[Samba] Domain users not resolving...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 25 09:01:07 MDT 2014


Alright, but I am curious as to why I would not use the same name or IP 
address? Once I remove the DC and verify it is gone using the AD tools 
in Windows, what would be the harm? I ask because the prior company does 
have a good network setup and naming scheme (similar to our own, 
actually) and I would like to reuse it. I'm going to start reading those 
articles now. Thanks for the help, I appreciate it.

On 8/25/2014 10:33 AM, L.P.H. van Belle wrote:
> You have 2 DCs.  That's good.
> Well, now it's easy...
>
> First check where the FSMO roles are running and, if needed, move them all to DC1.
> samba-tool fsmo show
> see: (https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles)
>
> Remove the old server from the domain,
> see: ( https://wiki.samba.org/index.php/Demote_a_Samba_DC )
>
> and I advise using another name and another IP, to avoid possible problems with the old name/IP of the old server.
> Then install the new server, join the domain and let it sync its DB.
> etc etc.
> Start from here, I suggest.
> You know where to find us.  ;-)
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: ryana at reachtechfp.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>> Sent: Monday 25 August 2014 16:19
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Domain users not resolving...
>>
>> Rowland, I would LOVE to upgrade, but as I am brand-new to this location
>> and it has this borked Samba install, I am hesitant. Is there a guide or
>> wiki article on the correct way to do this? If it was just going from
>> Squeeze to Wheezy, that's cake! I am more concerned with the location of
>> everything relating to Samba. Since it is all on "/samba", what do I
>> need to back up? I am assuming the following is what I need to do, but
>> must make sure first. I do not want to have to rebuild an entire domain
>> if I can help it!
>>
>> /samba/etc -> /etc/samba
>> /samba/lib -> /var/lib/samba
>> /samba/private -> /var/lib/samba/private
>> /samba/locks/sysvol -> /var/lib/samba/sysvol
>>
>> Is this correct? The locations on the right of the arrow are where those
>> directories are on my functioning domain controllers at other locations.
>> I've never seen a setup like this before. However, due to this location
>> having TWO DCs, I could easily take one down, install Wheezy from
>> scratch (clean install) and set it up correctly, allow it to sync, then
>> do the other one. Am I correct in that?
>>
>> On 8/25/2014 9:45 AM, L.P.H. van Belle wrote:
>>> Hai Rowland,
>>>
>>> Yeah, I know.
>>> The DCs are using sernet-samba and the links aren't there because I don't use it. ;-)
>>> That's the same with the "Proper sysvol replication solution..." thread.
>>> Yes, I have mixed XIDs on my DCs, but I have all correct UIDs on my sysvol.
>>> And yes, samba-tool ntacl sysvolcheck gives:
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception  etc...
>>> But I don't mind. All my shares on the DC (sysvol and netlogon) (used from within Windows) work 100% OK.
>>> GPO is processed without errors, so I don't care. I just don't run samba-tool ntacl sysvolcheck  :-)
>>> My logs on my DC (all my Debian server logs) are all error free,
>>> and I rechecked my Windows logs after a login, after I saw the thread about it to be really long,
>>> but same there, 100% error free.
>>>
>>> But thanks for the notice!
>>>
>>> and for Ryan.
>>>
>>> The debian Samba (backports 4.1.11 ) paths
>>> Paths:
>>>      SBINDIR: /usr/sbin
>>>      BINDIR: /usr/bin
>>>      CONFIGFILE: /etc/samba/smb.conf
>>>      LOGFILEBASE: /var/log/samba
>>>      LMHOSTSFILE: /etc/samba/lmhosts
>>>      LIBDIR: /usr/lib/x86_64-linux-gnu
>>>      MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
>>>      SHLIBEXT: so
>>>      LOCKDIR: /var/run/samba
>>>      STATEDIR: /var/lib/samba
>>>      CACHEDIR: /var/cache/samba
>>>      PIDDIR: /var/run/samba
>>>      SMB_PASSWD_FILE: /etc/samba/smbpasswd
>>>      PRIVATE_DIR: /var/lib/samba/private
>>>
>>> Just compare them with your local installed ones, then stop samba, install backports samba, stop samba (the backports version), copy the old files to the above locations and start samba.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: rowlandpenny at googlemail.com
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>>> Sent: Monday 25 August 2014 15:32
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Domain users not resolving...
>>>>
>>>> On 25/08/14 14:22, L.P.H. van Belle wrote:
>>>>> Why don't you upgrade to Debian Wheezy and start using either wheezy-backports samba or sernet-samba.
>>>>> If you back up all your old samba files, the transfer from an own build of samba to Debian samba (or sernet samba)
>>>>> isn't that hard.
>>>>>
>>>>> About the id:
>>>>>
>>>>> on my DC : id user  => not found, but must say, I don't use my DC for anything else but being a DC with sysvol.
>>>>> getent passwd => nothing  (and correct, I don't have winbind set in my nsswitch.conf)
>>>>> wbinfo -u = all my users
>>>>> wbinfo -g = all my groups.
>>>> Hi Louis, this is probably because you don't have the winbind links
>>>> installed, on Debian using samba from backports this is easy, you just
>>>> need to install a few packages, but when you compile samba4, you need to
>>>> create a couple of symlinks. There used to be a samba4 winbind page in
>>>> the wiki, but this seems to have vanished.
>>>>
>>>> Rowland
>>>>> on my member server : id user1 : uid=5003(user1) gid=5000(domain users) groups=5000(domain users),4294967295,4294967295,4294967295,4294967295,50002(BUILTIN\users)
>>>>> getent passwd => only the users with UID assigned.
>>>>> getent group => only groups with GID assigned.
>>>>> wbinfo -u = all my users
>>>>> wbinfo -g = all my groups.
>>>>>
>>>>> But just a question: what are you using the RFC2307 uid on the DC server for?
>>>>> Check if your smb.conf on all your Domain Controllers contains the following parameter in the „[global]“ section:
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> ( see http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC  )
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: ryana at reachtechfp.com
>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>>> Sent: Monday 25 August 2014 14:59
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Domain users not resolving...
>>>>>>
>>>>>> On 08/23/2014 04:26 AM, Rowland Penny wrote:
>>>>>>> On 23/08/14 01:19, Ryan Ashley wrote:
>>>>>>>> Rowland, I did not do this. This is a new client who dropped their
>>>>>>>> old IT support due to issues on the network. I found out it was not
>>>>>>>> having access to the sysvol. That is where I figured out what I have.
>>>>>>>> I do use FHS in my builds, but I would never put it into a root
>>>>>>>> directory like this. I guess the other team was testing Samba and
>>>>>>>> using a client to test on! I do agree 100% that the issue is the
>>>>>>>> path. However, I can feel good that I didn't do such a bone-headed move!
>>>>>>>> Sorry for the lack of files, I had to figure out how it was set up.
>>>>>>>> Everything, including the configuration file is in "/samba", which
>>>>>>>> appears to be a separate partition. Here is what you requested.
>>>>>>>>
>>>>>>>> Samba 4.1.11 64bit
>>>>>>>> Debian Squeeze 64bit
>>>>>>>>
>>>>>>>> =========
>>>>>>>> smb.conf:
>>>>>>>> =========
>>>>>>>> # Global parameters
>>>>>>>> [global]
>>>>>>>>            workgroup = DOMAIN
>>>>>>>>            realm = DOMAIN.LOCAL
>>>>>>>>            netbios name = DC01
>>>>>>>>            server role = active directory domain controller
>>>>>>>>            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>>>            interfaces = 127.0.0.1, 192.168.0.1
>>>>>>>>
>>>>>>>> [netlogon]
>>>>>>>>            path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>>>>>            read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>>            path = /samba/var/locks/sysvol
>>>>>>>>            read only = No
>>>>>>>>
>>>>>>>> =========
>>>>>>>> krb5.conf:
>>>>>>>> =========
>>>>>>>> [libdefaults]
>>>>>>>>            default_realm = DOMAIN.LOCAL
>>>>>>>>            dns_lookup_realm = false
>>>>>>>>            dns_lookup_kdc = true
>>>>>>>>
>>>>>>>> =================
>>>>>>>> Rowland's Request:
>>>>>>>> =================
>>>>>>>> root at dc01:~# /samba/sbin/samba -b
>>>>>>>> Samba version: 4.1.11
>>>>>>>> Build environment:
>>>>>>>>       Build host:  Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
>>>>>>>> Paths:
>>>>>>>>       BINDIR: /samba/bin
>>>>>>>>       SBINDIR: /samba/sbin
>>>>>>>>       CONFIGFILE: /samba/etc/smb.conf
>>>>>>>>       NCALRPCDIR: /samba/var/run/ncalrpc
>>>>>>>>       LOGFILEBASE: /samba/var
>>>>>>>>       LMHOSTSFILE: /samba/etc/lmhosts
>>>>>>>>       DATADIR: /samba/share
>>>>>>>>       MODULESDIR: /samba/lib
>>>>>>>>       LOCKDIR: /samba/var/lock
>>>>>>>>       STATEDIR: /samba/var/locks
>>>>>>>>       CACHEDIR: /samba/var/cache
>>>>>>>>       PIDDIR: /samba/var/run
>>>>>>>>       PRIVATE_DIR: /samba/private
>>>>>>>>       CODEPAGEDIR: /samba/share/codepages
>>>>>>>>       SETUPDIR: /samba/share/setup
>>>>>>>>       WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>>>>>>>       WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>>>>>>>       NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>>>>>>
>>>>>>>> No IDs have been set up. The rfc2307 stuff is there, but they're not
>>>>>>>> using it. They have two Samba DCs and everything else is Windows 7.
>>>>>>>> They were using rsync to sync the sysvol, which had caused issues
>>>>>>>> with GID/UID on the second DC, but I fixed that already. Well, tried
>>>>>>>> to anyway. It is set up the EXACT same way. It also has issues with
>>>>>>>> this stuff.
>>>>>>>>
>>>>>>>> I have a theory as to how to fix this but want advice first. If I am
>>>>>>>> wrong, so be it. I would like to build Samba the STANDARD way (FHS,
>>>>>>>> bin files go to /bin, etc) but have one concern. If I do this, do I
>>>>>>>> simply need to adjust the paths in the configuration file and move
>>>>>>>> the sysvol to the proper location? On all of the systems I do, this
>>>>>>>> is always "/var/lib/samba/sysvol". I would obviously have to move the
>>>>>>>> tdb files and such to "/var/lib/samba" as well. Would that work, or
>>>>>>>> am I going to have to deal with this the way it is?
>>>>>>>>
>>>>>>>> If you need anything else, please ask. Remember, this is a DC and
>>>>>>>> while rfc2307 attributes exist, they're not being used. Probably due
>>>>>>>> to no Linux member servers.
>>>>>>>>
>>>>>>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>>>>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> On 22.08.2014 20:48, Ryan Ashley wrote:
>>>>>>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>>>>>>> "/samba". The configure command on the DC is "configure
>>>>>>>>>>> --prefix=/samba". The links for libnss_wins.so.2 and libnss_winbind.so.2
>>>>>>>>>>> are there and nsswitch.conf is told to use winbind. However, "getent
>>>>>>>>>>> group" returns only local users, "id" finds NO domain users, and "getent
>>>>>>>>>>> passwd" returns only local users. I did do a rebuild of Samba after
>>>>>>>>>>> verifying the dependencies were there and configured/installed the same
>>>>>>>>>>> way so everything is in place. Still no dice. This guy was still running
>>>>>>>>>>> Debian Squeeze so the install is probably old. Things seem to run, but
>>>>>>>>>>> no systems can access the sysvol even after a reset, which led to this
>>>>>>>>>>> discovery.
>>>>>>>>>>>
>>>>>>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin" should be
>>>>>>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this my issue
>>>>>>>>>>> or what am I looking at? Yes, I stepped into it this time...
>>>>>>>>>> It would be much easier to help, if you give some information about
>>>>>>>>>> your environment.
>>>>>>>>>>
>>>>>>>>>> - smb.conf
>>>>>>>>>> - Samba version
>>>>>>>>>> - IDs, etc. configured in your backend (depending on your Idmap config)
>>>>>>>>>> - etc.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Marc
>>>>>>>>>>
>>>>>>>>> It would also help if you followed the howto and didn't change bits
>>>>>>>>> that you don't like, just why did you install into /samba instead of
>>>>>>>>> /usr/local/samba ?
>>>>>>>>> Everything out there is based on self compiling into
>>>>>>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>>>>>> having said this, it is possibly/probably a path problem, could you
>>>>>>>>> please post (along with what Marc has asked for) the result of
>>>>>>>>> 'samba -b'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>> OK, what does 'echo "$PATH"' return, does it have '/samba/sbin' &
>>>>>>> '/samba/bin' in it ?
>>>>>>>
>>>>>>> If not, try this:
>>>>>>>
>>>>>>> export PATH=/samba/sbin:/samba/bin:$PATH
>>>>>>>
>>>>>>> if everything now works correctly, do this:
>>>>>>>
>>>>>>> echo "PATH=/samba/sbin:/samba/bin:$PATH" > /etc/profile.d/samba4.sh
>>>>>>> Rowland
>>>>>> Rowland, nothing in /samba is in the path. I had already tried your
>>>>>> suggestion, but I did it again this morning and here are my results. It
>>>>>> does not fix the issue. I also included some configuration files and such.
>>>>>>
>>>>>> root at dc01:~# echo "$PATH"
>>>>>> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>>>>>> root at dc01:~# export PATH=$PATH:/samba/bin:/samba/sbin
>>>>>> root at dc01:~# id maliag
>>>>>> id: maliag: No such user
>>>>>> root at dc01:~# id michaelh
>>>>>> id: michaelh: No such user
>>>>>> root at dc01:~# getent passwd
>>>>>> root:x:0:0:root:/root:/bin/bash
>>>>>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>>>>>> bin:x:2:2:bin:/bin:/bin/sh
>>>>>> sys:x:3:3:sys:/dev:/bin/sh
>>>>>> sync:x:4:65534:sync:/bin:/bin/sync
>>>>>> games:x:5:60:games:/usr/games:/bin/sh
>>>>>> man:x:6:12:man:/var/cache/man:/bin/sh
>>>>>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>>>>>> mail:x:8:8:mail:/var/mail:/bin/sh
>>>>>> news:x:9:9:news:/var/spool/news:/bin/sh
>>>>>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>>>>>> proxy:x:13:13:proxy:/bin:/bin/sh
>>>>>> www-data:x:33:33:www-data:/var/www:/bin/sh
>>>>>> backup:x:34:34:backup:/var/backups:/bin/sh
>>>>>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>>>>>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>>>>>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>>>>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>>>>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>>>>>> ntp:x:101:103::/home/ntp:/bin/false
>>>>>> sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
>>>>>> bind:x:103:105::/var/cache/bind:/bin/false
>>>>>> root at dc01:~# cat /samba/etc/smb.conf
>>>>>> # Global parameters
>>>>>> [global]
>>>>>>            workgroup = KIGM
>>>>>>            realm = KIGM.LOCAL
>>>>>>            netbios name = DC01
>>>>>>            server role = active directory domain controller
>>>>>>            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>            interfaces = 127.0.0.1, 192.168.0.1
>>>>>>
>>>>>> [netlogon]
>>>>>>            path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>>>            read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>>            path = /samba/var/locks/sysvol
>>>>>>            read only = No
>>>>>> root at dc01:~# cat /etc/nsswitch.conf
>>>>>> # /etc/nsswitch.conf
>>>>>> #
>>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>> passwd:         compat winbind
>>>>>> group:          compat winbind
>>>>>> shadow:         compat
>>>>>>
>>>>>> hosts:          files dns wins
>>>>>> networks:       files
>>>>>>
>>>>>> protocols:      db files
>>>>>> services:       db files
>>>>>> ethers:         db files
>>>>>> rpc:            db files
>>>>>>
>>>>>> netgroup:       nis
>>>>>> root at dc01:~# wbinfo -g
>>>>>> Enterprise Read-Only Domain Controllers
>>>>>> Domain Admins
>>>>>> Domain Users
>>>>>> Domain Guests
>>>>>> Domain Computers
>>>>>> Domain Controllers
>>>>>> Schema Admins
>>>>>> Enterprise Admins
>>>>>> Group Policy Creator Owners
>>>>>> Read-Only Domain Controllers
>>>>>> DnsUpdateProxy
>>>>>> Operations
>>>>>> AV
>>>>>> Graphics
>>>>>> WAFA
>>>>>> Finance
>>>>>> Logos
>>>>>> Streaming
>>>>>> root at dc01:~# cat /etc/krb5.conf
>>>>>> [libdefaults]
>>>>>>            default_realm = KIGM.LOCAL
>>>>>>            dns_lookup_realm = false
>>>>>>            dns_lookup_kdc = true
>>>>>>
>>>>>> Thanks for the help. What about my suggestion to perform a normal
>>>>>> install per the book and then move everything in /samba/var/lib to the
>>>>>> correct location? Would that not work? I agree with you that this issue
>>>>>> is caused by the odd install location.
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>
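
The path comparison suggested in the quoted thread ("just compare them with your local installed"), as an added example that is not part of any message here and not Samba project code: it pairs the `Paths:` entries of the self-compiled `/samba` build with those of the Debian backports build, both abridged from the `samba -b` output quoted above. The function names `paths_of`, `path_map` and `data_map` are hypothetical.

```shell
# Added example: pair up the "Paths:" entries of two `samba -b` listings.
# Both listings are abridged copies of the output quoted in this thread.
OLD_BUILD='Paths:
   BINDIR: /samba/bin
   SBINDIR: /samba/sbin
   CONFIGFILE: /samba/etc/smb.conf
   NCALRPCDIR: /samba/var/run/ncalrpc
   LOGFILEBASE: /samba/var
   STATEDIR: /samba/var/locks
   CACHEDIR: /samba/var/cache
   PRIVATE_DIR: /samba/private'

NEW_BUILD='Paths:
   SBINDIR: /usr/sbin
   BINDIR: /usr/bin
   CONFIGFILE: /etc/samba/smb.conf
   LOGFILEBASE: /var/log/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private'

# paths_of LISTING: print "KEY PATH" for each entry in the Paths: section.
paths_of() {
    printf '%s\n' "$1" | awk '
        /^Paths:/  { in_paths = 1; next }
        /^[^ \t]/  { in_paths = 0 }   # the next unindented header ends the section
        in_paths && /^[ \t]+[A-Z_]+:[ \t]/ { key = $1; sub(/:$/, "", key); print key, $2 }'
}

# path_map OLD NEW: "KEY old -> new"; keys missing from NEW are flagged.
path_map() {
    { paths_of "$2" | sed 's/^/N /'; paths_of "$1" | sed 's/^/O /'; } | awk '
        $1 == "N" { new[$2] = $3; next }
        $1 == "O" { print $2, $3, "->", (($2 in new) ? new[$2] : "(no counterpart)") }'
}

# data_map OLD NEW: only the entries that hold configuration and databases.
data_map() {
    path_map "$1" "$2" | grep -E '^(CONFIGFILE|STATEDIR|PRIVATE_DIR) '
}

data_map "$OLD_BUILD" "$NEW_BUILD"
```

On a live system the two variables would be filled from `samba -b` run with each build's binary; the old build's STATEDIR, `/samba/var/locks`, is the directory that contains the `sysvol` path in the quoted smb.conf.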


