[Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain

Daniel Müller mueller at tropenklinik.de
Wed Jul 23 00:16:45 MDT 2014


I did manage this with ADUC Unix-Attr. Set the range accordingly, no chance to
see anything.
Id TPLK\administrator gives nothing:
There is no such user!??
Things that were running with samba 3.6 on the fly?



IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de




-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Rowland Penny
Sent: Tuesday, 22 July 2014 16:27
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS
Domain

On 22/07/14 15:17, Daniel Müller wrote:
> Now I did this smb.conf:
>
> [global]
>          workgroup = TPLK
>          realm = TPLK.LOC
>          security = ADS
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          idmap config TPLK:range = 500-40000
>          idmap config TPLK:schema_mode = rfc2307
>          idmap config TPLK:backend = ad
>          idmap config *:range = 70001-80000
>          idmap config * : backend = tdb
>
> and after joining:
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- TPLK
> Joined 'CENTCLUST1' to dns domain 'tplk.loc'
>
>   when I start manually smbd then nmbd and winbindd by hand it results in:
>
>
> STATUS=daemon 'smbd' finished starting up and ready to serve 
> connectionsUnable to connect to CUPS server localhost:631 - 
> Verbindungsaufbau abgelehnt
> Jul 22 16:13:01 centclust1 smbd[4364]:   STATUS=daemon 'smbd' finished
> starting up and ready to serve connectionsfailed to retrieve printer list:
> NT_STATUS_UNSUCCESSFUL
> Jul 22 16:13:09 centclust1 nmbd[4369]: [2014/07/22 16:13:09.366916,  
> 0]
> ../source3/nmbd/nmbd.c:945(main)
> Jul 22 16:13:09 centclust1 nmbd[4369]:   standard input is not a socket,
> assuming -D option
> Jul 22 16:13:09 centclust1 nmbd[4370]: [2014/07/22 16:13:09.370087,  
> 0]
> ../lib/util/become_daemon.c:136(daemon_ready)
> Jul 22 16:13:21 centclust1 winbindd[4425]: [2014/07/22 
> 16:13:21.183036,  0]
> ../source3/winbindd/winbindd_cache.c:3196(initialize_winbindd_cache)
> Jul 22 16:13:21 centclust1 winbindd[4425]:   initialize_winbindd_cache:
> clearing cache and re-creating with version number 2 Jul 22 16:13:21 
> centclust1 winbindd[4425]: [2014/07/22 16:13:21.185657,  0]
> ../lib/util/become_daemon.c:136(daemon_ready)
> Jul 22 16:13:33 centclust1 nmbd[4370]:   STATUS=daemon 'nmbd' finished
> starting up and ready to serve connections*****
>
> And wbinfo -u:
>
> [root at centclust1 sbin]# wbinfo -u
> fcbraun
> reiser
> stoyanopoulos
> fischerkeller
> michaletz-stolz
> drumm
> schlotterbeck
> hahn
> droessler
> schaeffer
> zanzinger
> rueda
> walker...
>
>
> And wbinfo -g
>
> wbinfo -g
> allowed rodc password replication group enterprise read-only domain 
> controllers denied rodc password replication group read-only domain 
> controllers group policy creator owners ras and ias servers 
> terminalserver user patientenverwaltung domain controllers..-
>
>
> getent passwd and group leaves me with local users and groups no ads 
> stuff!!!

Have you given your users a uidNumber and Domain Users a gidNumber?

Without these, getent will not show any domain users (the numbers you give
your users must be inside the range you have set in smb.conf).

Even with Domain Users having a gidNumber, getent group will not display
anything, you must use 'getent group Domain\ Users'. The cure, I am led to
believe, is to give all your domain groups a gidNumber.

Rowland
>
>
>
>
> When I set this property in my smb.conf [global]
>
> server services = +smb, +winbind
> It does not start up with this error:
>
> Jul 22 16:09:25 centclust1 samba[3323]:   STATUS=daemon 'samba' finished
> starting up and ready to serve
>   connectionssamba_terminate: Cannot start Winbind (domainmember):
> Failed to find record for TPLK in /usr/local/samba/private/secrets.ldb:
>   No such object: (null): Have you joined the TPLK domain?
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Tuesday, 22 July 2014 15:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS
> Domain
>
> On 22/07/14 14:03, Daniel Müller wrote:
>> Dear all,
>>
>> I try to set up a samba 4 member server on centos 6.5. The wikis and
>> howtos I have found are very confusing.
>> Which is the right way to do this. So winbind can map the domain 
>> users and groups.
>> What I have done yet is,
>> Set up Kerberos working and can contact my ADS-kerberos Servers:
>>     klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator at TPLK.LOC
>>
>> Valid starting     Expires            Service principal
>> 07/22/14 12:34:21  07/22/14 22:34:21  krbtgt/TPLK.LOC at TPLK.LOC
>>           renew until 07/29/14 12:34:18
>>
>> Installed samba4.1.9 from gz without any provision.
>> Set winbind right : ldconfig -v |grep winbind
>> ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-431.20.3.el6.x86_64.conf:6:
>> duplicate hwcap 1 nosegneg
>>           libnss_winbind.so -> libnss_winbind.so.2
>>           libnss_winbind.so -> libnss_winbind.so.2
>>
>> set /etc/nsswitch.conf
>> to:
>> passwd:     files winbind
>> shadow:     files
>> group:      files  winbind
>>
>> hosts:      files dns
>>
>> Do I have to provision the samba4 server in any way to establish a 
>> /usr/local/samba/etc/smb.conf?
> No, you do not provision.
>
>> Or do I make smb.conf by hand?
> Yes, you will have to create your smb.conf, this is usually where the 
> problems start, easiest way is to use RFC2307 attributes and the ad 
> backend, but you could use the rid backend or some other backend that 
> virtually few people use.
>
>> Do I have to start winbind in server protocols in [global]!?
> winbind is a daemon just like smbd, so you need to start it just like
> smbd, but I think that you mean 'do I have to add winbind lines to the 
> global part of smb.conf', if so, then yes if you want to use winbind.
>
>> What is the way to join right to the samba4 ads domain?
> I normally just use the 'net' command:
>
> net ads join -U Administrator at EXAMPLE.COM
>
> Rowland
>
>> Greetings
>> Daniel
>>
>>
>>

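An added example, not part of the original thread: a small Python check of the point Rowland makes above, that getent only shows a domain user or group through the `ad` backend when its uidNumber/gidNumber is set and lies inside the `idmap config TPLK:range`. The smb.conf lines are the ones quoted in the thread; the ID numbers in the sample entries are constructed, and the function names are hypothetical.

```python
import re

# idmap lines as quoted in the thread's smb.conf.
SMB_CONF = """
[global]
    idmap config TPLK:range = 500-40000
    idmap config TPLK:schema_mode = rfc2307
    idmap config TPLK:backend = ad
    idmap config *:range = 70001-80000
    idmap config * : backend = tdb
"""

# Constructed sample entries: (name, attribute, value in AD or None if unset).
# Names appear in the thread; the numbers are invented for illustration.
ENTRIES = [
    ("fcbraun", "uidNumber", 10001),
    ("reiser", "uidNumber", None),
    ("hahn", "uidNumber", 450),
    ("Domain Users", "gidNumber", 10000),
    ("domain controllers", "gidNumber", None),
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(domains, domain):
    """Return the (low, high) ID range configured for a domain."""
    low, high = domains[domain.upper()]["range"].split("-")
    return int(low), int(high)

def ranges_overlap(a, b):
    """Overlapping ranges let two identities map to the same Unix ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def audit(entries, low, high):
    """Map each entry name to 'ok', 'missing' or 'out-of-range'."""
    result = {}
    for name, _attr, num in entries:
        if num is None:
            result[name] = "missing"          # attribute never set in AD
        else:
            result[name] = "ok" if low <= num <= high else "out-of-range"
    return result

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    dom, default = id_range(conf, "TPLK"), id_range(conf, "*")
    print("ranges overlap:", ranges_overlap(dom, default))
    for name, status in audit(ENTRIES, *dom).items():
        print(f"{name}: {status}")
```

Entries reported as `missing` or `out-of-range` are the ones that `wbinfo -u` or `wbinfo -g` can list while getent still does not show them.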