[Samba] Samba4 Member Server not working
Andrew Bartlett
abartlet at samba.org
Wed Aug 28 17:14:48 MDT 2013
On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> Hi,
>
> I have one Samba4 server running as Active Directory Domain Controller.
> It's working like a charm.
>
> So I needed to add another server to be a Member Server (File Server).
>
> The server is running samba-4.0.9.
>
> Configured and compiled ok:
>
> ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> --with-shared-modules=idmap_ad,pam
>
> Installed ok.
>
> Kerberos OK.
> I can run kinit and klist
>
> root@MYNETSRV08:/etc/samba# kinit Administrator
> Password for Administrator@MYNET.NET:
> root@MYSRV08:/etc/samba#
>
> root@MYNETSRV08:/etc/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@MYNET.NET
>
> Valid starting Expires Service principal
> 28/08/2013 19:59 29/08/2013 05:59 krbtgt/MYNET.NET@MYNET.NET
> renew until 29/08/2013 19:59
> root@MYNETSRV08:/etc/samba#
>
> My SMB.CONF is below:
>
> [global]
>
> workgroup = MYNET
> security = ADS
> realm = MYNET.NET
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
>
> idmap config MYNET:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> [test]
> path = /mnt/files
> read only = no
>
>
>
> I can add my server to domain:
>
> root@PCOSRV08:/etc/samba# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- MYNET
> Joined 'MYNETSRV08' to dns domain 'mynet.net'
> root@MYNETSRV08:/etc/samba#
>
> libnss_winbind.so is in the right place:
>
> root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>
> The libs are loaded fine:
>
> root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_ldap.so.2 -> libnss_ldap.so.2
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> libnss_wins.so -> libnss_wins.so.2
> libnss_winbind.so -> libnss_winbind.so.2
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> root@MYNETSRV08:/etc/samba#
>
> I added winbind to my nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
>
> I can start the daemons without issues:
>
> smbd
> nmbd
> winbindd
>
> "wbinfo -u" lists all my domain users
>
> "wbinfo -g" lists all my domain groups
>
>
> Here are the problems:
>
> When I run "getent passwd", it lists only the local users.

For performance reasons, by default we do not list users in the AD
domain. See winbind enum users in your smb.conf

> When I run "id Administrator", it returns "No such user".

You need to use 'id MYNET\\administrator'

> If I try to access the share defined in smb.conf, the server does not
> recognize my user/password.

Can you give more detail on this part of the issue, and include logs
etc?

Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
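
An added example, not part of the thread and not Samba code: it parses `idmap config` lines like those in the quoted smb.conf, checks that the ID ranges do not overlap, and models the `ad` backend rule that an account resolves through NSS only when AD stores a uidNumber inside the domain's range. The sample config is reconstructed from the post; the function names and the uidNumber values passed to `ad_backend_maps` are assumptions made for illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the post.
SMB_CONF = """\
[global]
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 500-40000
"""

# smb.conf tolerates spaces around ':' and '=' and ignores case in option names.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes an (lo, hi) tuple."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines ('#', ';') never match
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if opt == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[opt] = val
    return domains

def check_ranges(domains):
    """Report domains without a range and any overlapping ID ranges."""
    problems = [f"{d}: no range set" for d, o in sorted(domains.items()) if "range" not in o]
    ranged = sorted((o["range"], d) for d, o in domains.items() if "range" in o)
    for ((lo1, hi1), d1), ((lo2, hi2), d2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

def ad_backend_maps(domains, domain, uid_number):
    """Model of backend 'ad': IDs come from AD, nothing is allocated locally.
    uid_number is the account's uidNumber attribute, or None if it is unset."""
    opts = domains[domain.upper()]
    if opts.get("backend") != "ad":
        raise ValueError("this helper only models the ad backend")
    lo, hi = opts["range"]
    return uid_number is not None and lo <= uid_number <= hi

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(check_ranges(cfg) or "ranges OK")
    print("uidNumber unset resolves:", ad_backend_maps(cfg, "MYNET", None))
```
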