[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 1 02:34:41 MST 2015


On 01/01/15 00:07, James wrote:
> Hi Rowland,
>
>     I forgot to tell you the results were from my Domain Controller 
> and not the member server. Member server returned something to the 
> effect of 'user not found'. I am only starting the 3 
> services (smbd, nmbd and winbindd) listed in the wiki. Should I be 
> starting Samba with command line switches to start as a member server? 
> Is that even possible?

Hi, there are two ways of running samba4: the classic or original way 
that samba3 was used, or as an AD DC. If you run samba4 in the classic 
way, you need to start the smbd & nmbd daemons and optionally the 
winbind daemon. If you use samba4 as an AD DC, then you only start the 
samba daemon; this will start any other required daemons. You only start 
the samba daemon on an AD DC.

As you are trying to set up a member server, you must carry out the 
tests on the member server.

Rowland

>
>     Thanks for your smb.conf. I will attempt again using your smb.conf 
> as a template and try again.
>
> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>> On 31/12/14 19:07, James wrote:
>>> Rowland,
>>>
>>>     I decided to start over with a fresh install and attempted 
>>> again. Only change I made was to start my mappings at 10000. I gave 
>>> 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still 
>>> didn't work btw.
>>>
>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Test User
>>> sn: User
>>> givenName: Test
>>> instanceType: 4
>>> whenCreated: 20141231172021.0Z
>>> displayName: Test User
>>> uSNCreated: 477557
>>> name: Test User
>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>> userAccountControl: 66048
>>> codePage: 0
>>> countryCode: 0
>>> pwdLastSet: 130645200220000000
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: tuser
>>> sAMAccountType: 805306368
>>> userPrincipalName: tuser@domain.local
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>> unixUserPassword: ABCD!efgh12345$67890
>>> uid: tuser
>>> msSFU30Name: tuser
>>> msSFU30NisDomain: domain
>>> uidNumber: 10001
>>> loginShell: /bin/sh
>>> unixHomeDirectory: /home/tuser
>>> gidNumber: 10000
>>> whenChanged: 20141231185807.0Z
>>> uSNChanged: 477620
>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>
>>>
>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>> On 31/12/14 18:28, James wrote:
>>>>> Hi Rowland,
>>>>>
>>>>>     passwd:         compat winbind
>>>>>     group:            compat winbind
>>>>>
>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>
>>>>>
>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>> Hi Rowland,
>>>>>>>
>>>>>>>     I did. Unfortunately something is still amiss. I do receive 
>>>>>>> a response from 'getent group domain users'(users:x:100).
>>>>>>>
>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>>     I set a user with a uid and domain users group with a gid 
>>>>>>>>> but I'm still unable to view them using 'id'. I do notice a 
>>>>>>>>> few strange observations. If I go to another user to attempt 
>>>>>>>>> to assign a uid, I get the default value of 10000. I would 
>>>>>>>>> expect 2001 given I set the first user with uid 2000. Groups 
>>>>>>>>> however appear to increment.
>>>>>>>>>
>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>
>>>>>>>>>>>     I learned the hard way about .local. I understand going 
>>>>>>>>>>> forward.
>>>>>>>>>>>
>>>>>>>>>>> I do have an issue with the member server. Following along 
>>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind user/group 
>>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>>
>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>
>>>>>>>>>>> # getent passwd
>>>>>>>>>>>
>>>>>>>>>>> # getent group
>>>>>>>>>>>
>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>
>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>
>>>>>>>>>>> etc.
>>>>>>>>>>>
>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only 
>>>>>>>>>>> retrieve local machine users. Let me preface by saying this 
>>>>>>>>>>> is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>
>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>
>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member 
>>>>>>>>>>>>> Server) and I have a question after reading the 'Set up a 
>>>>>>>>>>>>> basic smb.conf' section.
>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>
>>>>>>>>>>>>> Do I need to extend the schema in order for my member 
>>>>>>>>>>>>> server to successfully join and service file shares?
>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>
>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new 
>>>>>>>>>>>> member server
>>>>>>>>>>>> Stefan
>>>>>>>>>>>>
>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>
>>>>>>>>>>>> My key is at
>>>>>>>>>>>>
>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend. 
>>>>>>>>>> For this to work, you need to add 'uidNumber' attributes to 
>>>>>>>>>> your users and a 'gidNumber' attribute to at least the Domain 
>>>>>>>>>> Users group. The numbers that you add must be between the 
>>>>>>>>>> range you set in your smb.conf, again if you followed the 
>>>>>>>>>> wiki, this will be between 500-40000.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>> You may have to wait a short time, or clear the cache with 'net 
>>>>>>>> cache flush'
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch?
>>>>>>
>>>>>> Do you get anything from 'getent passwd <a domain user>'?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>> OK, install ldb-tools if not already installed, then run:
>>>>
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>
>>>> Post the (sanitized) result
>>>>
>>>> Rowland
>>>>
>>>
>>
>> OK, you added that user with ADUC (RSAT) and as such you are using 
>> the std windows start number 10000, which is the way I run samba. 
>> Here is my smb.conf from the laptop I am writing this on:
>>
>> [global]
>>         workgroup = EXAMPLE
>>         security = ADS
>>         realm = EXAMPLE.COM
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         server string = Samba 4 Client %h
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind use default domain = yes
>>         winbind expand groups = 4
>>         winbind nss info = rfc2307
>>         winbind refresh tickets = Yes
>>         winbind normalize names = Yes
>>         idmap config * : backend = tdb
>>         idmap config * : range = 2000-9999
>>         idmap config EXAMPLE : backend  = ad
>>         idmap config EXAMPLE : range = 10000-999999
>>         idmap config EXAMPLE : schema_mode = rfc2307
>>         printcap name = cups
>>         cups options = raw
>>         usershare allow guests = yes
>>         domain master = no
>>         local master = no
>>         preferred master = no
>>         os level = 20
>>         map to guest = bad user
>>         vfs objects = acl_xattr
>>         map acl inherit = Yes
>>         store dos attributes = Yes
>>
>> Compare it with yours, I can assure you it works.
>>
>> Rowland
>>
>
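
A check for the requirement discussed in this thread (with the 'ad' idmap backend, a user's uidNumber and the Domain Users gidNumber must exist and fall inside the range configured for the domain), as an added example that is not part of the original messages. The sample inputs are constructed from the values posted above, and the function names are hypothetical.

```python
import re

# Constructed inputs modelled on the thread: the idmap lines of the posted
# smb.conf and the rfc2307 attributes of a user and of the Domain Users group.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend  = ad
    idmap config EXAMPLE : range = 10000-999999
"""
USER_LDIF = "sAMAccountName: tuser\nuidNumber: 10001\n"
GROUP_LDIF = "sAMAccountName: Domain Users\ngidNumber: 10000\n"

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_domains(conf_text):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[key] = val
    return domains

def ldif_attrs(ldif_text):
    """Parse single-valued 'attr: value' LDIF lines into a dict."""
    return dict(l.split(": ", 1) for l in ldif_text.splitlines() if ": " in l)

def unmapped_reason(conf_text, ldif_text, domain, attr):
    """Return why the 'ad' backend cannot use attr on this object, or None if it can."""
    cfg = idmap_domains(conf_text).get(domain.upper(), {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        return f"no 'ad' backend with a range for {domain}"
    low, high = cfg["range"]
    value = ldif_attrs(ldif_text).get(attr)
    if value is None:
        return f"{attr} missing"
    if not low <= int(value) <= high:
        return f"{attr} {value} outside {low}-{high}"
    return None

if __name__ == "__main__":
    for ldif, attr in ((USER_LDIF, "uidNumber"), (GROUP_LDIF, "gidNumber")):
        print(attr, unmapped_reason(SMB_CONF, ldif, "EXAMPLE", attr) or "in range")
```

Feed it the member server's own smb.conf text and the attributes exported from the directory for the account and for Domain Users; any non-None result names an attribute winbind will not map.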


