[Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain

steve steve at steve-ss.com
Wed Jul 23 02:50:10 MDT 2014


On Wed, 2014-07-23 at 09:18 +0200, Daniel Müller wrote:
> I did update the range in my smb.conf to fit.
>  I did in my 
> /etc/nsswitch.conf
> passwd:     files winbind
> shadow:     files
> group:      files  winbind
> hosts:      files dns 
> 
> The member server is logged on my DC
> 
> smbstatus|grep centclust
> 25275     TPLK\centclust1$  TPLK\Domain Computers  192.168.135.36 (ipv4:192.168.135.36:54761)
> 
> So we have two range definitions here:
> 
> idmap config *:backend = tdb
>    idmap config *:range = 100001-990000  #<-- What about this range!???I think MemberServer
> idmap config TPLK:backend = ad
>    idmap config TPLK:schema_mode = rfc2307
>    idmap config TPLK:range = 500-99999  #<-- think this is the Domain Range!???
This is indeed the domain range. In simple terms, all it means is that
your uidNumber and gidNumber attributes that you have set for the ad
backend must fall inclusively between these limits. If they do not,
getent will return nothing for those objects in the domain. I suspect
that you have not included the posix information for your users and
groups and/or it is outside the range you have specified.

>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
> 
> Which of one to fit? 
> Wbinfo is working but I need getent to work as well. Ican not log in my Demoshare on the MemberServer!?
> smbclient //centclust1/Demoshare -Uadministrator
> Enter administrator's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>  [root at centclust1 var]# smbclient //centclust1/Demoshare -UTPLK\\administrator
> Enter TPLK\administrator's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> [root at centclust1 var]# smbclient //centclust1/Demoshare -UTPLK.LOC\\administrator
> Enter TPLK.LOC\administrator's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> Greetings
> Daniel
> 
> 
> EDV Daniel Müller
> 
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen 
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> 
> 
> 
> 
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of steve
> Sent: Wednesday, 23 July 2014 08:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
> 
> On Wed, 2014-07-23 at 08:16 +0200, Daniel Müller wrote:
> > I did manage this with ADUC Unix-Attr. Set the range accordingly, no 
> > chance to see anything.
> > id TPLK\administrator gives nothing:
> > There is no such user!??
> > Things that were running with samba 3.6 on the fly?
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> > Sent: Tuesday, 22 July 2014 16:27
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
> > 
> > On 22/07/14 15:17, Daniel Müller wrote:
> > > Now I did this smb.conf:
> > >
> > > [global]
> > >          workgroup = TPLK
> > >          realm = TPLK.LOC
> > >          security = ADS
> > >          winbind enum users = Yes
> > >          winbind enum groups = Yes
> > >          winbind use default domain = Yes
> > >          winbind nss info = rfc2307
> > >          idmap config TPLK:range = 500-40000
> **_____________________________________^^^^^^^^^
> 
> If as Rowland has suggested and you have added a minimum of uidNumber to your users && you have winbind specified for nss, then I can only think that the uidNumbers you have added are not within the range you have set.
> Cheers,
> Steve
> 
> > >          idmap config TPLK:schema_mode = rfc2307
> > >          idmap config TPLK:backend = ad
> > >          idmap config *:range = 70001-80000
> > >          idmap config * : backend = tdb
> > >
> > > and after joining:
> > > net ads join -U administrator
> > > Enter administrator's password:
> > > Using short domain name -- TPLK
> > > Joined 'CENTCLUST1' to dns domain 'tplk.loc'
> > >
> > >   when I start manually smbd then nmbd and winbindd by hand it results in:
> > >
> > >
> > > STATUS=daemon 'smbd' finished starting up and ready to serve 
> > > connectionsUnable to connect to CUPS server localhost:631 - 
> > > Verbindungsaufbau abgelehnt
> > > Jul 22 16:13:01 centclust1 smbd[4364]:   STATUS=daemon 'smbd' finished
> > > starting up and ready to serve connectionsfailed to retrieve printer list:
> > > NT_STATUS_UNSUCCESSFUL
> > > Jul 22 16:13:09 centclust1 nmbd[4369]: [2014/07/22 16:13:09.366916, 
> > > 0]
> > > ../source3/nmbd/nmbd.c:945(main)
> > > Jul 22 16:13:09 centclust1 nmbd[4369]:   standard input is not a socket,
> > > assuming -D option
> > > Jul 22 16:13:09 centclust1 nmbd[4370]: [2014/07/22 16:13:09.370087, 
> > > 0]
> > > ../lib/util/become_daemon.c:136(daemon_ready)
> > > Jul 22 16:13:21 centclust1 winbindd[4425]: [2014/07/22 
> > > 16:13:21.183036,  0]
> > > ../source3/winbindd/winbindd_cache.c:3196(initialize_winbindd_cache)
> > > Jul 22 16:13:21 centclust1 winbindd[4425]:   initialize_winbindd_cache:
> > > clearing cache and re-creating with version number 2 Jul 22 16:13:21
> > > centclust1 winbindd[4425]: [2014/07/22 16:13:21.185657,  0]
> > > ../lib/util/become_daemon.c:136(daemon_ready)
> > > Jul 22 16:13:33 centclust1 nmbd[4370]:   STATUS=daemon 'nmbd' finished
> > > starting up and ready to serve connections*****
> > >
> > > And wbinfo -u:
> > >
> > > [root at centclust1 sbin]# wbinfo -u
> > > fcbraun
> > > reiser
> > > stoyanopoulos
> > > fischerkeller
> > > michaletz-stolz
> > > drumm
> > > schlotterbeck
> > > hahn
> > > droessler
> > > schaeffer
> > > zanzinger
> > > rueda
> > > walker...
> > >
> > >
> > > And wbinfo -g
> > >
> > > wbinfo -g
> > > allowed rodc password replication group enterprise read-only domain 
> > > controllers denied rodc password replication group read-only domain 
> > > controllers group policy creator owners ras and ias servers 
> > > terminalserver user patientenverwaltung domain controllers..-
> > >
> > >
> > > getent passwd and group leaves me with local users and groups no ads 
> > > stuff!!!
> > 
> > Have you given your users a uidNumber and Domain Users a gidNumber ?
> > 
> > Without these, getent will not show any domain users (the numbers you 
> > give your users must be inside the range you have set in smb.conf)
> > 
> > Even with Domain Users having a gidNumber, getent group will not 
> > display anything, you must use 'getent group Domain\ Users'. The cure, 
> > I am led to believe, is to give all your domain groups a gidNumber.
> > 
> > Rowland
> > >
> > >
> > >
> > >
> > > When I set this properties in my smb.conf [global]
> > >
> > > server services = +smb, +winbind
> > > It does not start up with this error:
> > >
> > > Jul 22 16:09:25 centclust1 samba[3323]:   STATUS=daemon 'samba' finished
> > > starting up and ready to serve
> > >   connectionssamba_terminate: Cannot start Winbind (domainmember):
> > > Failed to find record for TPLK in /usr/local/samba/private/secrets.ldb:
> > >   No such object: (null): Have you joined the TPLK domain?
> > >
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> > > Sent: Tuesday, 22 July 2014 15:20
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Samba 4.1.9 member server config in a samba 4 ADS Domain
> > >
> > > On 22/07/14 14:03, Daniel Müller wrote:
> > >> Dear all,
> > >>
> > >> I try to setup a samba 4 member server on centos 6.5. The wikis and 
> > >> howtos I have found are very confusing.
> > >> Which is the right way to do this. So winbind can map the domain 
> > >> users and groups.
> > >> What I have done yet is,
> > >> Set up Kerberos working and can contact my ADS-kerberos Servers:
> > >>     klist
> > >> Ticket cache: FILE:/tmp/krb5cc_0
> > >> Default principal: Administrator at TPLK.LOC
> > >>
> > >> Valid starting     Expires            Service principal
> > >> 07/22/14 12:34:21  07/22/14 22:34:21  krbtgt/TPLK.LOC at TPLK.LOC
> > >>           renew until 07/29/14 12:34:18
> > >>
> > >> Installed samba4.1.9 from gz without any provision.
> > >> Set winbind right : ldconfig -v |grep winbind
> > >> ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-431.20.3.el6.x86_64.conf:6:
> > >> duplicate hwcap 1 nosegneg
> > >>           libnss_winbind.so -> libnss_winbind.so.2
> > >>           libnss_winbind.so -> libnss_winbind.so.2
> > >>
> > >> set /etc/nsswitch.conf
> > >> to:
> > >> passwd:     files winbind
> > >> shadow:     files
> > >> group:      files  winbind
> > >>
> > >> hosts:      files dns
> > >>
> > >> Do I have to provision the samba4 server in any way to establish a 
> > >> /usr/local/samba/etc/smb.conf?
> > > No, you do not provision.
> > >
> > >> Or do I make smb.conf by hand?
> > > Yes, you will have to create your smb.conf, this is usually where the 
> > > problems start, easiest way is to use RFC2307 attributes and the ad 
> > > backend, but you could use the rid backend or some other backend that 
> > > virtually few people use.
> > >
> > >> Do I have to start winbind in server protocols in [global]!?
> > > winbind is a daemon just like smbd, so you need to start it just like 
> > > smbd, but I think that you mean 'do I have to add winbind lines to the 
> > > global part of smb.conf', if so, then yes if you want to use winbind.
> > >
> > >> What is the way to join right to the samba4 ads domain?
> > > I normally just use the 'net' command:
> > >
> > > net ads join -U Administrator at EXAMPLE.COM
> > >
> > > Rowland
> > >
> > >> Greetings
> > >> Daniel
> > >>
> > >>
> > >>
> > >>
> > >>    
> > >>
> > >>
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > 
> > 
> 
> 
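The range rule Steve and Rowland describe can be checked before restarting winbind. The following is an added example, not code from the thread or from Samba: it parses the `idmap config X:range` lines out of smb.conf text, reports overlapping ranges (Samba requires the `*` range and each domain range to be disjoint), and lists the users and groups whose uidNumber/gidNumber is missing or falls outside the domain range, which is exactly the case where getent returns nothing. The smb.conf excerpt and the RFC2307 attribute values are constructed samples based on the ranges quoted in this thread.

```python
import re

# Constructed sample: the two idmap ranges quoted in this thread, with the
# inline "#<--" comments kept as they appeared in the posted smb.conf.
SAMPLE_SMB_CONF = """[global]
   workgroup = TPLK
   idmap config *:backend = tdb
   idmap config *:range = 100001-990000  #<-- What about this range?
   idmap config TPLK:backend = ad
   idmap config TPLK:schema_mode = rfc2307
   idmap config TPLK:range = 500-99999  #<-- domain range
"""

# Constructed sample of RFC2307 attributes as they might be set in ADUC.
SAMPLE_OBJECTS = [
    ("administrator", "uidNumber", 10000),   # inside 500-99999: resolvable
    ("Domain Users", "gidNumber", None),     # not set: getent shows nothing
    ("reiser", "uidNumber", 150000),         # inside the '*' range, not TPLK's
]

RANGE_RE = re.compile(r"idmap config\s*(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = RANGE_RE.search(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; Samba needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def check_posix_ids(ranges, domain, objects):
    """Objects the ad backend will not map: attribute unset or outside the range."""
    low, high = ranges[domain]
    problems = []
    for name, attr, value in objects:
        if value is None:
            problems.append((name, f"{attr} not set"))
        elif not low <= value <= high:
            problems.append((name, f"{attr} {value} outside {low}-{high}"))
    return problems
```

Feed the output of `ldbsearch` or `wbinfo --user-info` into `SAMPLE_OBJECTS` to check a real domain; every name reported here is one `getent passwd` or `getent group` will silently skip.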