Join samba 4.1.7 as member server issues

Rowland Penny repenny241155 at gmail.com
Thu May 8 07:03:12 MDT 2014


On 08/05/14 13:33, Daniele Dario wrote:
> Hi Rowland,
>
> On gio, 2014-05-08 at 10:43 +0100, Rowland Penny wrote:
>> On 08/05/14 10:12, Daniele Dario wrote:
>>> On mer, 2014-05-07 at 17:28 +0200, steve wrote:
>>>> On Wed, 2014-05-07 at 17:16 +0200, Daniele Dario wrote:
>>>>> Hi list,
>>>>> I'm trying to join a new server (samba 4.1.7) on a samba AD domain which
>>>>> has 2 samba 4.1.0 AD DCs.
>>>>>
>>>>> I started from the wiki page "Setup a Samba AD Member Server" and I'm
>>>>> using the tarball of 4.1.7 sources downloaded from samba repository but
>>>>> after the "Build Samba" step I start having issues.
>>>>>
>>>>> 1st: would it be possible that when I run make install the process
>>>>> created also /etc/samba/{smb.conf,gdbcommands}? If yes which would be
>>>>> the conf file used? The one in /etc/samba or the one
>>>>> in /usr/local/samba/etc?
>>>> Hi
>>>> For a default ./configure, the latter.
>>>>
>>>>> 2nd: joining the domain has to be done before to start the daemons am I
>>>>> right?
>>>>>
>>>> Yes.
>>>>
>>>>> # net ads join -U administrator
>>>>> Enter administrator's password:
>>>>> Using short domain name -- SAITEL
>>>>> Joined 'SRV03' to realm 'saitel.loc'
>>>>> No DNS domain configured for srv03. Unable to perform DNS Update.
>>>>> DNS update failed!
>>>> Try:
>>>> - Un-join and add fqdn of the member server to the localhost line in:
>>>> /etc/hosts
>>>>
>>>> - add:
>>>> kerberos method = system keytab
>>>> Re-join.
>>>>
>>>> -remove the samba package from your distribution.
>>>>
>>>> HTH
>>>> Steve
>>>>
>>>>
>>> Thanks Steve,
>>> seems that I have many problems:
>>> 1. the samba-common and samba-common-bin packages were installed. Now I
>>> removed them
>>> 2. performed net dom unjoin, tried to add fqdn in /etc/hosts, updated
>>> smb.conf adding kerberos method = system keytab then re-joined to the
>>> domain but after starting samba (I am using the script listed in
>>> "InitScript SambaWiki") neither wbinfo -u nor wbinfo -g worked.
>>> 3. looking at which processes are started from the "InitScript" I saw
>>> that only smbd and nmbd are started so I manually tried to start
>>> winbindd -D and then wbinfo -u and wbinfo -g show domain users and
>>> groups
>>>
>>> At this point I said ok, done but ... :-(
>>>
>>> Trying to run id OneValidDomainUser I get
>>> # id daniele
>>> id: daniele: No such user
>>>
>>> And this is my /etc/nsswitch.conf
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         files
>>>
>>> hosts:          files dns
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>>
>>> netgroup:       nis
>>>
>>> so I'm again stuck.
>>>
>>> Can somebody tell me if the winbindd daemon has to be added as one of
>>> the daemons that has to be started by the InitScript?
>>>
>>> And what am I doing wrong that explains the fact that id, getent and
>>> also smbclient -L ... won't work?
>>>
>>> Thanks in advance,
>>> Daniele.
>>>
>> Hi, yes you need to start winbind separately from the smbd & nmbd
>> daemons, so you need to find/write another init script.
>>
>> As for what is wrong, this could be one of several things (or several of
>> several things ;) )
>>
>> Are all the daemons actually running ? run 'ps ax | grep [s]mbd' and 'ps
>> ax | grep [n]mbd' and 'ps ax | grep [w]inbind', they all should return
>> something.
> Yes they were all running.
>
>> If you are using the ad idmap backend, do your AD users have both
>> uidNumber's & gidNumber's ? Do your AD groups have gidNumber's ? , also
>> are these uid & gidNumber's within the range that you set in smb.conf ?
>>
>> Rowland
>>
> I'll try to investigate but 'cause I need to set up another fileserver
> ASAP to move the shares I have on an old samba 3.4.7 server joined to
> the domain I think I'll use one of the DCs also as fileserver.
>
> If I remember right you were one of those who were discussing
> posixaccount and posixgroup (rfc2307) and I'm really interested in this
> topic.
> Once I move the shares I will set-up another samba server to keep a
> (guess via rsync) copy of these shares for backup.
> Having distinct uid/gid on the servers will make the copy unuseful so I
> thought that with adding objectClass posixaccount and posixgroup in my
> company accounts I would solve this problem am I right?
> If so can you (or somebody else) suggest a way to do that?
> I have a copy of the scripts posted in the past (I guess from Steve)
> that "posixify" users/groups but need to understand how to proceed:
> - recently I noticed in the list that there are discussions on wellknown
> (s)ids and how to properly handle them. This means that not all
> users/groups have to be "posixified"?
> - when I do that I guess that the shares lose the association between
> the owners/groups the files/folders have on the fs and on AD so I need
> to chown them after the operation?
>
> BTW Thx for the hints.
> Daniele.
>
Hi, this is slightly complicated, but here goes:

If you are running a samba 3 setup, you could be running as a standalone 
server, a member of a domain or as a PDC/BDC. With all of these setups 
your users needed to be known by both samba and the unix machine i.e. 
you had to have two accounts. To further complicate the situation, these 
users would be stored in /etc/passwd and either in a samba file or LDAP. 
Groups were treated exactly the same and you had to map windows groups 
(if you used them) to unix groups, you could also have a group with the 
same name as a user. If you did use LDAP, then you needed the 
posixAccount & posixGroup objectClasses.

If you now decide to upgrade to samba 4 and run as an AD DC, a lot of 
things have changed. Your users/groups are now stored only in AD, you 
cannot have local users with the same name as a domain user and you 
cannot have a group with the same name as a user. You no longer need the 
posix objectClasses, they are now auxiliaries of other windows 
objectClasses, if you only use ADUC to add users and groups, you will 
never find the posix objectClasses in AD. Users/groups in AD are only 
know to 'windows' machines, you need to make them known to unix by 
either using (for instance) the winbind rid backend or by (the better 
way) giving them uidNumber's &/or gidNumber's.

You can carry out the 'classicupgrade' of a PDC to AD with samba-tool, 
but you would need to test this before doing it in production, see the 
wiki. You may or may not need to change ownership of files after the 
upgrade, it depends on how you do the upgrade. If you only have a 
relatively few users, it may be quicker to just set up a new AD domain 
and then join your computers to this.

I would suggest before you do anything, you spend some time reading the 
wiki.

Once you have read the wiki, come back with any questions you might have ;-)

Rowland
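Rowland's checklist above (winbind consulted by nsswitch, and every AD user/group carrying a uidNumber/gidNumber that falls inside the idmap range set in smb.conf) can be turned into a small offline consistency check. The script below is an added example written for this page, not code from the thread or from the Samba project; the smb.conf fragment, the nsswitch.conf lines and the AD entries it runs on are constructed samples, and the `idmap config` parameters it parses are standard Samba settings for an `ad` backend with RFC2307 attributes.

```python
"""Offline consistency check for a Samba AD member server's id mapping.

Given an smb.conf, an nsswitch.conf and a dump of AD user/group
attributes (as an LDAP search would return them), report which accounts
winbind could not map because their uidNumber/gidNumber is missing or
outside the configured idmap range, and whether nsswitch consults
winbind for passwd and group at all.
"""
import re

# Constructed sample smb.conf for a member server (assumed values, not from the thread).
SMB_CONF = """
[global]
    workgroup = SAITEL
    realm = SAITEL.LOC
    security = ADS
    kerberos method = system keytab
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAITEL : backend = ad
    idmap config SAITEL : schema_mode = rfc2307
    idmap config SAITEL : range = 10000-999999
    winbind nss info = rfc2307
"""

# Constructed nsswitch.conf fragment (same shape as the one posted in the thread).
NSSWITCH = """
passwd:         compat winbind
group:          compat winbind
shadow:         files
"""

# Constructed AD entries: attribute subset an ldapsearch/ldbsearch would show.
AD_USERS = [
    {"sAMAccountName": "daniele", "uidNumber": 10001, "gidNumber": 10000},
    {"sAMAccountName": "guest2", "uidNumber": 5000, "gidNumber": 10000},   # uid below range
    {"sAMAccountName": "noposix"},                                        # no RFC2307 attrs
]
AD_GROUPS = [
    {"sAMAccountName": "Domain Users", "gidNumber": 10000},
    {"sAMAccountName": "backup-ops"},                                     # no gidNumber
]

# Matches "idmap config <domain> : <key> = <value>"; <domain> may be "*".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I | re.M)


def parse_idmap(conf_text):
    """Return {DOMAIN: {key: value}} with 'range' converted to an (lo, hi) tuple."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf_text):
        cfg.setdefault(dom.upper(), {})[key.lower()] = val
    for settings in cfg.values():
        if "range" in settings:
            lo, hi = settings["range"].split("-")
            settings["range"] = (int(lo), int(hi))
    return cfg


def nss_uses_winbind(nsswitch_text):
    """True only if both the passwd and group databases list winbind as a source."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = rest.split()
    return all("winbind" in sources.get(db, []) for db in ("passwd", "group"))


def check_users(users, id_range):
    """List (name, reason) for users the ad backend could not map into id_range."""
    lo, hi = id_range
    problems = []
    for user in users:
        name = user["sAMAccountName"]
        uid, gid = user.get("uidNumber"), user.get("gidNumber")
        if uid is None or gid is None:
            problems.append((name, "missing uidNumber/gidNumber"))
        elif not lo <= uid <= hi:
            problems.append((name, f"uidNumber {uid} outside range {lo}-{hi}"))
        elif not lo <= gid <= hi:
            problems.append((name, f"gidNumber {gid} outside range {lo}-{hi}"))
    return problems


def check_groups(groups, id_range):
    """List (name, reason) for groups lacking a gidNumber or outside id_range."""
    lo, hi = id_range
    problems = []
    for group in groups:
        name = group["sAMAccountName"]
        gid = group.get("gidNumber")
        if gid is None:
            problems.append((name, "missing gidNumber"))
        elif not lo <= gid <= hi:
            problems.append((name, f"gidNumber {gid} outside range {lo}-{hi}"))
    return problems


def report(conf_text, nsswitch_text, users, groups, domain):
    """Run every check for one domain and return the findings as a dict."""
    idmap = parse_idmap(conf_text)
    id_range = idmap[domain.upper()]["range"]
    return {
        "backend": idmap[domain.upper()].get("backend"),
        "nss_ok": nss_uses_winbind(nsswitch_text),
        "users": check_users(users, id_range),
        "groups": check_groups(groups, id_range),
    }


if __name__ == "__main__":
    for key, value in report(SMB_CONF, NSSWITCH, AD_USERS, AD_GROUPS, "SAITEL").items():
        print(f"{key}: {value}")
```

In the constructed data, `daniele` maps cleanly while `guest2` sits in the `*` default range rather than the domain range and `noposix`/`backup-ops` carry no RFC2307 attributes at all, which is exactly the situation in which `id` reports "No such user" even though `wbinfo -u` lists the account.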