[SOLVED] Samba 4 Domain Member - problem
Rowland Penny
repenny241155 at gmail.com
Fri Dec 27 05:14:09 MST 2013
On 27/12/13 06:08, Carlos Miguel Bustillo Rodriguez wrote:
> Hello:
>
> Finally I have Samba 4.1.3 (from SerNet) working as a Member Server in an MSAD environment.
>
> How did I solve the problem?
> After several tests, I noted that the problem was associated with ldconfig (it does not load the libraries automatically, it seems) on Debian Wheezy, because with "wbinfo -u" and "wbinfo -g" I can see all users and groups in my domain, but the "getent" and "id" commands do not work correctly.
>
> My domain doesn't have Services for Unix (SFU) installed, therefore I had to use the rid backend for my domain and increase the range as follows:
Unless you are using Windows 2003 server or earlier, all the SFU
attributes are present in AD
> [global]
> workgroup = MYDOMAIN
> security = ADS
> realm = MYDOMAIN.COM
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 40000001-60000000
> idmap config MYDOMAIN:backend = rid
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 500-30000000
>
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # For ACL support on member server
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> log level = 3
> printing = bsd
>
> [Demo]
> path = /srv/samba/Demo/
> read only = no
>
>
>
> To load the libraries (my system is 64 bits):
> cd /lib64
> cp /lib/x86_64-linux-gnu/libnss_winbind.so.2 .
> ldconfig -l libnss_winbind.so.2
> ldconfig -i
If this is all you had to do to get getent to work, then this is a bug
in the Sernet packages and should be reported to them.
Rowland
> Finally I restarted the server and the "getent" and "id" commands work perfectly. Now the domain users can access the shares on my Samba 4 Member Server.
>
> Thanks to Rowland and Denis, for your help and time.
>
> Merry Christmas to all.
>
> Regards, Carlos
>
> ________________________________________
> From: Rowland Penny [repenny241155 at gmail.com]
> Sent: Saturday, December 21, 2013 6:11
> To: Carlos Miguel Bustillo Rodriguez; samba-technical at lists.samba.org; denis.cardon at tranquil-it-systems.fr
> Subject: Re: Samba 4 Domain Member - problem
>
> On 20/12/13 21:12, Carlos Miguel Bustillo Rdguez wrote:
>> I agree with you. Then I increased the range in
>>
>> idmap config MYDOMAIN:range =
>>
>>
>> and changed the backend to rid, as Denis says in the next mail.
>> Now more users are recognized by the "id" command. I can see my domain groups
>> with wbinfo -g and all domain users with wbinfo -u.
>> For example, this user "bfeliu" is shown when I run "wbinfo -u" but when
>> I run:
>> # id bfeliu
>> id: bfeliu: No such user
>> # wbinfo -i bfeliu
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user bfeliu
>>
>> I note that if a user is not recognized by the "id" command, then they can't log on
>> to the network share.
>>
>> One more thing: I note that libnss_winbind.so and libnss_winbind.so.2
>> are linked by default in /lib/x86_64-linux-gnu/. Is it necessary to
>> link these libraries in /lib for i386 or in /lib64 for amd64, as it says in
>> https://wiki.samba.org/index.php/Samba/Domain_Member?
>>
> The last time I tried Samba4 as a memberserver (compiled from source &
> running on Linux Mint 13 x86_64) I had to create the links myself:
>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>
> I also edited /etc/nsswitch.conf and added 'winbind' to the passwd &
> group lines
>
> Then (with the ad backend) I got all the users via getent.
>
> Have you started the 'winbindd' daemon ?
>
> Rowland
>
>> Thanks for your help.
>>
>> Regards, Carlos
>>
>> On 12/20/2013 12:48 PM, Rowland Penny wrote:
>>> On 20/12/13 17:39, Carlos Miguel Bustillo Rdguez wrote:
>>>> Our domain is based entirely on Windows Server 2008R2.
>>>>
>>>> I don't really understand your question.
>>>>
>>>> Is it necessary that domain users have uidNumbers? Where can I see these
>>>> numbers?
>>>>
>>>> Thanks, Carlos
>>>> On 12/20/2013 12:27 PM, Rowland Penny wrote:
>>>>> On 20/12/13 17:11, Carlos Miguel Bustillo Rdguez wrote:
>>>>>> Rowland:
>>>>>>
>>>>>> Thanks for your time. I have followed your recommendation. But the
>>>>>> problem remains:
>>>>>>
>>>>>> # wbinfo -i mmorales
>>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not get info for user mmorales
>>>>>>
>>>>>> # id mmorales
>>>>>> id: mmorales: No such user
>>>>>>
>>>>>> Why did the "id" command work initially?
>>>>>> Sometimes the "id" command identifies the users and other times it doesn't.
>>>>>>
>>>>>> Regards, Carlos
>>>>>>
>>>>>> PS: Happy Christmas to all!!
>>>>>>
>>>>>> On 12/20/2013 04:37 AM, Rowland Penny wrote:
>>>>>>> On 19/12/13 23:12, Carlos Miguel Bustillo Rdguez wrote:
>>>>>>>> Hello list:
>>>>>>>>
>>>>>>>> Recently I joined my Samba 4.1.3 (from Sernet packages in Debian
>>>>>>>> Wheezy) to my Microsoft Windows 2008R2 Domain as a member server.
>>>>>>>>
>>>>>>>> I followed the steps in
>>>>>>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>>>>>>>>
>>>>>>>> Initially all worked perfectly, but later I noted that some users
>>>>>>>> in my MSAD don't appear when I use the "id" command:
>>>>>>>> # id joe
>>>>>>>> id: joe: No such user
>>>>>>>>
>>>>>>>> This is the result of the "testparm" command:
>>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>>>>>> (16384)
>>>>>>>> Processing section "[pkt]"
>>>>>>>> Processing section "[test]"
>>>>>>>> Loaded services file OK.
>>>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = MYDOMAIN
>>>>>>>> realm = MYDOMAIN.COM
>>>>>>>> security = ADS
>>>>>>>> winbind enum users = Yes
>>>>>>>> winbind enum groups = Yes
>>>>>>>> winbind use default domain = Yes
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> idmap config MYDOMAIN:range = 500-100000
>>>>>>>> idmap config MYDOMAIN:schema_mode = rfc2307
>>>>>>>> idmap config MYDOMAIN:backend = ad
>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> map acl inherit = Yes
>>>>>>>> printing = bsd
>>>>>>>> print command = lpr -r -P'%p' %s
>>>>>>>> lpq command = lpq -P'%p'
>>>>>>>> lprm command = lprm -P'%p' %j
>>>>>>>> store dos attributes = Yes
>>>>>>>> vfs objects = acl_xattr
>>>>>>>>
>>>>>>>> [pkt]
>>>>>>>> path = /home/big
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [test]
>>>>>>>> path = /home/test
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> The big problem is that when I add new users to the shares above (pkt
>>>>>>>> and test), they cannot log in.
>>>>>>>>
>>>>>>>> I think that the problem is associated with winbind and the
>>>>>>>> libnss_winbind.so.2 library:
>>>>>>>>
>>>>>>>> I put the necessary symbolic links in /lib64 (my hardware is
>>>>>>>> x86_64), then I ran the following to check if the libraries are activated:
>>>>>>>> # ldconfig -v | grep winbind
>>>>>>>> ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
>>>>>>>> ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
>>>>>>>> libnss_winbind.so -> libnss_winbind.so.2
>>>>>>>> libnss_winbind.so -> libnss_winbind.so.2
>>>>>>>>
>>>>>>>>
>>>>>>>> I would appreciate some help with it.
>>>>>>>>
>>>>>>>> Regards, Carlos
>>>>>>>>
>>>>>>>>
>>>>>>>> The Universidad Central "Marta Abreu" de Las Villas on its 60th
>>>>>>>> anniversary. Founded on 30 November 1952. Visit us at:
>>>>>>>> http://www.uclv.edu.cu
>>>>>>>> Take part in Universidad 2014, 10 to 14 February 2014.
>>>>>>>> Havana, Cuba. http://www.congresouniversidad.cu/
>>>>>>>>
>>>>>>>>
>>>>>>> First thing that you need to fix is your ranges, 'idmap config
>>>>>>> *:range =
>>>>>>> 70001-80000' is inside 'idmap config MYDOMAIN:range = 500-100000'
>>>>>>> The *:range needs to come before or after MYDOMAIN:range
>>>>>>> i.e.
>>>>>>> idmap config MYDOMAIN:range = 500-100000
>>>>>>> idmap config *:range = 100001-101000
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> Do the users that do not appear have uidNumbers in AD and if they do,
>>>>> are these numbers inside the range you set for your domain ?
>>>>>
>>>>> Rowland
>>>>>
>>> If you don't know about them, then that is the problem. You are using
>>> the ad backend in your smb.conf and this relies on finding uidNumber &
>>> gidNumber in the users & groups CN's and these numbers have to be inside
>>> the range you set.
>>> As for adding them, go to ADUC, select a user or group and then go to
>>> the 'UNIX Attributes' tab, here you can add the required info.
>>>
>>> Rowland
>>>
>
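The range problem pointed out earlier in the quoted thread (the `*` range sitting inside the MYDOMAIN range) can be checked mechanically. The following is an added example, not part of the original messages or of Samba; the function names are hypothetical and the sample lines are the range settings quoted in the thread.

```python
import re
from itertools import combinations

# Matches "idmap config MYDOMAIN:range = 500-100000" as well as the
# spaced form "idmap config * : range = 70001-80000".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

def idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)  # comment lines (# or ;) never match
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"inverted range for {m['dom']}: {lo}-{hi}")
            ranges[m["dom"]] = (lo, hi)
    return ranges

def overlapping_ranges(smb_conf_text):
    """Return (domain_a, domain_b) pairs whose ID ranges intersect."""
    ranges = sorted(idmap_ranges(smb_conf_text).items())
    return [
        (a, b)
        for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges, 2)
        if alo <= bhi and blo <= ahi  # closed intervals share an ID
    ]

# Range lines taken from the two smb.conf versions quoted in the thread.
FIRST_CONF = """
idmap config MYDOMAIN:range = 500-100000
idmap config MYDOMAIN:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb
"""
FINAL_CONF = """
idmap config *:backend = tdb
idmap config *:range = 40000001-60000000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 500-30000000
"""

if __name__ == "__main__":
    for name, conf in (("first", FIRST_CONF), ("final", FINAL_CONF)):
        print(name, overlapping_ranges(conf) or "no overlap")
```
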