[Samba] Samba4 member of another « Samba4 » domain

François Lafont flafdivers at free.fr
Mon Apr 8 19:01:47 MDT 2013


Thank you Matthieu for your answer.

On 08/04/2013 01:37, Matthieu Patou wrote:
>> 1) First attempt to join the domain in the member server
>>
>> root at member~# samba-tool domain join chezmoi.priv member -U
>> administrator --realm=chezmoi.priv
>> Password for [CHEZMOI\administrator]:
>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>
>> root at member~# ldconfig
>>
>> root at member~# smbd && nmbd
>>
>> And now impossible to run winbindd.
>>
>> -----------------------------------------------
>> root at member~# winbindd -i -d 10

[...]

>> pack_tdc_domains: Packing 2 trusted domains
>> pack_tdc_domains: Packing domain BUILTIN ()
>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>> idmap config WHEEZY-2 : range = not defined
>> Added domain WHEEZY-2  S-1-5-21-210096926-4033722923-1792459932
>> Could not fetch our SID - did we join?
>> unable to initialize domain list
>> -----------------------------------------------
> Hum, interesting, it would be worth checking that from a clean setup you
> get this issue again and again.

I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain exactly what I have done.

In the DC server *and* in the MEMBER server (both with static IPs), I have done this:

-----------------------------------------------
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
vi /etc/fstab # I add the acl and user_xattr options for "/" partition
mount -o remount /
cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz
cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
cd /usr/local/src/samba-4.0.4 && ./configure && make && make install
echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
halt
-----------------------------------------------

Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)

Then, in the DC server, I have done:

-----------------------------------------------
samba-tool domain provision # I keep the default answers each time, seems to work fine

# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo "nameserver 192.168.0.21" > /etc/resolv.conf

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-----------------------------------------------

Just for information, here is the smb.conf on the DC server after these commands:

-----------------------------------------------
# Global parameters
[global]
        workgroup = CHEZMOI
        realm = CHEZMOI.PRIV
        netbios name = WHEEZY-SERVER
        server role = active directory domain controller
        dns forwarder = 212.27.40.241

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
-----------------------------------------------

In the MEMBER server, I have done:

-----------------------------------------------
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd && nmbd
winbindd -i -d 10
-----------------------------------------------

And boom! I get the same error that I described in my previous message. The winbindd command stops.

Just for information, here is the smb.conf in the MEMBER server:

-----------------------------------------------
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
-----------------------------------------------

Have I forgotten a step?

>> 2) Second attempt to join the domain in the member server. It's better
>> but it doesn't work either.
>>
>> root at member:~# net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- CHEZMOI
>> Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
>> DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> root at member:~# ldconfig
>> root at member:~# smbd && nmbd
>> root at member:~# winbindd -i -d 10
>>
>> And winbindd seems to be ok. I have:
>>
>> root at member:~# wbinfo -u
>> administrator
>> krbtgt
>> test10
>> test11
>> guest
>> test1
>> test2
>> test3
>> test4
>> test5
>> test6
>> ...
>>
>> root at member:~# wbinfo -i test9
>> test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false
>>
>> But if I create a user in the domain controller server:
>>
>> root at dc:~# samba-tool user add test12 --random-password
>> User 'test12' created successfully
>>
>> after in the member server:
>>
>> root at member:~# wbinfo -i test12
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user test12
>>
>> Here is the stdout of winbindd during the command:
>>
>> -----------------------------------------------
>>             info                     : *
>>                  info: struct wbint_userinfo
>>                      acct_name                : *
>>                          acct_name                : 'test12'
>>                      full_name                : NULL
>>                      homedir                  : NULL
>>                      shell                    : NULL
>>                      primary_gid              : 0x00000000ffffffff
>> (4294967295)
>>                      user_sid                 :
>> S-1-5-21-3370545617-3166960116-3193249687-1115
>>                      group_sid                :
>> S-1-5-21-3370545617-3166960116-3193249687-513
>>              result                   : NT_STATUS_NOT_FOUND
>> Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115:
>> NT_STATUS_NOT_FOUND
>> wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
>> winbind_client_response_written[2813:GETPWNAM]: delivered response to
>> client
>> closing socket 23, client exited
>> -----------------------------------------------
> Don't you have rfc2307 configured?

The smb.conf of the DC server and the smb.conf of the MEMBER server are exactly as shown above in this message. So, I have "winbind nss info = rfc2307" in the smb.conf of the MEMBER server.

> If so, for the new user did you set the needed attributes?

I have just run: samba-tool user add test12 --random-password
That's all. What are the needed attributes?

Thanks for your help.

-- 
François Lafont
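One way to answer the "needed attributes" question for the idmap_ad backend with schema_mode = rfc2307, as an added example that is not part of this thread: that backend maps a SID only when the account carries uidNumber and gidNumber and both values fall inside the domain's "idmap config <DOMAIN>:range". The script below applies that check to a constructed LDIF-style export (the shape ldbsearch or ldapsearch would give) against the member server's idmap range; the account names and ID values are made up for the example.

```python
import re

# Constructed excerpt of the MEMBER server's idmap range for CHEZMOI (the value
# from the smb.conf posted above); in practice read /usr/local/samba/etc/smb.conf.
SMB_CONF = """
idmap config CHEZMOI:range = 500-40000
"""

# Constructed LDIF-style export of three accounts; all attribute values are made up.
LDIF = """
dn: CN=test9,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test9
uidNumber: 10009
gidNumber: 10000

dn: CN=test12,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test12

dn: CN=test13,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test13
uidNumber: 70005
gidNumber: 10000
"""

def idmap_range(conf, domain):
    # Parse "idmap config <DOMAIN>:range = low-high"; the range is mandatory for idmap_ad.
    m = re.search(r"idmap config %s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain), conf)
    if not m:
        raise ValueError("no idmap range configured for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    # Minimal reader: one dict per blank-line-separated entry, attributes single-valued.
    return [{k.strip(): v.strip() for k, v in (l.split(":", 1) for l in b.splitlines() if ":" in l)}
            for b in re.split(r"\n\s*\n", text.strip())]

def check_rfc2307(conf, ldif, domain="CHEZMOI"):
    # Map sAMAccountName -> why idmap_ad cannot map the account: it needs uidNumber
    # and gidNumber, and both must fall inside the domain's idmap range.
    lo, hi = idmap_range(conf, domain)
    problems = {}
    for e in parse_ldif(ldif):
        name = e.get("sAMAccountName", e.get("dn"))
        missing = [a for a in ("uidNumber", "gidNumber") if a not in e]
        if missing:
            problems[name] = "missing " + ", ".join(missing)
            continue
        bad = [a for a in ("uidNumber", "gidNumber") if not lo <= int(e[a]) <= hi]
        if bad:
            problems[name] = "%s outside idmap range %d-%d" % (", ".join(bad), lo, hi)
    return problems
```

Accounts reported by check_rfc2307 are the ones winbindd would answer with NT_STATUS_NOT_FOUND for, so fixing their attributes on the DC (or moving them into the range) is the remediation to verify.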

