[SOLVED] Samba 4 Domain Member - problem

Rowland Penny repenny241155 at gmail.com
Fri Dec 27 05:14:09 MST 2013


On 27/12/13 06:08, Carlos Miguel Bustillo Rodriguez wrote:
> Hello:
>
>   Finally I have Samba 4.1.3 (from SerNet) working as a Member Server in an MSAD environment.
>
> How did I solve the problem?
> After several tests, I noted that the problem was associated with ldconfig (it does not load the libraries automatically, it seems) on Debian Wheezy, because with "wbinfo -u" and "wbinfo -g" I can see all users and groups in my domain, but the "getent" and "id" commands do not work correctly.
>
> My domain doesn't have Services for Unix (SFU) installed, therefore I had to use the rid backend for my domain and increase the range as follows:
Unless you are using Windows 2003 Server or earlier, all the SFU
attributes are present in AD.

> [global]
>     workgroup = MYDOMAIN
>     security = ADS
>     realm = MYDOMAIN.COM
>     encrypt passwords = yes
>
>     idmap config *:backend = tdb
>     idmap config *:range =  40000001-60000000
>     idmap config MYDOMAIN:backend = rid
>     idmap config MYDOMAIN:schema_mode = rfc2307
>     idmap config MYDOMAIN:range = 500-30000000
>
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>
>     # For ACL support on member server
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     log level = 3
>     printing = bsd
>
>   [Demo]
>       path = /srv/samba/Demo/
>       read only = no
>
>
>
> To load the libraries (my system is 64 bits):
>          cd /lib64
>          cp /lib/x86_64-linux-gnu/libnss_winbind.so.2 .
>          ldconfig -l libnss_winbind.so.2
>          ldconfig -i

If this is all you had to do to get getent to work, then this is a bug 
in the Sernet packages and should be reported to them.

Rowland

> Finally I restarted the server and the "getent" and "id" commands work perfectly. Now the domain users can access the shares on my Samba 4 Member Server.
>
> Thanks to Rowland and Denis, for your help and time.
>
> Merry Christmas to all.
>
> Regards, Carlos
>
> ________________________________________
> From: Rowland Penny [repenny241155 at gmail.com]
> Sent: Saturday, December 21, 2013 6:11
> To: Carlos Miguel Bustillo  Rodriguez; samba-technical at lists.samba.org; denis.cardon at tranquil-it-systems.fr
> Subject: Re: Samba 4 Domain Member - problem
>
> On 20/12/13 21:12, Carlos Miguel Bustillo Rdguez wrote:
>> I agree with you. Then I increased the range in
>>
>> idmap config MYDOMAIN:range =
>>
>>
>> and changed the backend to rid, as Denis says in the next mail.
>> Now more users are recognized by the "id" command. I can see my domain groups
>> with wbinfo -g and all domain users with wbinfo -u.
>> For example, the user "bfeliu" is shown when I run "wbinfo -u", but when
>> I run:
>> # id bfeliu
>> id: bfeliu: No such user
>> # wbinfo -i bfeliu
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user bfeliu
>>
>> I note that if a user is not recognized by the "id" command, then they
>> can't log on to the network share.
>>
>> One more thing: I note that libnss_winbind.so and libnss_winbind.so.2
>> are linked by default in /lib/x86_64-linux-gnu/. Is it necessary to
>> link these libraries in /lib for i386 or in /lib64 for amd64, as it says in
>> https://wiki.samba.org/index.php/Samba/Domain_Member ?
>>
> The last time I tried Samba4 as a memberserver (compiled from source &
> running on Linux Mint 13 x86_64)  I had to create the links myself:
>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>
> I also edited /etc/nsswitch.conf and added 'winbind' to the passwd &
> group lines
>
> Then (with the ad backend) I got all the users via getent.
>
> Have you started the 'winbindd' daemon ?
>
> Rowland
>
>> Thanks for your help.
>>
>> Regards, Carlos
>>
>> On 12/20/2013 12:48 PM, Rowland Penny wrote:
>>> On 20/12/13 17:39, Carlos Miguel Bustillo Rdguez wrote:
>>>> Our domain is based entirely on Windows Server 2008R2.
>>>>
>>>> I don't really understand your question.
>>>>
>>>> Is it necessary that domain users have uidNumbers? Where can I see these
>>>> numbers?
>>>>
>>>> Thanks, Carlos
>>>> On 12/20/2013 12:27 PM, Rowland Penny wrote:
>>>>> On 20/12/13 17:11, Carlos Miguel Bustillo Rdguez wrote:
>>>>>> Rowland:
>>>>>>
>>>>>>      Thanks for your time. I have followed your recommendation, but the
>>>>>> problem remains:
>>>>>>
>>>>>> # wbinfo -i mmorales
>>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not get info for user mmorales
>>>>>>
>>>>>> # id mmorales
>>>>>> id: mmorales: No such user
>>>>>>
>>>>>> Why did the "id" command work initially?
>>>>>> Sometimes the "id" command identifies the users and other times it doesn't.
>>>>>>
>>>>>> Regards, Carlos
>>>>>>
>>>>>> PS: Happy Christmas to all!!
>>>>>>
>>>>>> On 12/20/2013 04:37 AM, Rowland Penny wrote:
>>>>>>> On 19/12/13 23:12, Carlos Miguel Bustillo Rdguez wrote:
>>>>>>>> Hello list:
>>>>>>>>
>>>>>>>> Recently I joined my Samba 4.1.3 (from Sernet packages on Debian
>>>>>>>> Wheezy)
>>>>>>>> to my Microsoft Windows 2008R2 Domain as a member server.
>>>>>>>>
>>>>>>>> I followed the steps in
>>>>>>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>>>>>>>>
>>>>>>>> Initially all worked perfectly, but later I noted that some users
>>>>>>>> in my
>>>>>>>> MSAD don't appear when I use the "id" command:
>>>>>>>> # id joe
>>>>>>>> id: joe: No such user
>>>>>>>>
>>>>>>>> This is the result of the "testparm" command:
>>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>>>>>> (16384)
>>>>>>>> Processing section "[pkt]"
>>>>>>>> Processing section "[test]"
>>>>>>>> Loaded services file OK.
>>>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>         workgroup = MYDOMAIN
>>>>>>>>         realm = MYDOMAIN.COM
>>>>>>>>         security = ADS
>>>>>>>>         winbind enum users = Yes
>>>>>>>>         winbind enum groups = Yes
>>>>>>>>         winbind use default domain = Yes
>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>         idmap config MYDOMAIN:range = 500-100000
>>>>>>>>         idmap config MYDOMAIN:schema_mode = rfc2307
>>>>>>>>         idmap config MYDOMAIN:backend = ad
>>>>>>>>         idmap config *:range = 70001-80000
>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>         map acl inherit = Yes
>>>>>>>>         printing = bsd
>>>>>>>>         print command = lpr -r -P'%p' %s
>>>>>>>>         lpq command = lpq -P'%p'
>>>>>>>>         lprm command = lprm -P'%p' %j
>>>>>>>>         store dos attributes = Yes
>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>
>>>>>>>> [pkt]
>>>>>>>>         path = /home/big
>>>>>>>>         read only = No
>>>>>>>>
>>>>>>>> [test]
>>>>>>>>         path = /home/test
>>>>>>>>         read only = No
>>>>>>>>
>>>>>>>> The big problem is that when I add new users to the shares above (pkt
>>>>>>>> and
>>>>>>>> test), they cannot log in.
>>>>>>>>
>>>>>>>> I think that the problem is associated with winbind and
>>>>>>>> the libnss_winbind.so.2 library:
>>>>>>>>
>>>>>>>> I put the necessary symbolic links in /lib64 (my hardware is
>>>>>>>> x86_64),
>>>>>>>> then I ran the following to check if the libraries are activated:
>>>>>>>> #ldconfig -v | grep winbind
>>>>>>>> ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
>>>>>>>> ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
>>>>>>>>         libnss_winbind.so -> libnss_winbind.so.2
>>>>>>>>         libnss_winbind.so -> libnss_winbind.so.2
>>>>>>>>
>>>>>>>>
>>>>>>>> I would appreciate some help with it.
>>>>>>>>
>>>>>>>> Regards, Carlos
>>>>>>>>
>>>>>>>>
>>>>>>>> The Universidad Central "Marta Abreu" de Las Villas on its 60th
>>>>>>>> Anniversary. Founded on November 30, 1952. Visit us at:
>>>>>>>> http://www.uclv.edu.cu
>>>>>>>> Take part in Universidad 2014, from February 10 to 14, 2014.
>>>>>>>> Havana. Cuba. http://www.congresouniversidad.cu/
>>>>>>>>
>>>>>>>>
>>>>>>> First thing that you need to fix is your ranges, 'idmap config
>>>>>>> *:range =
>>>>>>> 70001-80000' is inside 'idmap config MYDOMAIN:range = 500-100000'
>>>>>>> The *:range needs to come before or after MYDOMAIN:range
>>>>>>> i.e.
>>>>>>> idmap config MYDOMAIN:range = 500-100000
>>>>>>> idmap config *:range = 100001-101000
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> Do the users that do not appear have uidNumbers in AD and if they do,
>>>>> are these numbers inside the range you set for your domain ?
>>>>>
>>>>> Rowland
>>>>>
>>> If you don't know about them, then that is the problem. You are using
>>> the ad backend in your smb.conf and this relies on finding uidNumber &
>>> gidNumber in the users & groups CN's and these numbers have to be inside
>>> the range you set.
>>> As for adding them, go to ADUC, select a user or group and then go to
>>> the 'UNIX Attributes' tab, here you can add the required info.
>>>
>>> Rowland
>>>
>


