[Samba] Samba4 member of another « Samba4 » domain
François Lafont
flafdivers at free.fr
Tue Apr 9 17:32:13 MDT 2013
On 09/04/2013 09:34, Matthieu Patou wrote:
>> On 08/04/2013 01:37, Matthieu Patou wrote:
>> Then, on the DC server, I have done:
>>
>> -----------------------------------------------
>> samba-tool domain provision # I keep the default answers each time, seems to work fine
>>
>> # 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>
>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>> vi /etc/nsswitch.conf # add winbind for passwd and group
>> ldconfig
>> samba
>> -----------------------------------------------
[...]
>> -----------------------------------------------
>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>> samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>> vi /etc/nsswitch.conf # add winbind for passwd and group
>> ldconfig
>> vi /usr/local/samba/etc/smb.conf # see below
>> smbd && nmbd
>> winbindd -i -d 10
>> -----------------------------------------------
>>
>> And boom! I get the same error that I described in my previous
>> message. The winbindd command stops.
[...]
> Are you sure that the two hosts have different names, as you are creating
> everything from the same base?
Yes, I'm absolutely sure, because the names of the 2 servers were set *during* the installation with a netinstall CD:
- hostname == "wheezy-server" for the DC server
- hostname == "wheezy-2" for the MEMBER server
> Also, could you do a net join -d 10 and attach the secrets.tdb after the
> first join?
Yes, no problem. But you suggest I use this command:
net ads join -d 10 -U administrator
I would like to understand. To join a member server to a domain (with a Samba4 DC), which command should I use:
1. "net ads join -U administrator"
or
2. "samba-tool domain join chezmoi.priv member -U administrator" ?
So, if I understand correctly, you are asking me to try the first command (net ads join) with the "-d 10" option. Here:
http://sisco.laf.free.fr/codes/samba4.zip
you'll find the output of the "join" command in debug mode and the secrets.*db files (before and after the join, on the member server and on the DC server):
- with the "net ads join -U administrator -d 10" command
- and with the "samba-tool domain join chezmoi.priv MEMBER -U administrator" command
>>> If so, for the new user, did you set the needed attributes?
>> I have just run: samba-tool user add test12 --random-password
>> That's all. Which are the needed attributes?
> When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
> in order to convert the SID to uid/gid, hence the error message.
But is the "rfc2307" option in smb.conf really mandatory?
1. For example, when I install a "simple" Samba4 DC like this:
-------------------------------------------------------------------
samba-tool domain provision # I keep the default answers each time
echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DNS server is the DC itself
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-------------------------------------------------------------------
It seems to work fine. "getent passwd", "wbinfo -u", "wbinfo -i user1", "wbinfo -n=user1" are OK, yet there is no "rfc2307" string in the default "smb.conf" file.
2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):
-------------------------------------------------------------------
vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DC is the DNS server
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind
ldconfig
net ads join -U administrator
smbd && nmbd && winbindd
-------------------------------------------------------------------
with this smb.conf file:
-------------------------------------------------------------------
# No reference to "rfc2307".
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
and the member server seems to work fine. If I create a user toto on the DC:
samba-tool user add toto --random-password
On the member, I have:
root at member:~# wbinfo -i toto
toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
root at member:~# wbinfo -n=toto
S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)
The only "problem" I see is with:
root at member:~# wbinfo -u
root at member:~# getent passwd
Because the toto user isn't printed in the output. However, if I wait 5-6 minutes, the toto user appears in the output of these commands. Another solution: if I do:
root at member:~# killall smbd nmbd winbindd
root at member:~# smbd && nmbd && winbindd
the toto user appears on the member server immediately.
Is this behavior (the 5-6 minutes period) normal?
Is this configuration correct for a member server?
Thanks for your help.
--
François Lafont
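The check below is an added example, not code from the original message or from the Samba project: it parses the `idmap config *:range` from the member server's smb.conf quoted in the message (copied here as constructed input) and verifies that the uid and gid winbind returned for toto fall inside that range and do not reuse a local account's uid. The local passwd lines, including the one that overlaps the range, are constructed for the demonstration.

```shell
#!/bin/sh
# Added check (not from the post): do the ids that winbind hands out for a
# domain user sit inside "idmap config *:range", and do they stay clear of
# local accounts?

# Constructed input: the [global] lines from the member server's smb.conf.
SMB_CONF='[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind use default domain = yes'

# Constructed input standing in for /etc/passwd; the last entry is made up
# to overlap the idmap range so the collision check has something to find.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc-app:x:70011:70011:constructed local account:/srv/app:/usr/sbin/nologin'

# Print "LOW HIGH" parsed from the default-domain idmap range.
idmap_range() {
    printf '%s\n' "$SMB_CONF" |
      sed -n 's/^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p'
}

# Argument: a passwd-style line as printed by "wbinfo -i USER".
# Returns 0 if uid and gid both fall inside the idmap range, 1 if not,
# 2 if smb.conf carries no usable range (winbind could not allocate ids).
ids_in_idmap_range() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    set -- $(idmap_range)
    [ -n "$2" ] || { echo "no 'idmap config *:range' found" >&2; return 2; }
    [ "$uid" -ge "$1" ] && [ "$uid" -le "$2" ] &&
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# Argument: a passwd-style line. Returns 0 if its uid is also a local uid
# (NSS then answers by nsswitch order, not by intent), 1 otherwise.
uid_collides_locally() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    printf '%s\n' "$LOCAL_PASSWD" | cut -d: -f3 | grep -qx "$uid"
}

# Example run with the "wbinfo -i toto" line from the post.
WBINFO_LINE='toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false'
ids_in_idmap_range "$WBINFO_LINE" && echo "toto: ids inside idmap range"
uid_collides_locally "$WBINFO_LINE" && echo "toto: uid reused by a local account"
```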