>>>>> # id joe
>>>>>>> id: joe: No such user
>>>>>>>
>>>>>>> These are the result from "testparm" command:
>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>>>>> (16384)
>>>>>>> Processing section "[pkt]"
>>>>>>> Processing section "[test]"
>>>>>>> Loaded services file OK.
>>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>
>>>>>>> [global]
>>>>>>>        workgroup = MYDOMAIN
>>>>>>>        realm = MYDOMAIN.COM
>>>>>>>        security = ADS
>>>>>>>        winbind enum users = Yes
>>>>>>>        winbind enum groups = Yes
>>>>>>>        winbind use default domain = Yes
>>>>>>>        winbind nss info = rfc2307
>>>>>>>        idmap config MYDOMAIN:range = 500-100000
>>>>>>>        idmap config MYDOMAIN:schema_mode = rfc2307
>>>>>>>        idmap config MYDOMAIN:backend = ad
>>>>>>>        idmap config *:range = 70001-80000
>>>>>>>        idmap config * : backend = tdb
>>>>>>>        map acl inherit = Yes
>>>>>>>        printing = bsd
>>>>>>>        print command = lpr -r -P'%p' %s
>>>>>>>        lpq command = lpq -P'%p'
>>>>>>>        lprm command = lprm -P'%p' %j
>>>>>>>        store dos attributes = Yes
>>>>>>>        vfs objects = acl_xattr
>>>>>>>
>>>>>>> [pkt]
>>>>>>>        path = /home/big
>>>>>>>        read only = No
>>>>>>>
>>>>>>> [test]
>>>>>>>        path = /home/test
>>>>>>>        read only = No
>>>>>>>
>>>>>>> The big problem is when I add new users to the shares above (pkt
>>>>>>> and
>>>>>>> test), they cannot login.
>>>>>>>
>>>>>>> I think that the problem is associated with winbind and
>>>>>>> libnss_winbind.so.2 library:
>>>>>>>
>>>>>>> I put the necessary symbolic links in /lib64 (my hardware is
>>>>>>> x86_64),
>>>>>>> then I ran the following to check if the libraries are activated:
>>>>>>> #ldconfig -v | grep winbind
>>>>>>> ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
>>>>>>> ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
>>>>>>>        libnss_winbind.so -> libnss_winbind.so.2
>>>>>>>        libnss_winbind.so -> libnss_winbind.so.2
>>>>>>>
>>>>>>>
>>>>>>> I would appreciate some help with it.
>>>>>>>
>>>>>>> Regards, Carlos
>>>>>>>
>>>>>>>
>>>>>>> The Universidad Central "Marta Abreu" de Las Villas in its 60th
>>>>>>> anniversary year. Founded on 30 November 1952. Visit us at:
>>>>>>> http://www.uclv.edu.cu
>>>>>>> Take part in Universidad 2014, from 10 to 14 February 2014.
>>>>>>> Havana, Cuba. http://www.congresouniversidad.cu/
>>>>>>>
>>>>>>>
>>>>>> First thing that you need to fix is your ranges, 'idmap config
>>>>>> *:range =
>>>>>> 70001-80000' is inside 'idmap config MYDOMAIN:range = 500-100000'
>>>>>> The *:range needs to come before or after MYDOMAIN:range
>>>>>> i.e.
>>>>>> idmap config MYDOMAIN:range = 500-100000
>>>>>> idmap config *:range = 100001-101000
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> Do the users that do not appear have uidNumbers in AD and if they do,
>>>> are these numbers inside the range you set for your domain ?
>>>>
>>>> Rowland
>>>>
>> If you don't know about them, then that is the problem. You are using
>> the ad backend in your smb.conf and this relies on finding uidNumber &
>> gidNumber in the users & groups CN's and these numbers have to be inside
>> the range you set.
>> As for adding them, go to ADUC, select a user or group and then go to
>> the 'UNIX Attributes' tab, here you can add the required info.
>>
>> Rowland
>
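The two checks raised in this thread (overlapping idmap ranges, and the ad backend needing a uidNumber inside the domain range) can be run against a configuration before winbindd is restarted. The following is an added example, not part of the original messages or of Samba; the function names are hypothetical and the sample is constructed from the idmap lines quoted above.

```python
import re

# Constructed sample: the idmap lines from the [global] section quoted in the thread.
SAMPLE = """
[global]
    workgroup = MYDOMAIN
    idmap config MYDOMAIN:range = 500-100000
    idmap config MYDOMAIN:backend = ad
    idmap config *:range = 70001-80000
    idmap config * : backend = tdb
"""

# Matches both 'idmap config DOM:opt = v' and 'idmap config DOM : opt = v'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain.upper(), {})[option.lower()] = value
    return cfg

def ranges(cfg):
    """Return {domain: (low, high)} for domains that define a range."""
    out = {}
    for dom, opts in cfg.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            out[dom] = (lo, hi)
    return out

def overlaps(cfg):
    """Return pairs of domains whose ID ranges intersect."""
    r = sorted(ranges(cfg).items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, (_, ahi)) in enumerate(r)
            for b, (blo, _) in r[i + 1:] if blo <= ahi]

def ad_user_resolvable(cfg, domain, uid_number):
    """ad backend: the user needs a uidNumber, and it must be in the domain range."""
    lo, hi = ranges(cfg)[domain.upper()]
    return uid_number is not None and lo <= uid_number <= hi

if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE)
    print("overlapping ranges:", overlaps(cfg))
    print("user without uidNumber resolvable:", ad_user_resolvable(cfg, "MYDOMAIN", None))
```
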

