[Samba] S4 DC S3 file server: samba-tool and net ads user problems

steve steve at steve-ss.com
Thu Aug 16 12:07:07 MDT 2012


On 16/08/12 19:32, Gémes Géza wrote:
> 2012-08-16 18:53 keltezéssel, steve írta:
>> Hi everyone
>>
>> I have a S4 DC with a S3 fileserver. I want to create users and their
>> UnixHomeDirectory on the fileserver. I can do this with a script which
>> uses ldapmodify. Fine so far.
>>
>> The user shows in getent passwd on the DC and in wbinfo -u on the S3
>> box but does not show in getent passwd on the fileserver. The user has
>> been created with all his rfc2307 attributes but is invisible to
>> winbind on the S3 box.
>>
>> I have tried restarting winbind on the S3 box but still no luck. Is
>> there a cache I must clear somewhere?
>>
>> How can I get new users to show on the S3 box?
>>
>> Cheers,
>> Steve
> Hi,
>
> I'm not sure I've understood your situation, so please correct me if I'm
> wrong. You have 3 computers:
>
> 1. Samba4 (everything works to the amount permitted by its winbind
> implementation)

Does winbindd have to be running on this DC? I thought it didn't matter 
whether it was or it wasn't. I use nss-ldapd for mapping on this box as 
the S4 winbindd seems to be broken for groups.

> 2. Samba3 (everything works, including having homedirs and shells
> obtained via winbind from AD)
Yes. The home directory shares are all on this box.
> 3. Samba3 (where do you intend to have home directories, and could not
> list users)
No. I have no box 3. Just 2 boxes: S4 DC and S3 fileserver.

Here is the conf which works on box2:
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No

However, m$ machines cannot write to the shares even though they are 
correctly listed as having the correct permissions and ownership.
>
> If that is the situation you could simply copy the config from second
> box to third one, and add a [homes] share and everything should work.
>
> If not, in a previous e-mail you've already written the samba config
> needed for having a working winbind with idmap_ad. One thing I've learned
> the hard way: if any of the gidNumbers of a group a user belongs to is
> out of the range you've specified in your smb.conf for your domain that
> user is going to be invisible (I've avoided it with a range = 0-10000000).
>
> If you have winbind installed by package I would try to delete
> /var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.
>
> Regards
>
> Geza Gemes

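Editor's added example (not from either poster): a small audit script for the failure mode Géza describes, where a user with a uidNumber, primary gidNumber or any group gidNumber outside the domain's "idmap config DOMAIN:range" is silently dropped by idmap_ad. It parses the range from an smb.conf fragment modelled on the one above and checks a constructed, hypothetical set of rfc2307 users and groups against it; in a real run the USERS and GROUPS tables would be filled from ldapsearch against the DC rather than hard-coded.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment modelled on the file-server config in the thread.
SMB_CONF = """\
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
"""

# Constructed directory snapshot (hypothetical users and groups, not real data).
# In a real check these would come from ldapsearch against the DC.
USERS = [
    {"name": "steve", "uidNumber": 20001, "gidNumber": 20000, "memberOf": ["Domain Users", "staff"]},
    {"name": "anna",  "uidNumber": 20002, "gidNumber": 20000, "memberOf": ["Domain Users"]},
    {"name": "bob",   "uidNumber": 513,   "gidNumber": 20000, "memberOf": ["Domain Users"]},
    {"name": "carol", "uidNumber": 20003, "gidNumber": None,  "memberOf": ["Domain Users", "admins"]},
]
GROUPS = {"Domain Users": 20000, "staff": 513, "admins": 20005}  # name -> gidNumber

# Matches lines such as "idmap config ALTEA:range = 20000-40000000".
IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def _in_range(value: Optional[int], lo: int, hi: int) -> bool:
    return value is not None and lo <= value <= hi


def check_user(user: dict, groups: Dict[str, int], lo: int, hi: int) -> List[str]:
    """List every reason idmap_ad would fail to map this user into lo..hi."""
    problems: List[str] = []
    if not _in_range(user.get("uidNumber"), lo, hi):
        problems.append(f"uidNumber {user.get('uidNumber')} missing or outside {lo}-{hi}")
    if not _in_range(user.get("gidNumber"), lo, hi):
        problems.append(f"primary gidNumber {user.get('gidNumber')} missing or outside {lo}-{hi}")
    for g in user.get("memberOf", []):
        gid = groups.get(g)  # None if the group has no gidNumber at all
        if not _in_range(gid, lo, hi):
            problems.append(f"group '{g}' gidNumber {gid} missing or outside {lo}-{hi}")
    return problems


def audit(users: List[dict], groups: Dict[str, int], domain: str,
          ranges: Dict[str, Tuple[int, int]]) -> Dict[str, List[str]]:
    """Map each user name to the list of range problems that would hide it."""
    lo, hi = ranges[domain.upper()]
    return {u["name"]: check_user(u, groups, lo, hi) for u in users}


if __name__ == "__main__":
    report = audit(USERS, GROUPS, "ALTEA", parse_idmap_ranges(SMB_CONF))
    for name, problems in report.items():
        print(f"{name:8s} {'ok' if not problems else 'WILL BE INVISIBLE'}")
        for p in problems:
            print(f"         - {p}")
```

With the constructed data, "anna" passes, "steve" is flagged because the hypothetical "staff" group has gidNumber 513 (below 20000), "bob" because his uidNumber is outside the range, and "carol" because she has no primary gidNumber. Comparing this report against "wbinfo -u" and "getent passwd" on the file server is a quicker way to confirm the cause than clearing winbind's cache first.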