[Samba] Domain Member server - Domain users don't get access

Shane Robinson srobinson at simpeq.ca
Wed Feb 12 15:12:11 MST 2014

I'll answer inline below (sorry about the top-posting, I blame Outlook)

Shane Robinson
Chief Administrative Officer
SimpeQ Care
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of steve
Sent: Wednesday, February 12, 2014 12:10 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Domain Member server - Domain users don't get access

On Tue, 2014-02-11 at 16:15 -0800, Shane Robinson wrote:
>> Hello list!
>> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu 
>> Precise KVM guest. It seems to be running well. Recent list posts have 
>> led me to set up a second instance of samba/ubuntu as a file server. 
>> Like the domain controller, Samba was built from git, but then it was 
>> configured using the "Samba/Domain Member" wiki. I added the sfu 
>> attributes to a few users/groups using ADUC, but I don't see that 
>> mentioned as a requirement (Is it a requirement?).
>If you want getent to work, you don't _have_ to add the sfu stuff.
>uidNumber and gidNumber are sufficient.
>> My domain name is internal.simpeq.ca, the DC's name is Samba2, and the 
>> new file server's name is FS2. I start the services with a script that 
>> runs winbindd, then smbd, then nmbd, in that order.

>> wbinfo -u and wbinfo -g work well, enumerating all domain users and
>> kinit works.
>> $ getent passwd INTERNAL\\administrator
>> AND
>> getent group INTERNAL\\hrall
>> ... give nothing.
>> An strace of getent revealed that /lib64 was never queried for 
>> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked 
>> libnss_winbind.so to that folder.
>> (Is this incorrect, or shall I update the Wiki with this information 
>> for Ubuntu users?)
>> am
>The wiki is for 32 bit non-Debian distros only.

>How did you join FS2?
>Could you post:
>The content of its keytab
>The DN of INTERNAL\administrator


Thanks for the reply Steve (et al)!

First, if the uidNumber and gidNumber are required, I'll add that as a note
to the wiki, once my account is active. Is it as simple as adding them in
ADUC? Can you leave the default numbers in? For example, my administrator
account has a uidNumber of 10002 and a gidNumber of 10004, as they were the
defaults in ADUC.

Second, the wiki makes no mention of being "32-bit non-Debian". There is a
section on linking the libnss_winbind.so in 64-bit systems, but it only asks
the user to link to /lib64, which doesn't appear to be correct for the
Ubuntu situation. If my suggestion is correct, I will add this to the wiki
as well.

The join was as follows: (did it again to be sure)

shane@FS2:/usr/local/samba$ sudo ./bin/net ads join -UAdministrator
Enter Administrator's password:
Using short domain name -- INTERNAL
Joined 'FS2' to dns domain 'internal.simpeq.ca'
No DNS domain configured for fs2. Unable to perform DNS Update.

The distinguishedName of Administrator (from ADSI) is:

As to the keytab file:

shane@FS2:/usr/local/samba$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)

And here's the part of the show where I explain that this is my first and
only foray into anything Active Directory (LDAP, Kerberos, DNS etc).

There was no mention whatsoever of a keytab file on the wiki, so I didn't do
anything about it. Should one have been created/retrieved/found/pulled out
of my... ? If so, what is the procedure for doing so? I'd love to be able to
make that wiki as complete as possible.

Thank you very much! 
