[Samba] Domain Member server - Domain users don't get access
steve at steve-ss.com
Wed Feb 12 18:19:38 MST 2014
On Wed, 2014-02-12 at 14:12 -0800, Shane Robinson wrote:
> I'll answer in line below (sorry about the top-posting, I blame outlook)
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of steve
> Sent: Wednesday, February 12, 2014 12:10 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member server - Domain users don't get access
> On Tue, 2014-02-11 at 16:15 -0800, Shane Robinson wrote:
> >> Hello list!
> >> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu
> >> Precise KVM guest. It seems to be running well. Recent list posts have
> >> led me to set up a second instance of samba/ubuntu as a file server.
> >> Like the domain controller, Samba was built from git, but then it was
> >> configured using the "Samba/Domain Member" wiki. I added the sfu
> >> attributes to a few users/groups using ADUC, but I don't see that
> >> mentioned as a requirement (Is it a requirement?).
> >If you want getent to work, you don't _have_ to add the sfu stuff.
> >uidNumber and gidNumber are sufficient.
> >> My domain name is internal.simpeq.ca, the DC's name is Samba2, and the
> >> new file server's name is FS2. I start the services with a script that
> >> runs winbindd, then smbd, then nmbd, in that order.
> >> Wbinfo -u and wbinfo -g work well, enumerating all domain users and
> >> Kinit works.
> >> $ getent passwd INTERNAL\\administrator
> >> AND
> >> getent group INTERNAL\\hrall
> >> . give nothing.
> >> An strace of getent revealed that /lib64 was never queried for
> >> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
> >> libnss_winbind.so to that folder.
> >> (Is this incorrect, or shall I update the Wiki with this information
> >> for Ubuntu users?)
> >> am
> >The wiki is for 32 bit non-Debian distros only.
> >How did you join FS2?
> >Could you post:
> >The content of its keytab
> >The DN of INTERNAL\administrator
> Thanks for the reply Steve (et al)!
> First, if the uidNumber and ridNumber are required, I'll add that as a note
> to the wiki, once my account is active. Is it as simple as adding them in
If you can see a Unix tab for the user then yes. Otherwise you can use
ldbedit or ldbmodify on the DC itself. Either method works fine, the
former implies you provisioned with rfc2307, but as we're not m$, we are
under no obligation to do so.
> Can you leave the default numbers in? For example, my administrator
> account has a uidNumber of 10002 and a gidNumber of 10004, as they were the
> defaults in ADUC.
Yeah. No reason to change.
> Second, the wiki makes no mention of being "32-bit non-debian". There is a
> section on linking the libnss_winbind.so in 64bit systems, but it only asks
> the user to link to /lib64, which doesn't appear to be correct for the
> ubuntu situation. If my suggestion is correct, I will add this to the wiki
> as well.
No, you have to know. The author of the wiki uses Red Hat. It would be
good if you could 'debian- and 64bit- ify' it.
> The join was as follows: (did it again to be sure)
> shane at FS2:/usr/local/samba$ sudo ./bin/net ads join -UAdministrator
> Enter Administrator's password:
> Using short domain name -- INTERNAL
> Joined 'FS2' to dns domain 'internal.simpeq.ca'
> No DNS domain configured for fs2. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
OK. The DC doesn't know the fqdn of the client. On Linux, we add it to
the localhost line in /etc/hosts before we join. Unjoin, do the aix
equivalent and rejoin. It will then register in DNS.
> The distinguishedName of Administrator (from ADSI) is:
> As to the keytab file:
> shane at FS2:/usr/local/samba$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
No, no. It's a keytab:
If you don't have one:
./bin/net ads keytab create -UAdministrator
and add the line:
kerberos method = system keytab
to the global section of your smb.conf
> And here's the part of the show where I explain that this is my first and
> only foray into anything Active Directory (LDAP, Kerberos, DNS etc).
> There was no mention whatsoever of a keytab file on the wiki, so I didn't do
> anything about it. Should one have been created/retrieved/found/pulled out
> of my... ? If so, what is the procedure for doing so? I'd love to be able to
> make that wiki as complete as possible.
With Kerberos, both the user and the machine must authenticate. The
method above will create the machine key. Users themselves normally have
to supply a password to get access to their keys although if you use
some users frequently e.g. to mount cifs shares, then you can stick
their keys in the keytab too.
> Thank you very much!
No probs. Hope this gets you a little closer.
More information about the samba