[Samba] Samba 4 problems
Brett Wynkoop
wynkoop+samba at wynn.com
Thu Dec 18 10:10:18 MST 2014
Greeting-
It has been years since I last set up a Samba server. The last one I
did was a 2.x version!
For the last two weeks I have been fighting with 2 issues with a samba
4 server I have set up for testing.
. Encrypted transport seems to not work for me
. Unix user smith and Samba user smith seem to have different UID
numbers when files are created.
At the moment the second issue is the most vexing, but if I do not
solve the first issue as well the project I am testing this for will
need to be implemented using some other technology.
Here is my current smb4.conf file:
# Global parameters
[global]
workgroup = EXAMPLE
kerberos method = secrets and keytab
local master = yes
netbios name = HOSTNAME
log level = 4
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, winreg, srvsvc
realm = EXAMPLE.COM
os level = 20
username map = /var/db/samba4/private/users.map
client max protocol = SMB3
# server min protocol = SMB3
hide dot files = no
winbind trusted domains only = yes
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, smb
winbind use default domain = yes
dns forwarder = 192.168.1.1
domain logons = yes
smb encrypt = yes
security = user
encrypt passwords = yes
preferred master = yes
#
# I have tried with and without the line below
#
#idmap_ldb:use rfc2307 = yes
wins support = true
server role = active directory domain controller
[netlogon]
path = /var/db/samba4/sysvol/example.com/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
[archive]
writeable = yes
browseable = yes
valid users = smith
write list = smith, @wheel
path = /archive
comment = /archive
revalidate = yes
# vfs objects = zfsacl
# nfs4:mode = special
# nfs4:chown = yes
# zfsacl:acesort = dontcare
The user was first created as a Unix user with a UID of 50 (historical
reasons for the low uid). Then the user was added to samba using
smbpasswd.
It should be noted that all the kerberos bits seem to be working as
doing a kinit then running smbclient -k //server/share yields a
connection, but of course with the UID different from the UID of the
same user at the unix shell level.
Also unless I am using the kerberized smbclient it seems that all
traffic is passed unencrypted according to my TCPDUMP tests. Tested
clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes
with smbclient forced to V3. I probably will not move on to testing
with a windows client if I can not solve the UID mismatch issue.
Any ideas? I have been searching the net for some time with no joy.
Thanks.
-Brett
--
wynkoop at wynn.com http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000
A free people ought to be armed. - George Washington
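
A way to make the tcpdump check described in the post precise, as an added example that is not part of the original message: every SMB message on TCP port 445 begins with a 4-byte protocol ID, and SMB3-encrypted messages carry `\xfdSMB` (the transform header) where cleartext SMB2/3 messages carry `\xfeSMB`. The function names and sample byte streams are constructed for illustration, and the input is assumed to be one direction of a reassembled TCP stream.

```python
# Added example: classify SMB messages in a captured TCP/445 byte stream.
# All names and sample bytes below are constructed for illustration.

PROTOCOL_IDS = {
    b"\xffSMB": "smb1-cleartext",
    b"\xfeSMB": "smb2/3-cleartext",  # plain SMB2 header (signed or not)
    b"\xfdSMB": "smb3-encrypted",    # SMB2 transform header: payload is encrypted
}

def frame(body: bytes) -> bytes:
    """Direct TCP framing: a zero byte, then a 3-byte big-endian length."""
    return b"\x00" + len(body).to_bytes(3, "big") + body

def classify_stream(data: bytes) -> list:
    """Label every SMB message in one direction of a reassembled stream."""
    labels, offset = [], 0
    while offset + 4 <= len(data):
        if data[offset] != 0:
            labels.append("not-smb-framing")
            break
        length = int.from_bytes(data[offset + 1:offset + 4], "big")
        body = data[offset + 4:offset + 4 + length]
        if length < 4 or len(body) < length:
            labels.append("truncated")
            break
        labels.append(PROTOCOL_IDS.get(body[:4], "unknown"))
        offset += 4 + length
    return labels

def verdict(labels: list) -> str:
    """The initial negotiate/session setup is cleartext, so judge what follows."""
    if "smb3-encrypted" not in labels:
        return "no encrypted messages"
    after = labels[labels.index("smb3-encrypted"):]
    if all(label == "smb3-encrypted" for label in after):
        return "encrypted after session setup"
    return "mixed cleartext and encrypted"

# Constructed streams: header magic plus filler, not real captures.
ENCRYPTED_SAMPLE = b"".join(frame(magic + b"\x00" * 60) for magic in
                            (b"\xfeSMB", b"\xfeSMB", b"\xfdSMB", b"\xfdSMB"))
PLAIN_SAMPLE = b"".join(frame(b"\xfeSMB" + b"\x00" * 60) for _ in range(3))

if __name__ == "__main__":
    for name, sample in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, verdict(classify_stream(sample)))
```

A "mixed" verdict after session setup means some requests still travel in cleartext, which is what a share-level rather than session-level encryption setting would produce.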