[Samba] S4 DC S3 file server: samba-tool and net ads user problems

Gémes Géza geza at kzsdabas.hu
Thu Aug 16 12:56:32 MDT 2012


On 2012-08-16 20:07, steve wrote:
> On 16/08/12 19:32, Gémes Géza wrote:
>> On 2012-08-16 18:53, steve wrote:
>>> Hi everyone
>>>
>>> I have an S4 DC with an S3 fileserver. I want to create users and their
>>> unixHomeDirectory on the fileserver. I can do this with a script which
>>> uses ldapmodify. Fine so far.
>>>
>>> The user shows in getent passwd on the DC and in wbinfo -u on the S3
>>> box but does not show in getent passwd on the fileserver. The user has
>>> been created with all his rfc2307 attributes but is invisible to
>>> winbind on the S3 box.
>>>
>>> I have tried restarting winbind on the S3 box but still no luck. Is
>>> there a cache I must clear somewhere?
>>>
>>> How can I get new users to show on the S3 box?
>>>
>>> Cheers,
>>> Steve
>> Hi,
>>
>> I'm not sure I've understood your situation, so please correct me if I'm
>> wrong. You have 3 computers:
>>
>> 1. Samba4 (everything works to the extent permitted by its winbind
>> implementation)
>
> Does winbindd have to be running on this DC? I thought it didn't
> matter whether it was or it wasn't. I use nss-ldapd for mapping on
> this box as the S4 winbindd seems to be broken for groups.
It is running "inside" the samba binary; you don't have to (and can't) start it
independently.
>
>> 2. Samba3 (everything works, including having homedirs and shells
>> obtained via winbind from AD)
> Yes. The home directory shares are all on this box.
>> 3. Samba3 (where you intend to have home directories, and which could not
>> list users)
> No. I have no box 3. Just 2 boxes: S4 DC and S3 fileserver.
>
> Here is the conf which works on box2:
> [global]
> realm = hh3.site
> workgroup = ALTEA
> security = ADS
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config *:backend = tdb
> idmap config *:range = 3000-4000
> idmap config ALTEA:backend = ad
> idmap config ALTEA:range = 20000-40000000
> idmap config ALTEA:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
>
> [home]
> path = /home2/home
> read only = No
>
> [profiles]
> path = /home2/profiles
> read only = No
>
> However, m$ machines cannot write to the shares even though they are
> correctly listed as having the correct permissions and ownership.
The following are for the Samba3 box:

Does net ads testjoin report join OK?
Does wbinfo -u list all the users?
Does wbinfo -g list all the groups?
Is wbinfo -i some_username able to list all user info?
Have you changed your /etc/nsswitch.conf to have:
passwd:    files winbind
group:     files winbind
(the others don't really matter)
Do id some_username and getent passwd some_username give meaningful
results?
If all the above are yes, have you checked that the shared folder permits
write access for the above some_username (from the Linux shell first)?
>>
>> If that is the situation you could simply copy the config from the second
>> box to the third one, add a [homes] share, and everything should work.
>>
>> If not, in a previous e-mail of yours you've already written the samba config
>> needed for having a working winbind with idmap_ad. One thing I've learned
>> the hard way: if any of the gidNumbers of a group a user belongs to is
>> out of the range you've specified in your smb.conf for your domain, that
>> user is going to be invisible (I've avoided it with a range =
>> 0-10000000).
>>
>> If you have winbind installed by package I would try to delete
>> /var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.
>>
>> Regards
>>
>> Geza Gemes
>
Hope that the above order of checks helps to find the problem.

Regards

Geza Gemes
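As an added example (not from the thread, and not Samba's own tooling), here is a small POSIX sh script that does offline versions of two of the checks listed above: whether nsswitch.conf lists winbind on both the passwd: and group: lines, and whether a user's gidNumbers all fall inside the idmap range configured for the domain in smb.conf, since a group gid outside that range is the case that makes the user invisible to winbind. The live checks (net ads testjoin, wbinfo) are not run here. The file contents are constructed samples (the smb.conf fragment reuses the idmap lines quoted above) and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes POSIX sh and awk.
# All file contents below are constructed samples for demonstration.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed nsswitch.conf that lists winbind for both passwd and group.
cat > "$tmp/nsswitch.good" <<'EOF'
passwd:    files winbind
group:     files winbind
shadow:    files
EOF

# Constructed nsswitch.conf where the group: line forgot winbind.
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:    files winbind
group:     files
EOF

# Constructed smb.conf fragment using the idmap lines from the thread.
cat > "$tmp/smb.conf" <<'EOF'
[global]
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
EOF

# Returns 0 when both the passwd: and group: lines of file $1 include winbind.
nsswitch_has_winbind() {
    awk '
        /^[ \t]*passwd:/ && /winbind/ { p = 1 }
        /^[ \t]*group:/  && /winbind/ { g = 1 }
        END { exit !(p && g) }
    ' "$1"
}

# Prints the "idmap config <domain>:range" value from smb.conf $1 for domain $2
# (prints nothing if that domain has no range line).
idmap_range() {
    awk -v dom="$2" -F'[:=]' '
        /^[ \t]*idmap config/ {
            key = $1; sub(/^[ \t]*idmap config[ \t]*/, "", key); gsub(/[ \t]/, "", key)
            opt = $2; gsub(/[ \t]/, "", opt)
            if (key == dom && opt == "range") {
                val = $3; gsub(/[ \t]/, "", val); print val; exit
            }
        }
    ' "$1"
}

# gids_in_range <smb.conf> <domain> <gid>...: returns 0 when every gidNumber
# lies inside the domain's idmap range, 1 on the first one outside it, and 2
# when the domain has no range configured at all.
gids_in_range() {
    range=$(idmap_range "$1" "$2") || return 2
    [ -n "$range" ] || return 2
    lo=${range%-*}; hi=${range#*-}
    shift 2
    for gid in "$@"; do
        if [ "$gid" -lt "$lo" ] || [ "$gid" -gt "$hi" ]; then
            echo "gidNumber $gid is outside idmap range $range" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration on the constructed files.
nsswitch_has_winbind "$tmp/nsswitch.good" && echo "nsswitch.good: winbind on passwd and group"
nsswitch_has_winbind "$tmp/nsswitch.bad"  || echo "nsswitch.bad: group line lacks winbind"
gids_in_range "$tmp/smb.conf" ALTEA 20000 20513 && echo "gids 20000 20513: inside ALTEA range"
gids_in_range "$tmp/smb.conf" ALTEA 20000 513 || echo "gid 513: user would be invisible"
```

To use it against a real box, point the functions at /etc/nsswitch.conf and /etc/samba/smb.conf and feed gids_in_range the gidNumber of the user's primary group plus those of every group it belongs to (for instance from the output of id some_username, which is what wbinfo and getent should agree on).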