[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Fri Jan 2 05:56:45 MST 2015


Hi Rowland,

     Thanks for the clarification. I have been performing all tests on 
the member server. I will attempt again.

On 1/1/2015 4:34 AM, Rowland Penny wrote:
> On 01/01/15 00:07, James wrote:
>> Hi Rowland,
>>
>>     I forgot to tell you the results were from my Domain Controller 
>> and not the member server. Member server returned something to the 
>> effect of 'user not found'. I am only starting the 3 
>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be 
>> starting Samba with command line switches to start as a member 
>> server? Is that even possible?
>
> Hi, there are two ways of running samba4, the classic or original way 
> that samba3 was used, or as an AD DC. If you run samba4 in the classic 
> way, you need to start the smbd & nmbd daemons and optionally the 
> winbind daemon. If you use samba4 as an AD DC, then you only start the 
> samba daemon, this will start any other required daemons, you only 
> start the samba daemon on an AD DC.
>
> As you are trying to set up a member server, you must carry out the 
> tests on the member server.
>
> Rowland
>
>>
>>     Thanks for your smb.conf. I will attempt again using your smb.conf 
>> as a template and try again.
>>
>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>> On 31/12/14 19:07, James wrote:
>>>> Rowland,
>>>>
>>>>     I decided to start over with a fresh install and attempted 
>>>> again. Only change I made was to start my mappings at 10000. I gave 
>>>> 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still 
>>>> didn't work btw.
>>>>
>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: Test User
>>>> sn: User
>>>> givenName: Test
>>>> instanceType: 4
>>>> whenCreated: 20141231172021.0Z
>>>> displayName: Test User
>>>> uSNCreated: 477557
>>>> name: Test User
>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>> userAccountControl: 66048
>>>> codePage: 0
>>>> countryCode: 0
>>>> pwdLastSet: 130645200220000000
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>> accountExpires: 9223372036854775807
>>>> sAMAccountName: tuser
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: tuser at domain.local
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>> unixUserPassword: ABCD!efgh12345$67890
>>>> uid: tuser
>>>> msSFU30Name: tuser
>>>> msSFU30NisDomain: domain
>>>> uidNumber: 10001
>>>> loginShell: /bin/sh
>>>> unixHomeDirectory: /home/tuser
>>>> gidNumber: 10000
>>>> whenChanged: 20141231185807.0Z
>>>> uSNChanged: 477620
>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>
>>>>
>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>> On 31/12/14 18:28, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>>     passwd:         compat winbind
>>>>>>     group:            compat winbind
>>>>>>
>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>
>>>>>>
>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>>     I did. Unfortunately something is still amiss. I do receive 
>>>>>>>> a response from 'getent group domain users'(users:x:100).
>>>>>>>>
>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>>     I set a user with a uid and domain users group with a gid 
>>>>>>>>>> but I'm still unable to view them using 'id'. I do notice a 
>>>>>>>>>> few strange observations. If I go to another user to attempt 
>>>>>>>>>> to assign a uid. I get the default value of 10000. I would 
>>>>>>>>>> expect 2001 given I set the first user with uid 2000. Groups 
>>>>>>>>>> however appear to increment.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>
>>>>>>>>>>>>     I learned the hard way about .local. I understand going 
>>>>>>>>>>>> forward.
>>>>>>>>>>>>
>>>>>>>>>>>> I do have an issue with the member server. Following along 
>>>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind 
>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>
>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>
>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>
>>>>>>>>>>>> # getent group
>>>>>>>>>>>>
>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>
>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>
>>>>>>>>>>>> etc.
>>>>>>>>>>>>
>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only 
>>>>>>>>>>>> retrieve local machine users. Let me preface by saying this 
>>>>>>>>>>>> is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member 
>>>>>>>>>>>>>> Server) and I have a question after reading the 'Set up a 
>>>>>>>>>>>>>> basic smb.conf' section.
>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do I need to extend the schema in order for my member 
>>>>>>>>>>>>>> server to successfully join and service file shares?
>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new 
>>>>>>>>>>>>> member server
>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>
>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your 
>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>
>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>
>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>
>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>
>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 
>>>>>>>>>>>>>
>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber' 
>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to at 
>>>>>>>>>>> least the Domain Users group. The numbers that you add must 
>>>>>>>>>>> be between the range you set in your smb.conf, again if you 
>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>> You may have to wait a short time, or clear the cache with 
>>>>>>>>> 'net cache flush'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>
>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>
>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>
>>>>> Post the (sanitized) result
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>> OK, you added that user with ADUC (RSAT) and as such you are using 
>>> the std windows start number 10000, which is the way I run samba. 
>>> Here is my smb.conf from the laptop I am writing this on:
>>>
>>> [global]
>>>         workgroup = EXAMPLE
>>>         security = ADS
>>>         realm = EXAMPLE.COM
>>>         dedicated keytab file = /etc/krb5.keytab
>>>         kerberos method = secrets and keytab
>>>         server string = Samba 4 Client %h
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>>         winbind use default domain = yes
>>>         winbind expand groups = 4
>>>         winbind nss info = rfc2307
>>>         winbind refresh tickets = Yes
>>>         winbind normalize names = Yes
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 2000-9999
>>>         idmap config EXAMPLE : backend  = ad
>>>         idmap config EXAMPLE : range = 10000-999999
>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>         printcap name = cups
>>>         cups options = raw
>>>         usershare allow guests = yes
>>>         domain master = no
>>>         local master = no
>>>         preferred master = no
>>>         os level = 20
>>>         map to guest = bad user
>>>         vfs objects = acl_xattr
>>>         map acl inherit = Yes
>>>         store dos attributes = Yes
>>>
>>> Compare it with yours, I can assure you it works.
>>>
>>> Rowland
>>>
>>
>

-- 
-James
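
Added example (not part of the original thread and not Samba project code): a small offline check of the three things the thread keeps returning to on a member server using the 'ad' idmap backend, namely the domain's idmap range in smb.conf, the uidNumber/gidNumber on the account, and the winbind entries in nsswitch. The sample inputs are constructed from values quoted above; the function names are hypothetical.

```python
import re

# Constructed sample inputs, modelled on the values quoted in this thread.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
"""
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\n"
USER_LDIF = "sAMAccountName: tuser\nuidNumber: 10001\ngidNumber: 10000\n"

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(smb_conf):
    """Map each 'idmap config DOM : range = low-high' line to DOM -> (low, high)."""
    found = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            found[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return found

def nss_has_winbind(nsswitch):
    """Report whether the passwd and group databases list winbind as a source."""
    seen = {"passwd": False, "group": False}
    for line in nsswitch.splitlines():
        db, sep, sources = line.split("#")[0].partition(":")
        if sep and db.strip() in seen:
            seen[db.strip()] = "winbind" in sources.split()
    return seen

def check_member(smb_conf, domain, user_ldif, nsswitch):
    """Return the configuration problems found for one account record."""
    problems = []
    attrs = dict(l.split(": ", 1) for l in user_ldif.splitlines() if ": " in l)
    rng = idmap_ranges(smb_conf).get(domain.upper())
    if rng is None:
        problems.append(f"no idmap range configured for {domain}")
    for name in ("uidNumber", "gidNumber"):
        if name not in attrs:
            problems.append(f"{name} not set")
        elif rng and not rng[0] <= int(attrs[name]) <= rng[1]:
            problems.append(f"{name} {attrs[name]} outside {rng[0]}-{rng[1]}")
    problems += [f"{db}: winbind missing from nsswitch"
                 for db, ok in nss_has_winbind(nsswitch).items() if not ok]
    return problems

if __name__ == "__main__":
    print(check_member(SMB_CONF, "EXAMPLE", USER_LDIF, NSSWITCH))
```

An empty list means the three settings agree with each other; it does not replace running 'getent passwd' on the member server itself.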


