[Samba] Member Server Setup Assistance
James
lingpanda101 at gmail.com
Wed Dec 31 17:07:48 MST 2014
Hi Rowland,
     I forgot to tell you the results were from my Domain Controller and
not the member server. Member server returned something to the effect of
'user not found'. I am only starting the 3 services (smbd, nmbd and
winbindd) listed in the wiki. Should I be starting Samba with command
line switches to start as a member server? Is that even possible?
     Thanks for your smb.conf. I will attempt again using your smb.conf
as a template and try again.
On 12/31/2014 2:20 PM, Rowland Penny wrote:
> On 31/12/14 19:07, James wrote:
>> Rowland,
>>
>> I decided to start over with a fresh install and attempted again.
>> Only change I made was to start my mappings at 10000. I gave 'Domain
>> Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>
>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Test User
>> sn: User
>> givenName: Test
>> instanceType: 4
>> whenCreated: 20141231172021.0Z
>> displayName: Test User
>> uSNCreated: 477557
>> name: Test User
>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>> userAccountControl: 66048
>> codePage: 0
>> countryCode: 0
>> pwdLastSet: 130645200220000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>> accountExpires: 9223372036854775807
>> sAMAccountName: tuser
>> sAMAccountType: 805306368
>> userPrincipalName: tuser@domain.local
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>> unixUserPassword: ABCD!efgh12345$67890
>> uid: tuser
>> msSFU30Name: tuser
>> msSFU30NisDomain: domain
>> uidNumber: 10001
>> loginShell: /bin/sh
>> unixHomeDirectory: /home/tuser
>> gidNumber: 10000
>> whenChanged: 20141231185807.0Z
>> uSNChanged: 477620
>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>
>>
>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>> On 31/12/14 18:28, James wrote:
>>>> Hi Rowland,
>>>>
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>>
>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>
>>>>
>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>> On 31/12/14 17:55, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I did. Unfortunately something is still amiss. I do receive a
>>>>>> response from 'getent group domain users' (users:x:100).
>>>>>>
>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I set a user with a uid and domain users group with a gid
>>>>>>>> but I'm still unable to view them using 'id'. I do notice a few
>>>>>>>> strange observations. If I go to another user to attempt to
>>>>>>>> assign a uid, I get the default value of 10000. I would expect
>>>>>>>> 2001 given I set the first user with uid 2000. Groups however
>>>>>>>> appear to increment.
>>>>>>>>
>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>> Hello Stefan,
>>>>>>>>>>
>>>>>>>>>> I learned the hard way about .local. I understand going
>>>>>>>>>> forward.
>>>>>>>>>>
>>>>>>>>>> I do have an issue with the member server. Following along
>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind user/group
>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>
>>>>>>>>>> # id DomainUser
>>>>>>>>>>
>>>>>>>>>> # getent passwd
>>>>>>>>>>
>>>>>>>>>> # getent group
>>>>>>>>>>
>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>
>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>
>>>>>>>>>> etc.
>>>>>>>>>>
>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>> retrieve local machine users. Let me preface by saying this
>>>>>>>>>> is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>> Hello James,
>>>>>>>>>>>
>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member
>>>>>>>>>>>> Server)
>>>>>>>>>>>> and I have a question after reading the 'Set up a basic
>>>>>>>>>>>> smb.conf'
>>>>>>>>>>>> section.
>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>
>>>>>>>>>>>> Do I need to extend the schema in order for my member
>>>>>>>>>>>> server to
>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>
>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new
>>>>>>>>>>> member server
>>>>>>>>>>> Stefan
>>>>>>>>>>>
>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>> Landweg 13
>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign
>>>>>>>>>>> your e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>
>>>>>>>>>>> My key is located at
>>>>>>>>>>>
>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend.
>>>>>>>>> For this to work, you need to add 'uidNumber' attributes to
>>>>>>>>> your users and a 'gidNumber' attribute to at least the Domain
>>>>>>>>> Users group. The numbers that you add must be between the
>>>>>>>>> range you set in your smb.conf, again if you followed the
>>>>>>>>> wiki, this will be between 500-40000.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>> You have restarted samba, haven't you ?
>>>>>>> You may have to wait a short time, or clear the cache with 'net
>>>>>>> cache flush'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>
>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>> OK, install ldb-tools if not already installed, then run:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>
>>> Post the (sanitized) result
>>>
>>> Rowland
>>>
>>
>
> OK, you added that user with ADUC (RSAT) and as such you are using the
> std windows start number 10000, which is the way I run samba. Here is
> my smb.conf from the laptop I am writing this on:
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE : schema_mode = rfc2307
> printcap name = cups
> cups options = raw
> usershare allow guests = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> Compare it with yours, I can assure you it works.
>
> Rowland
>
--
-James
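
The requirement discussed in this thread, that uidNumber and gidNumber values must fall inside the range configured for the 'ad' idmap backend, can be checked mechanically before debugging winbind itself. The following is an added example, not code from the thread or from the Samba project; the function names are hypothetical, and the sample inputs are constructed from the smb.conf and the ID values quoted above (the Domain Users DN is assumed).

```python
import re

# Constructed inputs: the idmap lines of the smb.conf quoted above, plus the
# ID attributes James reports for 'tuser' and for the Domain Users group.
SMB_CONF = """[global]
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
"""
USER_LDIF = "dn: CN=Test User,CN=Users,DC=domain,DC=local\nuidNumber: 10001\n"
GROUP_LDIF = "dn: CN=Domain Users,CN=Users,DC=domain,DC=local\ngidNumber: 10000\n"

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_domains(conf):
    """Return {domain: {'backend': ..., 'range': (low, high), ...}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = value.split("-")
            value = (int(low), int(high))
        domains.setdefault(domain, {})[key] = value
    return domains

def check_id(conf, ldif, domain, attr):
    """Return None if attr is usable by the 'ad' backend, else the problem."""
    cfg = idmap_domains(conf).get(domain, {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        return f"no 'ad' backend with a range configured for {domain}"
    attrs = dict(l.split(": ", 1) for l in ldif.splitlines() if ": " in l)
    if attr not in attrs:
        return f"{attr} is not set"
    low, high = cfg["range"]
    if not low <= int(attrs[attr]) <= high:
        return f"{attr} {attrs[attr]} is outside {low}-{high}"
    return None

if __name__ == "__main__":
    for ldif, attr in ((USER_LDIF, "uidNumber"), (GROUP_LDIF, "gidNumber")):
        print(attr, check_id(SMB_CONF, ldif, "EXAMPLE", attr) or "in range")
```

The workgroup name passed as `domain` has to match the one used in the `idmap config` lines; a mismatch is reported as a missing 'ad' backend rather than as an out-of-range ID.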