[Samba] Samba4 member of another « Samba4 » domain
François Lafont
flafdivers at free.fr
Mon Apr 8 19:01:47 MDT 2013
Thank you Matthieu for your answer.
On 08/04/2013 01:37, Matthieu Patou wrote:
>> 1) First attempt to join the domain in the member server
>>
>> root at member~# samba-tool domain join chezmoi.priv member -U
>> administrator --realm=chezmoi.priv
>> Password for [CHEZMOI\administrator]:
>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>
>> root at member~# ldconfig
>>
>> root at member~# smbd && nmbd
>>
>> And now impossible to run winbindd.
>>
>> -----------------------------------------------
>> root at member~# winbindd -i -d 10
[...]
>> pack_tdc_domains: Packing 2 trusted domains
>> pack_tdc_domains: Packing domain BUILTIN ()
>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>> idmap config WHEEZY-2 : range = not defined
>> Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
>> Could not fetch our SID - did we join?
>> unable to initialize domain list
>> -----------------------------------------------
> Hmm, interesting, it would be worth checking that from a clean setup you
> have this issue again and again.
I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain to you exactly what I have done.
In the DC server *and* in the MEMBER server (both with static IPs), I have done this:
-----------------------------------------------
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
vi /etc/fstab # I add the acl and user_xattr options for "/" partition
mount -o remount /
cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz
cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
cd /usr/local/src/samba-4.0.4 && ./configure && make && make install
echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
halt
-----------------------------------------------
Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)
Then, in the DC server, I have done:
-----------------------------------------------
samba-tool domain provision # I keep the default answers each time, seems to work fine
# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo "nameserver 192.168.0.21" > /etc/resolv.conf
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-----------------------------------------------
Just for information, here is the smb.conf on the DC server after these commands:
-----------------------------------------------
# Global parameters
[global]
workgroup = CHEZMOI
realm = CHEZMOI.PRIV
netbios name = WHEEZY-SERVER
server role = active directory domain controller
dns forwarder = 212.27.40.241
[netlogon]
path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-----------------------------------------------
In the MEMBER server, I have done:
-----------------------------------------------
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd && nmbd
winbindd -i -d 10
-----------------------------------------------
And boom! I have the same error which I described in my previous message. The winbindd command stops.
Just for information, here is the smb.conf in the MEMBER server:
-----------------------------------------------
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config CHEZMOI:backend = ad
idmap config CHEZMOI:schema_mode = rfc2307
idmap config CHEZMOI:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-----------------------------------------------
Have I forgotten a step?
>> 2) Second attempt to join the domain in the member server. It's better
>> but it doesn't work either.
>>
>> root at member:~# net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- CHEZMOI
>> Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
>> DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> root at member:~# ldconfig
>> root at member:~# smbd && nmbd
>> root at member:~# winbindd -i -d 10
>>
>> And winbindd seems to be OK. I have:
>>
>> root at member:~# wbinfo -u
>> administrator
>> krbtgt
>> test10
>> test11
>> guest
>> test1
>> test2
>> test3
>> test4
>> test5
>> test6
>> ...
>>
>> root at member:~# wbinfo -i test9
>> test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false
>>
>> But if I create an user in the domain controller server:
>>
>> root at dc:~# samba-tool user add test12 --random-password
>> User 'test12' created successfully
>>
>> after in the member server:
>>
>> root at member:~# wbinfo -i test12
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user test12
>>
>> Here is the stdout of winbindd during the command:
>>
>> -----------------------------------------------
>> info : *
>> info: struct wbint_userinfo
>> acct_name : *
>> acct_name : 'test12'
>> full_name : NULL
>> homedir : NULL
>> shell : NULL
>> primary_gid : 0x00000000ffffffff
>> (4294967295)
>> user_sid :
>> S-1-5-21-3370545617-3166960116-3193249687-1115
>> group_sid :
>> S-1-5-21-3370545617-3166960116-3193249687-513
>> result : NT_STATUS_NOT_FOUND
>> Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115:
>> NT_STATUS_NOT_FOUND
>> wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
>> winbind_client_response_written[2813:GETPWNAM]: delivered response to
>> client
>> closing socket 23, client exited
>> -----------------------------------------------
> Don't you have rfc2307 configured?
The smb.conf of the DC server and the smb.conf of the MEMBER server are exactly as shown above in this message. So I have « winbind nss info = rfc2307 » in the smb.conf of the MEMBER server.
> If so, for the new user did you set the needed attributes?
I have just run: samba-tool user add test12 --random-password
That's all. What are the needed attributes?
Thanks for your help.
--
François Lafont
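An added example, not part of the thread: with `idmap config CHEZMOI:backend = ad` the member server reads uidNumber/gidNumber from the directory and never allocates ids, so a user created without those attributes (like test12 above) cannot be mapped and winbind answers NT_STATUS_NOT_FOUND. This script parses the member's idmap settings quoted in the message and checks constructed user records against them; the user dicts and the account names test13/test14 are constructed sample data.

```python
import re

# Constructed copy of the member server's idmap settings from the message
# above (sample input, not read from a live smb.conf).
MEMBER_SMB_CONF = """
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config CHEZMOI:backend = ad
idmap config CHEZMOI:schema_mode = rfc2307
idmap config CHEZMOI:range = 500-40000
winbind nss info = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def required_attributes(domains, domain):
    """Attributes a user object needs before winbind can map its SID to a uid.
    idmap_ad reads ids from AD and never allocates them; tdb allocates."""
    cfg = domains.get(domain.upper(), domains.get("*", {}))
    return ("uidNumber", "gidNumber") if cfg.get("backend", "").lower() == "ad" else ()


def check_user(domains, domain, user):
    """user: dict of AD attributes as strings. Returns (ok, explanation)."""
    cfg = domains.get(domain.upper(), domains.get("*", {}))
    low, high = (int(x) for x in cfg["range"].split("-"))
    name = user["sAMAccountName"]
    for attr in required_attributes(domains, domain):
        if attr not in user:
            return False, "%s has no %s: idmap_ad returns NT_STATUS_NOT_FOUND" % (name, attr)
        if not low <= int(user[attr]) <= high:  # ids outside the range are rejected too
            return False, "%s %s=%s outside idmap range %d-%d" % (name, attr, user[attr], low, high)
    return True, "%s maps to uid %s" % (name, user.get("uidNumber", "allocated by " + cfg.get("backend", "?")))


# Constructed records: test12 as 'samba-tool user add' creates it in the message
# (no rfc2307 attributes) beside two constructed variants with ids set.
USERS = [{"sAMAccountName": "test12"},
         {"sAMAccountName": "test13", "uidNumber": "10013", "gidNumber": "10000"},
         {"sAMAccountName": "test14", "uidNumber": "50000", "gidNumber": "10000"}]

if __name__ == "__main__":
    cfg = parse_idmap(MEMBER_SMB_CONF)
    print("CHEZMOI users need:", required_attributes(cfg, "CHEZMOI"))
    for u in USERS:
        print(check_user(cfg, "CHEZMOI", u))
```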