[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 31 12:20:42 MST 2014


On 31/12/14 19:07, James wrote:
> Rowland,
>
>     I decided to start over with a fresh install and attempted again. 
> Only change I made was to start my mappings at 10000. I gave 'Domain 
> Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>
>  dn: CN=Test User,CN=Users,DC=domain,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Test User
> sn: User
> givenName: Test
> instanceType: 4
> whenCreated: 20141231172021.0Z
> displayName: Test User
> uSNCreated: 477557
> name: Test User
> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
> userAccountControl: 66048
> codePage: 0
> countryCode: 0
> pwdLastSet: 130645200220000000
> primaryGroupID: 513
> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
> accountExpires: 9223372036854775807
> sAMAccountName: tuser
> sAMAccountType: 805306368
> userPrincipalName: tuser at domain.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
> unixUserPassword: ABCD!efgh12345$67890
> uid: tuser
> msSFU30Name: tuser
> msSFU30NisDomain: domain
> uidNumber: 10001
> loginShell: /bin/sh
> unixHomeDirectory: /home/tuser
> gidNumber: 10000
> whenChanged: 20141231185807.0Z
> uSNChanged: 477620
> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>
>
> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>> On 31/12/14 18:28, James wrote:
>>> Hi Rowland,
>>>
>>>     passwd:         compat winbind
>>>     group:            compat winbind
>>>
>>> 'getent passwd tuser' results in a blank terminal line.
>>>
>>>
>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>> On 31/12/14 17:55, James wrote:
>>>>> Hi Rowland,
>>>>>
>>>>>     I did. Unfortunately something is still amiss. I do receive a 
>>>>> response from 'getent group domain users'(users:x:100).
>>>>>
>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>>     I set a user with a uid and domain users group with a gid 
>>>>>>> but I'm still unable to view them using 'id'. I do notice a few 
>>>>>>> strange observations. If I go to another user to attempt to 
>>>>>>> assign a uid. I get the default value of 10000. I would expect 
>>>>>>> 2001 given I set the first user with uid 2000. Groups however 
>>>>>>> appear to increment.
>>>>>>>
>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>> Hello Stefan,
>>>>>>>>>
>>>>>>>>>     I learned the hard way about .local. I understand going 
>>>>>>>>> forward.
>>>>>>>>>
>>>>>>>>> I do have an issue with the member server. Following along 
>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind user/group 
>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>
>>>>>>>>> # id DomainUser
>>>>>>>>>
>>>>>>>>> # getent passwd
>>>>>>>>>
>>>>>>>>> # getent group
>>>>>>>>>
>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>
>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>
>>>>>>>>> etc.
>>>>>>>>>
>>>>>>>>> I receive 'id: sambauser: No such user'. It will only retrieve 
>>>>>>>>> local machine users. Let me preface by saying this is a Ubuntu 
>>>>>>>>> 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>
>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>
>>>>>>>>>> Hello James,
>>>>>>>>>>
>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD Member 
>>>>>>>>>>> Server)
>>>>>>>>>>> and I have a question after reading the 'Set up a basic 
>>>>>>>>>>> smb.conf'
>>>>>>>>>>> section.
>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>
>>>>>>>>>>> Do I need to extend the schema in order for my member 
>>>>>>>>>>> server to
>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>> No, you don't have to.
>>>>>>>>>>
>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new 
>>>>>>>>>> member server
>>>>>>>>>> Stefan
>>>>>>>>>>
>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>> Landweg 13
>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>
>>>>>>>>>> My key is available at
>>>>>>>>>>
>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> If you followed the wiki, you will be using the 'ad' backend. 
>>>>>>>> For this to work, you need to add 'uidNumber' attributes to 
>>>>>>>> your users and a 'gidNumber' attribute to at least the Domain 
>>>>>>>> Users group. The numbers that you add must be within the range 
>>>>>>>> you set in your smb.conf; again, if you followed the wiki, this 
>>>>>>>> will be between 500-40000.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>> You have restarted samba, haven't you ?
>>>>>> You may have to wait a short time, or clear the cache with 'net 
>>>>>> cache flush'
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>
>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>
>>>> Rowland
>>>>
>>>
>> OK, install ldb-tools if not already installed, then run:
>>
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>
>> Post the (sanitized) result
>>
>> Rowland
>>
>

OK, you added that user with ADUC (RSAT) and as such you are using the 
standard Windows start number 10000, which is the way I run samba. Here is my 
smb.conf from the laptop I am writing this on:

[global]
         workgroup = EXAMPLE
         security = ADS
         realm = EXAMPLE.COM
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         server string = Samba 4 Client %h
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config EXAMPLE : backend  = ad
         idmap config EXAMPLE : range = 10000-999999
         idmap config EXAMPLE : schema_mode = rfc2307
         printcap name = cups
         cups options = raw
         usershare allow guests = yes
         domain master = no
         local master = no
         preferred master = no
         os level = 20
         map to guest = bad user
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes

Compare it with yours; I can assure you it works.

Rowland
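The thread's diagnosis comes down to two checks: the 'ad' backend only maps an account whose uidNumber/gidNumber exists in AD and falls inside the `idmap config DOMAIN : range` in smb.conf, and the `*` default range must not overlap it. The following script automates that comparison. It is an added example, not part of the thread or of Samba's own tooling; the smb.conf fragment and LDIF records it reads are constructed here (modelled on the ones posted above), and its LDIF reader is deliberately minimal (no line folding or base64 values), so on a real server you would feed it `ldbsearch`/`ldbedit` output and your own smb.conf.

```python
import re
from collections import defaultdict

# Constructed smb.conf [global] fragment modelled on the one in the thread;
# only the 'idmap config' lines matter for this check.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed LDIF records resembling the ldbedit output posted in the thread.
# 'olduser' was given a uid from the old wiki range; 'nomap' was never mapped.
SAMPLE_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000

dn: CN=Old User,CN=Users,DC=domain,DC=local
sAMAccountName: olduser
uidNumber: 2000
gidNumber: 10000

dn: CN=No Map,CN=Users,DC=domain,DC=local
sAMAccountName: nomap
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = defaultdict(dict)
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg[dom.upper()][opt.lower()] = val
    return dict(cfg)


def parse_range(value):
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def parse_ldif(ldif_text):
    """Minimal LDIF reader: one dict per blank-line-separated record."""
    records, cur = [], {}
    for line in ldif_text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def check_idmap(conf_text, ldif_text, domain):
    """Return a list of findings; an empty list means every account should map."""
    cfg = parse_idmap(conf_text)
    findings = []
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad":
        findings.append(f"{domain}: backend is {dom.get('backend')!r}, expected 'ad'")
    if "range" not in dom:
        findings.append(f"{domain}: no idmap range configured")
        return findings
    lo, hi = parse_range(dom["range"])
    # The default ('*') range is used for BUILTIN and well-known SIDs and
    # must not overlap the domain range.
    if "range" in cfg.get("*", {}):
        dlo, dhi = parse_range(cfg["*"]["range"])
        if dlo <= hi and lo <= dhi:
            findings.append(f"default range {dlo}-{dhi} overlaps {domain} range {lo}-{hi}")
    # With the 'ad' backend, accounts lacking the attribute or outside the
    # range are simply not mapped, which is what 'id: No such user' looks like.
    for rec in parse_ldif(ldif_text):
        name = rec.get("sAMAccountName", rec.get("dn", "?"))
        for attr in ("uidNumber", "gidNumber"):
            if attr not in rec:
                findings.append(f"{name}: missing {attr} (winbind will not map this account)")
                continue
            n = int(rec[attr])
            if not lo <= n <= hi:
                findings.append(f"{name}: {attr}={n} outside {domain} range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF, SAMPLE_LDIF, "EXAMPLE"):
        print(finding)
```

Run against the constructed data, it reports nothing for `tuser` (10001 and 10000 both sit inside 10000-999999), flags `olduser` for a uidNumber of 2000 that lies outside the domain range, and flags `nomap` twice for the missing attributes. Swapping the domain range for the wiki's 500-40000 instead produces the overlap finding, since the `*` range 2000-9999 then sits inside it.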


