[Samba] Samba4 member of another « Samba4 » domain

Gémes Géza geza at kzsdabas.hu
Tue Apr 9 22:59:31 MDT 2013


On 2013-04-10 01:32, François Lafont wrote:
> On 09/04/2013 09:34, Matthieu Patou wrote:
>
>>> On 08/04/2013 01:37, Matthieu Patou wrote:
>>> Then, in the DC server, I have done:
>>>
>>> -----------------------------------------------
>>> samba-tool domain provision # I keep the default answers each time,
>>> seems to work fine
>>>
>>> # 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>>
>>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>>> vi /etc/nsswitch.conf # add winbind for passwd and group
>>> ldconfig
>>> samba
>>> -----------------------------------------------
> [...]
>
>>> -----------------------------------------------
>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>> samba-tool domain join chezmoi.priv MEMBER -U administrator
>>> --realm=CHEZMOI.PRIV # seems to work fine
>>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>>> vi /etc/nsswitch.conf # add winbind for passwd and group
>>> ldconfig
>>> vi /usr/local/samba/etc/smb.conf # see below
>>> smbd && nmbd
>>> winbindd -i -d 10
>>> -----------------------------------------------
>>>
>>> And boom! I have the same error that I described in my previous
>>> message. The winbindd command is stopped.
> [...]
>
>> Are you sure that the two hosts have different names, as you are creating
>> everything from the same base?
> Yes, I'm absolutely sure, because the names of the 2 servers were set *during* the installation with a netinstall CD:
> - hostname == "wheezy-server" for the DC server
> - hostname == "wheezy-2" for the MEMBER server
>
>> Also could you do a net join -d 10  and attach the secrets.tdb after the
>> first join ?
> Yes, no problem. But you suggest I use this command:
> net ads join -d 10 -U administrator
>
> I would like to understand. To join a member server to a domain (with a Samba4 DC), which command should I use:
>
> 1. "net ads join -U administrator"
>
> or
>
> 2. "samba-tool domain join chezmoi.priv member -U administrator" ?
>
> So, if I understand correctly, you are asking me to try the first command (net ads join) with the "-d 10" option. Here:
>
> http://sisco.laf.free.fr/codes/samba4.zip
>
> you'll find the output of the "join" command in debug mode and the secrets.*db files (before and after the join, on the member server and on the DC server):
> - with the "net ads join -U administrator -d 10" command
> - and with the "samba-tool domain join chezmoi.priv MEMBER -U administrator" command
>
>>>> If so, for the new user, did you set the needed attributes?
>>> I have just run: samba-tool user add test12 --random-password
>>> That's all. Which are the needed attributes?
>> When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
>> to convert the SID to uid/gid, hence the error message.
> But is the "rfc2307" option in smb.conf really mandatory?
>
> 1. For example, when I install a "simple" Samba4 DC like this:
>
> -------------------------------------------------------------------
> samba-tool domain provision # I keep the default answers each time
> echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DNS server is the DC itself
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> samba
> -------------------------------------------------------------------
>
> It seems to work fine. "getent password", "wbinfo -u", "wbinfo -i user1", "wbinfo -n=user1" are OK, yet there is no "rfc2307" string in the default "smb.conf" file.
>
> 2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):
>
> -------------------------------------------------------------------
> vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
> vi /usr/local/samba/etc/smb.conf # The DC is the DNS server
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind
> ldconfig
> net ads join -U administrator
> smbd && nmbd && winbindd
> -------------------------------------------------------------------
>
> with this smb.conf file:
>
> -------------------------------------------------------------------
> # No reference to "rfc2307".
>
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -------------------------------------------------------------------
>
> and the member server seems to work fine. If I create a user toto on the DC:
>
> samba-tool user add toto --random-password
>
> On the member, I have:
>
> root at member:~# wbinfo -i toto
> toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
> root at member:~# wbinfo -n=toto
> S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)
>
> The only "problem" I see is with:
>
> root at member:~# wbinfo -u
> root at member:~# getent passwd
>
> Because the toto user isn't printed in the output. However, if I wait 5-6 minutes, the toto user appears in the output of these commands. Another solution: if I do:
>
> root at member:~# killall smbd nmbd winbindd
> root at member:~# smbd && nmbd && winbindd
>
> the toto user appears on the member server immediately.
>
> Is this behavior (the 5-6 minutes period) normal?
>
> Is this configuration correct for a member server?
>
> Thanks for your help.
>
>
You should check rfc2307 on the Samba AD: if your users do not have 
uidNumber/gidNumber attributes, they are going to be ignored by the 
winbind daemon if you specify rfc2307 schema mode on the domain member.

Regards

Geza Gemes
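The check suggested in the reply above, written out as an added example (this is not code from the thread or from the Samba project). It assumes the user entries were exported from the DC as LDIF, for instance with `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber gidNumber` (the path follows the thread's /usr/local/samba prefix); the LDIF below is constructed, not real output. The two smb.conf fragments contrast the tdb idmap the poster used with an ad/rfc2307 idmap for the CHEZMOI domain, and `winbind_visible` is a simplified model of the behaviour the reply describes, not a reimplementation of winbind.

```python
import re

# Constructed sample LDIF (hypothetical ldbsearch output from the DC).
# Only test12 carries the RFC2307 attributes; the other two users do not.
SAMPLE_LDIF = """\
dn: CN=toto,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: toto

dn: CN=test12,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test12
uidNumber: 10001
gidNumber: 10000

dn: CN=Administrator,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: Administrator
"""

# Illustrative member-server idmap fragments (CHEZMOI is the thread's domain).
# With tdb, winbind allocates ids from the range itself; with the ad backend in
# rfc2307 schema mode it reads uidNumber/gidNumber from the directory and
# ignores users that lack them.
IDMAP_TDB = """\
[global]
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
"""
IDMAP_AD_RFC2307 = """\
[global]
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 10000-19999
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Folded lines (continuations starting with a space) are unfolded; base64
    ('::') values are kept verbatim, which is fine for the numeric attributes
    audited here.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_rfc2307(entries):
    """Return sAMAccountNames of user entries lacking uidNumber or gidNumber."""
    names = []
    for entry in entries:
        name = entry.get("sAMAccountName")
        if not name:
            continue
        if "uidNumber" not in entry or "gidNumber" not in entry:
            names.append(name[0])
    return names


def winbind_visible(entries, schema_mode):
    """Simplified model of the reply: 'tdb' maps every user, 'rfc2307' only
    maps users that carry both uidNumber and gidNumber."""
    named = [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e]
    if schema_mode == "tdb":
        return named
    if schema_mode == "rfc2307":
        skipped = set(missing_rfc2307(entries))
        return [n for n in named if n not in skipped]
    raise ValueError("unknown schema_mode: %s" % schema_mode)


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("users without uidNumber/gidNumber:", missing_rfc2307(users))
    print("visible with tdb idmap    :", winbind_visible(users, "tdb"))
    print("visible with rfc2307 idmap:", winbind_visible(users, "rfc2307"))
```

Run it against a real export before switching a member to the ad/rfc2307 backend: every name in the "missing" list will disappear from `wbinfo -u` on that member until the attributes are populated on the DC.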

