[Samba] Samba4 Member Server not working

Carlos Alberto Borges Garcia dedraks at gmail.com
Thu Aug 29 11:21:50 MDT 2013


Hi,

Where can I enter these values in AD?


2013/8/29 steve <steve at steve-ss.com>

> On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
> > On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> > > Hi,
> > >
> > > I have one Samba4 server running as Active Directory Domain Controller.
> > > It's working like a charm.
> > >
> > > So I needed to add another server to be a Member Server (File Server).
> > >
> > > The server is running samba-4.0.9.
> > >
> > > Configured and compiled ok:
> > >
> > > ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> > > --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> > > --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> > > --with-shared-modules=idmap_ad,pam
> > >
> > > Installed ok.
> > >
> > > Kerberos OK.
> > > I can run kinit and klist
> > >
> > > root@MYNETSRV08:/etc/samba# kinit Administrator
> > > Password for Administrator@MYNET.NET:
> > > root@MYSRV08:/etc/samba#
> > >
> > > root@MYNETSRV08:/etc/samba# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: Administrator@MYNET.NET
> > >
> > > Valid starting    Expires           Service principal
> > > 28/08/2013 19:59  29/08/2013 05:59  krbtgt/MYNET.NET@MYNET.NET
> > >         renew until 29/08/2013 19:59
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > My SMB.CONF is below:
> > >
> > > [global]
> > >
> > >    workgroup = MYNET
> > >    security = ADS
> > >    realm = MYNET.NET
> > >    encrypt passwords = yes
> > >
> > >    idmap config *:backend = tdb
> > >    idmap config *:range = 70001-80000
> > >    idmap config MYNET:backend = ad
> > >    idmap config MYNET:schema_mode = rfc2307
> > >
> > >    idmap config MYNET:range = 500-40000
> > >
> > >    winbind nss info = rfc2307
> > >    winbind trusted domains only = no
> > >    winbind use default domain = yes
> > >    winbind enum users  = yes
> > >    winbind enum groups = yes
> > >
> > > [test]
> > >    path = /mnt/files
> > >    read only = no
> > >
> > >
> > >
> > > I can add my server to the domain:
> > >
> > > root@PCOSRV08:/etc/samba# net ads join -U administrator
> > > Enter administrator's password:
> > > Using short domain name -- MYNET
> > > Joined 'MYNETSRV08' to dns domain 'mynet.net'
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > libnss_winbind.so is in the right place:
> > >
> > > root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> > > /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
> > >
> > > The libs are loaded fine:
> > >
> > > root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> > >         libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > >         libnss_compat.so.2 -> libnss_compat-2.13.so
> > >         libnss_dns.so.2 -> libnss_dns-2.13.so
> > >         libnss_ldap.so.2 -> libnss_ldap.so.2
> > >         libnss_nis.so.2 -> libnss_nis-2.13.so
> > >         libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > >         libnss_files.so.2 -> libnss_files-2.13.so
> > >         libnss_wins.so -> libnss_wins.so.2
> > >         libnss_winbind.so -> libnss_winbind.so.2
> > >         libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > >         libnss_compat.so.2 -> libnss_compat-2.13.so
> > >         libnss_dns.so.2 -> libnss_dns-2.13.so
> > >         libnss_nis.so.2 -> libnss_nis-2.13.so
> > >         libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > >         libnss_files.so.2 -> libnss_files-2.13.so
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > I added winbind to my nsswitch.conf
> > >
> > > passwd: compat winbind
> > > group:  compat winbind
> > >
> > > I can start the daemons without issues:
> > >
> > > smbd
> > > nmbd
> > > winbindd
> > >
> > > "wbinfo -u" lists all my domain users
> > >
> > > "wbinfo -g" lists all my domain groups
> > >
> > >
> > > Here are the problems:
> > >
> > > When I run "getent passwd", it lists only the local users.
> >
> > For performance reasons, by default we do not list users in the AD
> > domain.  See winbind enum users in your smb.conf
>
> His smb.conf above shows that the OP has those lines for both users and
> groups.
> >
> > > When I run "id Administrator", it returns "No such user".
> >
> > You need to use 'id MYNET\\administrator'
> >
> smb.conf has: winbind use default domain = Yes
> Do we still need MYNET\\?
>
> Do your users have entries for:
> uidNumber
> and
> gidNumber
> in AD?
>
> Cheers
> Steve



-- 
http://www.endomondo.com/profile/3312580

See: " http://naofoiacidente.org/blog/por-quem/ "
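
An added example, not part of the original thread: with the idmap "ad" backend, winbind takes each ID from the uidNumber and gidNumber attributes stored in AD and ignores any value outside the configured range, so a user lacking them cannot be resolved. This sketch reads the idmap lines quoted above and reports why a user would not map; the sample users and their attribute values are constructed.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
   workgroup = MYNET
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config MYNET:backend = ad
   idmap config MYNET:schema_mode = rfc2307
   idmap config MYNET:range = 500-40000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def check_user(conf_text, domain, attrs):
    """List the reasons an 'ad' backend domain cannot map this user."""
    cfg = parse_idmap(conf_text).get(domain.upper())
    if not cfg or cfg.get("backend") != "ad":
        return ["domain %s does not use the idmap 'ad' backend" % domain]
    low, high = (int(x) for x in cfg["range"].split("-"))
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        value = attrs.get(attr)
        if value is None:
            problems.append("%s is not set in AD" % attr)
        elif not low <= int(value) <= high:
            problems.append(
                "%s=%s is outside range %d-%d" % (attr, value, low, high))
    return problems


if __name__ == "__main__":
    # Constructed users: one with no rfc2307 attributes, one inside the range.
    print(check_user(SMB_CONF, "MYNET", {}))
    print(check_user(SMB_CONF, "MYNET",
                     {"uidNumber": "10000", "gidNumber": "10000"}))
```

An empty list means both attributes are present and inside the MYNET range of 500-40000.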

