[Samba] S4 DC S3 file server: samba-tool and net ads user problems

Rowland Penny rpenny at f2s.com
Thu Aug 16 13:17:52 MDT 2012


On 16/08/12 19:56, Gémes Géza wrote:
> 2012-08-16 20:07 keltezéssel, steve írta:
>> On 16/08/12 19:32, Gémes Géza wrote:
>>> 2012-08-16 18:53 keltezéssel, steve írta:
>>>> Hi everyone
>>>>
>>>> I have a S4 DC with a S3 fileserver. I want to create users and their
>>>> unixHomeDirectory on the fileserver. I can do this with a script which
>>>> uses ldapmodify. Fine so far.
>>>>
>>>> The user shows in getent passwd on the DC and in wbinfo -u on the S3
>>>> box but does not show in getent passwd on the fileserver. The user has
>>>> been created with all his rfc2307 attributes but is invisible to
>>>> winbind on the S3 box.
>>>>
>>>> I have tried restarting winbind on the S3 box but still no luck. Is
>>>> there a cache I must clear somewhere?
>>>>
>>>> How can I get new users to show on the S3 box?
>>>>
>>>> Cheers,
>>>> Steve
>>> Hi,
>>>
>>> I'm not sure I've understood your situation, so please correct me if
>>> I'm wrong. You have 3 computers:
>>>
>>> 1. Samba4 (everything works to the amount permitted by its winbind
>>> implementation)
>>
>> Does winbindd have to be running on this DC? I thought it didn't 
>> matter whether it was or it wasn't. I use nss-ldapd for mapping on 
>> this box as the S4 winbindd seems to be broken for groups.
> It is running "inside" the samba binary, you don't have/can't start it 
> independently
>>
>>> 2. Samba3 (everything works, including having homedirs and shells
>>> obtained via winbind from AD)
>> Yes. The home directory shares are all on this box.
>>> 3. Samba3 (where do you intend to have home directories, and could not
>>> list users)
>> No. I have no box 3. Just 2 boxes: S4 DC and S3 fileserver.
>>
>> Here is the conf which works on box2:
>> [global]
>> realm = hh3.site
>> workgroup = ALTEA
>> security = ADS
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-4000
>> idmap config ALTEA:backend = ad
>> idmap config ALTEA:range = 20000-40000000
>> idmap config ALTEA:schema_mode = rfc2307
>> winbind nss info = rfc2307
>> winbind expand groups = 2
>> winbind nested groups = yes
>>
>> [home]
>> path = /home2/home
>> read only = No
>>
>> [profiles]
>> path = /home2/profiles
>> read only = No
>>
>> However, m$ machines cannot write to the shares even though they are 
>> correctly listed as having the correct permissions and ownership.
> The following are for the Samba3 box:
>
> Does net ads testjoin report join ok?
> wbinfo -u lists all the users?
> wbinfo -g lists all the groups?
> wbinfo -i some_username is able to list all user info?
> Have you changed your /etc/nsswitch.conf to have?
> passwd:    files winbind
> group:       files winbind
> (others don't really matter)
> does id some_username and getent passwd some_username give meaningless 
> results?
> If all the above yes, have you checked, that the shared folder permits 
> write access for the above some_username (from linux shell first)?
>>>
>>> If that is the situation you could simply copy the config from second
>>> box to third one, and add a [homes] share and everything should work.
>>>
>>> If not, in a previous e-mail you've already written the samba config
>>> needed for having a working winbind with idmap_ad. One thing I've learned
>>> the hard way: if any of the gidNumbers of a group a user belongs to is
>>> out of the range you've specified in your smb.conf for your domain that
>>> user is going to be invisible (I've avoided it with a range = 0-10000000).
>>>
>>> If you have winbind installed by package I would try to delete
>>> /var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.
>>>
>>> Regards
>>>
>>> Geza Gemes
>>
> Hope that the above order of checks helps to find out the problem.
>
> Regards
>
> Geza Gemes
Steve,
Try looking here: https://wiki.samba.org/index.php/Samba4/Winbind

Rowland
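The range rule Geza describes above (a user becomes invisible to winbind/idmap_ad as soon as one of his groups carries a gidNumber outside the domain's "idmap config DOMAIN:range") is easy to check offline before touching the fileserver. The following script is an added example, not code from this thread or from the Samba project: it parses the idmap ranges out of an smb.conf fragment modelled on the one Steve posted, then walks a constructed set of rfc2307 users and groups (hypothetical names and numbers) and reports every user whose uidNumber, primary gidNumber or supplementary-group gidNumber falls outside the domain range, or whose group has no gidNumber at all. It generalises the thread's gidNumber case to uidNumber and missing attributes; on a real setup the USERS/GROUPS dictionaries would be filled from an LDAP search of the DC.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment, modelled on the [global] section quoted in
# the thread (hypothetical values, not taken from a real server).
SMB_CONF = """
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
"""

# Constructed rfc2307 data standing in for what an LDAP search of the DC
# would return: group name -> gidNumber (None = attribute missing).
GROUPS: Dict[str, Optional[int]] = {
    "Domain Users": 20513,
    "staff": 20100,
    "legacy": 513,      # gidNumber below the ALTEA range
    "nogid": None,      # group never given a gidNumber
}

# user -> uidNumber, primary gidNumber, supplementary group names (constructed)
USERS: Dict[str, dict] = {
    "alice": {"uidNumber": 20001, "gidNumber": 20513, "memberOf": ["Domain Users", "staff"]},
    "bob":   {"uidNumber": 20002, "gidNumber": 20513, "memberOf": ["Domain Users", "legacy"]},
    "carol": {"uidNumber": 999,   "gidNumber": 20513, "memberOf": ["Domain Users"]},
    "dave":  {"uidNumber": 20004, "gidNumber": 20513, "memberOf": ["Domain Users", "nogid"]},
}

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for m in RANGE_RE.finditer(conf):
        ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def find_invisible_users(conf: str, users: Dict[str, dict],
                         groups: Dict[str, Optional[int]]) -> Dict[str, List[str]]:
    """Map each user that idmap_ad could not resolve to the reasons why.

    A user is reported when their uidNumber, their primary gidNumber, or the
    gidNumber of any group they belong to lies outside the domain's idmap
    range, or when one of their groups has no gidNumber at all.
    """
    wg = WORKGROUP_RE.search(conf)
    if wg is None:
        raise ValueError("no workgroup line in smb.conf")
    domain = wg.group(1).upper()
    ranges = parse_idmap_ranges(conf)
    if domain not in ranges:
        raise ValueError(f"no 'idmap config {domain}:range' in smb.conf")
    lo, hi = ranges[domain]

    def out_of_range(n: int) -> bool:
        return not lo <= n <= hi

    report: Dict[str, List[str]] = {}
    for name, u in users.items():
        problems: List[str] = []
        if out_of_range(u["uidNumber"]):
            problems.append(f"uidNumber {u['uidNumber']} outside {lo}-{hi}")
        if out_of_range(u["gidNumber"]):
            problems.append(f"primary gidNumber {u['gidNumber']} outside {lo}-{hi}")
        for g in u["memberOf"]:
            gid = groups.get(g)
            if gid is None:
                problems.append(f"group '{g}' has no gidNumber")
            elif out_of_range(gid):
                problems.append(f"group '{g}' gidNumber {gid} outside {lo}-{hi}")
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Users that 'getent passwd' on the S3 box would fail to show, and why.
    for user, why in find_invisible_users(SMB_CONF, USERS, GROUPS).items():
        print(f"{user}: " + "; ".join(why))
```

With the constructed data, alice passes, bob is caught by the "legacy" group's gidNumber 513, carol by her own uidNumber 999, and dave by a group that has no gidNumber. The check deliberately ignores the "*" range: that one only governs the tdb allocator for non-domain SIDs, so it says nothing about whether a domain user's rfc2307 numbers will map.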

