[Samba] S4 DC S3 file server: samba-tool and net ads user problems

steve steve at steve-ss.com
Fri Aug 17 00:18:14 MDT 2012


On 08/16/2012 08:56 PM, Gémes Géza wrote:
> 2012-08-16 20:07 keltezéssel, steve írta:
>> On 16/08/12 19:32, Gémes Géza wrote:
>>> 2012-08-16 18:53 keltezéssel, steve írta:
>>>
>>> Here is the conf which works on box2:
>>> [global]
>>> realm = hh3.site
>>> workgroup = ALTEA
>>> security = ADS
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> idmap config *:backend = tdb
>>> idmap config *:range = 3000-4000
>>> idmap config ALTEA:backend = ad
>>> idmap config ALTEA:range = 20000-40000000
>>> idmap config ALTEA:schema_mode = rfc2307
>>> winbind nss info = rfc2307
>>> winbind expand groups = 2
>>> winbind nested groups = yes
>>>
>>> [home]
>>> path = /home2/home
>>> read only = No
>>>
>>> [profiles]
>>> path = /home2/profiles
>>> read only = No
>>>
>>>
> The following are for the Samba3 box:
>
> Does net ads testjoin report join ok?
> wbinfo -u lists all the users?
> wbinfo -g lists all the groups?
> wbinfo -i some_username is able to list all user info?
> Have you changed your /etc/nsswitch.conf to have?
> passwd:    files winbind
> group:       files winbind
> (others don't really matter)
> does id some_username and getent passwd some_username give meaningless 
> results?
> If all the above yes, have you checked, that the shared folder permits 
> write access for the above some_username (from linux shell first)?

Hi Geza, Rowland, everyone
OK I found it. The answer to all the above is yes. I did one further 
check with getent group which does _not_ return AD groups. getent group 
ALTEA\\group_name does however work.

Anyway I found the problem. Here is a user with rfc2307:

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120812101809.0Z
uSNCreated: 3845
name: steve2
objectGUID: 30cef31e-fba8-418a-a0e7-293ddf232c7e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-643408982-184040625-1139712187-1123
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2 at hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 129892402900000000
uidNumber: 3000024
gidNumber: 20513
unixHomeDirectory: /home2/home/steve2
loginShell: /bin/bash
homeDrive: Z:
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 66048
accountExpires: 0
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
whenChanged: 20120816093724.0Z
uSNChanged: 4030
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

hh30.hh3.site is the S4-DC and hh32.hh3.site is the S3-file server. 
Note that the entries for:
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
point to the DC _not_ the file server DOH!

I changed the entries to:
homeDirectory: \\hh32\home\steve2
profilePath: \\hh32\profiles\steve2

and home directories and profiles became meaningful once again :)

Not an easy one that. The error came because I was using the two 
existing machines to switch from s3fs all on one box to S4/S3 on two 
separate boxes.

Thanks everyone for staying with me on this.

I must say I prefer the DC with s3fs on one box.
Cheers,
Steve
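The root cause above was that the user's homeDirectory and profilePath UNC paths still named the DC (hh30) instead of the S3 file server (hh32), which is easy to miss in an ldbsearch dump. The following is an added example, not code from the thread or from Samba, that parses an LDIF user record like the one Steve posted, flags any UNC-valued attribute whose server is not the expected file server, and builds the LDIF "changetype: modify" that repoints them. The sample record is constructed from the attributes shown above; the file server name and the attribute list are parameters, and feeding the result to a tool such as ldbmodify is left to the operator.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample record (modelled on the rfc2307 user in the post, trimmed),
# with homeDirectory/profilePath still pointing at the DC host hh30.
SAMPLE_LDIF = r"""dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
sAMAccountName: steve2
uidNumber: 3000024
gidNumber: 20513
unixHomeDirectory: /home2/home/steve2
loginShell: /bin/bash
homeDrive: Z:
objectClass: top
objectClass: posixAccount
objectClass: user
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
"""

# Attributes whose values are UNC paths that must name the file server, not the DC.
UNC_ATTRS = ("homeDirectory", "profilePath")

# \\server\share\rest... ; captures the server and everything after it.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<rest>.+)$")


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF record into {attribute (lower-case): [values]}.

    Handles folded continuation lines (leading space) and multi-valued
    attributes such as objectClass. Base64 ("attr:: ...") values are kept
    as-is; none occur in the sample.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    record: Dict[str, List[str]] = {}
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        record.setdefault(attr.strip().lower(), []).append(value.strip())
    return record


def unc_host(path: str) -> Optional[str]:
    """Return the short, lower-cased server name of a UNC path, or None."""
    m = UNC_RE.match(path)
    return m.group("host").lower().split(".")[0] if m else None


def find_misrouted_paths(record: Dict[str, List[str]], file_server: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs whose UNC server is not file_server.

    Non-UNC values are reported too, since a plain path in these attributes
    is equally unusable by Windows clients.
    """
    expected = file_server.lower().split(".")[0]
    bad: List[Tuple[str, str]] = []
    for attr in UNC_ATTRS:
        for value in record.get(attr.lower(), []):
            if unc_host(value) != expected:
                bad.append((attr, value))
    return bad


def retarget_ldif(record: Dict[str, List[str]], file_server: str) -> str:
    """Build an LDIF modify that repoints misrouted UNC attributes at file_server.

    Only the server component changes; share and sub-path are preserved.
    Returns an empty string when nothing needs fixing.
    """
    short = file_server.split(".")[0]
    changes: List[str] = []
    for attr, value in find_misrouted_paths(record, file_server):
        m = UNC_RE.match(value)
        if not m:
            continue                      # not a UNC path; needs manual review
        new_value = "\\\\" + short + "\\" + m.group("rest")
        changes.append(f"replace: {attr}\n{attr}: {new_value}\n-")
    if not changes:
        return ""
    return "\n".join([f"dn: {record['dn'][0]}", "changetype: modify", *changes]) + "\n"


if __name__ == "__main__":
    rec = parse_ldif(SAMPLE_LDIF)
    for attr, value in find_misrouted_paths(rec, "hh32.hh3.site"):
        print(f"{attr} points at {unc_host(value)!r}, expected file server: {value}")
    print(retarget_ldif(rec, "hh32.hh3.site"), end="")
```

Run against a real dump, the same check can be applied to every user record in an ldbsearch export (split on blank lines) before the S3 box is put into service, which would have caught the DOH moment above in seconds.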