Join samba 4.1.7 as member server issues

Daniele Dario d.dario76 at gmail.com
Thu May 8 08:02:05 MDT 2014



On gio, 2014-05-08 at 14:03 +0100, Rowland Penny wrote:
> On 08/05/14 13:33, Daniele Dario wrote:
> > Hi Rowland,
> >
> > On gio, 2014-05-08 at 10:43 +0100, Rowland Penny wrote:
> >> On 08/05/14 10:12, Daniele Dario wrote:
> >>> On mer, 2014-05-07 at 17:28 +0200, steve wrote:
> >>>> On Wed, 2014-05-07 at 17:16 +0200, Daniele Dario wrote:
> >>>>> Hi list,
> >>>>> I'm trying to join a new server (samba 4.1.7) on a samba AD domain which
> >>>>> has 2 samba 4.1.0 AD DCs.
> >>>>>
> >>>>> I started from the wiki page "Setup a Samba AD Member Server" and I'm
> >>>>> using the tarball of 4.1.7 sources downloaded from samba repository but
> >>>>> after the "Build Samba" step I start having issues.
> >>>>>
> >>>>> 1st: is it possible that when I ran make install the process also
> >>>>> created /etc/samba/{smb.conf,gdbcommands}? If yes, which would be
> >>>>> the conf file used? The one in /etc/samba or the one
> >>>>> in /usr/local/samba/etc?
> >>>> Hi
> >>>> For a default ./configure, the latter.
> >>>>
> >>>>> 2nd: joining the domain has to be done before starting the daemons, am I
> >>>>> right?
> >>>>>
> >>>> Yes.
> >>>>
> >>>>> # net ads join -U administrator
> >>>>> Enter administrator's password:
> >>>>> Using short domain name -- SAITEL
> >>>>> Joined 'SRV03' to realm 'saitel.loc'
> >>>>> No DNS domain configured for srv03. Unable to perform DNS Update.
> >>>>> DNS update failed!
> >>>> Try:
> >>>> - Un-join and add fqdn of the member server to the localhost line in:
> >>>> /etc/hosts
> >>>>
> >>>> - add:
> >>>> kerberos method = system keytab
> >>>> Re-join.
> >>>>
> >>>> -remove the samba package from your distribution.
> >>>>
> >>>> HTH
> >>>> Steve
> >>>>
> >>>>
> >>> Thanks Steve,
> >>> seems that I have many problems:
> >>> 1. the samba-common and samba-common-bin packages were installed. Now I
> >>> removed them
> >>> 2. performed net dom unjoin, tried to add fqdn in /etc/hosts, updated
> >>> smb.conf adding kerberos method = system keytab then re-joined to the
> >>> domain but after starting samba (I am using the script listed in
> >>> "InitScript SambaWiki") neither wbinfo -u nor wbinfo -g worked.
> >>> 3. looking at which processes are started from the "InitScript" I saw
> >>> that only smbd and nmbd are started so I manually tried to start
> >>> winbindd -D and then wbinfo -u and wbinfo -g show domain users and
> >>> groups
> >>>
> >>> At this point I said ok, done but ... :-(
> >>>
> >>> Trying to run id OneValidDomainUser I get
> >>> # id daniele
> >>> id: daniele: No such user
> >>>
> >>> And this is my /etc/nsswitch.conf
> >>>
> >>> passwd:         compat winbind
> >>> group:          compat winbind
> >>> shadow:         files
> >>>
> >>> hosts:          files dns
> >>> networks:       files
> >>>
> >>> protocols:      db files
> >>> services:       db files
> >>> ethers:         db files
> >>> rpc:            db files
> >>>
> >>> netgroup:       nis
> >>>
> >>> so I'm again stuck.
> >>>
> >>> Can somebody tell me if the winbindd daemon has to be added as one of
> >>> the daemons that has to be started by the InitScript?
> >>>
> >>> And what am I doing wrong that explains the fact that id, getent and
> >>> also smbclient -L ... won't work?
> >>>
> >>> Thanks in advance,
> >>> Daniele.
> >>>
> >> Hi, yes you need to start winbind separately from the smbd & nmbd
> >> daemons, so you need to find/write another init script.
> >>
> >> As for what is wrong, this could be one of several things (or several of
> >> several things ;) )
> >>
> >> Are all the daemons actually running ? run 'ps ax | grep [s]mbd' and 'ps
> >> ax | grep [n]mbd' and 'ps ax | grep [w]inbind', they all should return
> >> something.
> > Yes they were all running.
> >
> >> If you are using the ad idmap backend, do your AD users have both
> >> uidNumber's & gidNumber's ? Do your AD groups have gidNumber's ? , also
> >> are these uid & gidNumber's within the range that you set in smb.conf ?
> >>
> >> Rowland
> >>
> > I'll try to investigate but 'cause I need to set up another fileserver
> > ASAP to move the shares I have on an old samba 3.4.7 server joined to
> > the domain, I think I'll use one of the DCs also as fileserver.
> >
> > If I remember right you were one of those who were discussing
> > posixaccount and posixgroup (rfc2307) and I'm really interested in this
> > topic.
> > Once I move the shares I will set-up another samba server to keep a
> > (guess via rsync) copy of these shares for backup.
> > Having distinct uid/gid on the servers will make the copy useless so I
> > thought that by adding objectClass posixaccount and posixgroup in my
> > company accounts I would solve this problem, am I right?
> > If so can you (or somebody else) suggest a way to do that?
> > I have a copy of the scripts posted in the past (I guess from Steve)
> > that "posixify" users/groups but need to understand how to proceed:
> > - recently I noticed in the list that there are discussions on wellknown
> > (s)ids and how to properly handle them. This means that not all
> > users/groups have to be "posixified"?
> > - when I do that I guess that the shares lose the association between
> > the owners/groups the files/folders have on the fs and in AD so I need
> > to chown them after the operation?
> >
> > BTW Thx for the hints.
> > Daniele.
> >
> Hi, this is slightly complicated, but here goes:
> 
> If you are running a samba 3 setup, you could be running as a standalone 
> server, a member of a domain or as a PDC/BDC. With all of these setups 
> your users needed to be known by both samba and the unix machine i.e. 
> you had to have two accounts. To further complicate the situation, these 
> users would be stored in /etc/passwd and either in a samba file or LDAP. 
> Groups were treated exactly the same and you had to map windows groups 
> (if you used them) to unix groups, you could also have a group with the 
> same name as a user. If you did use LDAP, then you needed the 
> posixAccount & posixGroup objectClasses.
> 
> If you now decide to upgrade to samba 4 and run as an AD DC, a lot of 
> things have changed. Your users/groups are now stored only in AD, you 
> cannot have local users with the same name as a domain user and you 
> cannot have a group with the same name as a user. You no longer need the 
> posix objectClasses, they are now auxiliaries of other windows 
> objectClasses, if you only use ADUC to add users and groups, you will 
> never find the posix objectClasses in AD. Users/groups in AD are only 
> known to 'windows' machines, you need to make them known to unix by 
> either using (for instance) the winbind rid backend or by (the better 
> way) giving them uidNumber's &/or gidNumber's.
> 
> You can carry out the 'classicupgrade' of a PDC to AD with samba-tool, 
> but you would need to test this before doing it in production, see the 
> wiki. You may or may not need to change ownership of files after the 
> upgrade, it depends on how you do the upgrade. If you only have a 
> relatively few users, it may be quicker to just set up a new AD domain 
> and then join your computers to this.
> 
> I would suggest before you do anything, you spend some time reading the 
> wiki.
> 
> Once you have read the wiki, come back with any questions you might have ;-)
> 
> Rowland
> 
> 

My situation is that I started from scratch (with an older beta release
as test and then with rcs in production) and provisioned a new domain
with 1 samba AD DC.

Then I joined a 3.4.7 as member server (it was the default on ubuntu 10.04
server) which was the fileserver, then I noticed that I cannot have the
same uid/gid(s) but I was using tapes to backup my shares so I didn't
care so much about that.

Then the rfc2307 became a topic on the list and I thought that by adding
another AD DC and enabling the option I could migrate the shares, but I
discovered that only enabling the option didn't do the trick and tried
with Steve's scripts to add the attributes. Doing that I gained the same
ids on both servers but that broke something else (thanks to the
developers who saved my ass guiding me to restore the situation).

Then I was involved in other stuff for a while but now I
need to finish the job.

Of course I'll take the time to read the wiki pages again carefully but
if you have some hints to point me in the right direction I'd appreciate
it.

Again thanks,
Daniele.
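The thread above turns on three things Rowland asks about: whether nsswitch.conf hands passwd/group lookups to winbind (otherwise `id user` fails even though `wbinfo -u` works, because wbinfo talks to winbindd directly), what `idmap config ... : range` smb.conf defines, and whether each AD user's uidNumber/gidNumber sits inside the range the `ad` backend is authoritative for. The following is an added example, not code from the thread or from the Samba project: an offline checker that parses constructed sample nsswitch.conf, smb.conf and AD user records and reports which of those conditions would stop winbind from mapping a user. The domain name SAITEL comes from the thread; the idmap ranges, the user records and all function names are assumptions made for this example.

```python
"""Offline sanity checks for a Samba AD member server (added example).
All sample inputs below are constructed for this example."""
import re


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf content."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = sources.split()
    return dbs


def nss_missing_winbind(text):
    """Names of the passwd/group databases that do not list winbind."""
    dbs = parse_nsswitch(text)
    return [db for db in ("passwd", "group") if "winbind" not in dbs.get(db, [])]


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}. Keys are lowercased,
    whitespace collapsed and ' : ' normalised so that
    'idmap config SAITEL:range' and 'idmap config SAITEL : range' compare equal."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # samba comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf


def idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config DOMAIN : range'."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            low, high = (int(x) for x in value.replace(" ", "").split("-"))
            ranges[m.group(1).upper()] = (low, high)
    return ranges


def check_user(user, ranges, domain):
    """Reasons why the 'ad' idmap backend would not map this user to a unix id:
    missing rfc2307 attributes, or values outside the domain's configured range."""
    if domain.upper() not in ranges:
        return ["no idmap range configured for domain %s" % domain]
    low, high = ranges[domain.upper()]
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        value = user.get(attr)
        if value is None:
            problems.append("%s missing" % attr)
        elif not low <= int(value) <= high:
            problems.append("%s=%s outside range %d-%d" % (attr, value, low, high))
    return problems


# Constructed sample inputs; the ranges and records are not from the thread.
SAMPLE_NSSWITCH = """\
passwd:         compat winbind
group:          compat winbind
shadow:         files
hosts:          files dns
"""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = SAITEL
   realm = SAITEL.LOC
   security = ADS
   kerberos method = system keytab
   ; ranges below are made up for this example
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAITEL : backend = ad
   idmap config SAITEL : schema_mode = rfc2307
   idmap config SAITEL : range = 10000-999999
"""

# Constructed AD user records, as an ldbsearch/ldapsearch would show them.
SAMPLE_USERS = {
    "daniele": {"uidNumber": "10001", "gidNumber": "10000"},
    "no-uid":  {"gidNumber": "10000"},
    "low-uid": {"uidNumber": "5000", "gidNumber": "10000"},
}


def run_checks(nsswitch=SAMPLE_NSSWITCH, smb_conf=SAMPLE_SMB_CONF,
               users=SAMPLE_USERS, domain="SAITEL"):
    """Run every check; return {'nsswitch': [...], user: [problems], ...}."""
    ranges = idmap_ranges(parse_smb_conf(smb_conf))
    report = {"nsswitch": ["%s lacks winbind" % db
                           for db in nss_missing_winbind(nsswitch)]}
    for name, attrs in users.items():
        report[name] = check_user(attrs, ranges, domain)
    return report


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print("%-10s %s" % (name, "ok" if not problems else "; ".join(problems)))
```

On a real member server the same functions can be fed the contents of /etc/nsswitch.conf and the smb.conf that `testparm` reports as active, and user attributes pulled with `wbinfo -i` or an LDAP search, which makes it quick to tell a missing rfc2307 attribute apart from a misconfigured range before touching the DCs.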


