[Samba] Member Server Setup Assistance
James
lingpanda101 at gmail.com
Fri Jan 2 05:56:45 MST 2015
Hi Rowland,
Thanks for the clarification. I have been performing all tests on
the member server. I will attempt again.
On 1/1/2015 4:34 AM, Rowland Penny wrote:
> On 01/01/15 00:07, James wrote:
>> Hi Rowland,
>>
>> I forgot to tell you the results were from my Domain Controller
>> and not the member server. Member server returned something to the
>> effect of 'user not found'. I am only starting the 3
>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be
>> starting Samba with command line switches to start as a member
>> server? Is that even possible?
>
> Hi, there are two ways of running samba4, the classic or original way
> that samba3 was used, or as an AD DC. If you run samba4 in the classic
> way, you need to start the smbd & nmbd daemons and optionally the
> winbind daemon. If you use samba4 as an AD DC, then you only start the
> samba daemon, this will start any other required daemons, you only
> start the samba daemon on an AD DC.
>
> As you are trying to set up a member server, you must carry out the
> tests on the member server.
>
> Rowland
>
>>
>> Thanks for your smb.conf. I will attempt again using your smb.conf
>> as a template and try again.
>>
>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>> On 31/12/14 19:07, James wrote:
>>>> Rowland,
>>>>
>>>> I decided to start over with a fresh install and attempted
>>>> again. Only change I made was to start my mappings at 10000. I gave
>>>> 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still
>>>> didn't work btw.
>>>>
>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: Test User
>>>> sn: User
>>>> givenName: Test
>>>> instanceType: 4
>>>> whenCreated: 20141231172021.0Z
>>>> displayName: Test User
>>>> uSNCreated: 477557
>>>> name: Test User
>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>> userAccountControl: 66048
>>>> codePage: 0
>>>> countryCode: 0
>>>> pwdLastSet: 130645200220000000
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>> accountExpires: 9223372036854775807
>>>> sAMAccountName: tuser
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: tuser at domain.local
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>> unixUserPassword: ABCD!efgh12345$67890
>>>> uid: tuser
>>>> msSFU30Name: tuser
>>>> msSFU30NisDomain: domain
>>>> uidNumber: 10001
>>>> loginShell: /bin/sh
>>>> unixHomeDirectory: /home/tuser
>>>> gidNumber: 10000
>>>> whenChanged: 20141231185807.0Z
>>>> uSNChanged: 477620
>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>
>>>>
>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>> On 31/12/14 18:28, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> passwd: compat winbind
>>>>>> group: compat winbind
>>>>>>
>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>
>>>>>>
>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> I did. Unfortunately something is still amiss. I do receive
>>>>>>>> a response from 'getent group domain users'(users:x:100).
>>>>>>>>
>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I set a user with a uid and domain users group with a gid
>>>>>>>>>> but I'm still unable to view them using 'id'. I do notice a
>>>>>>>>>> few strange observations. If I go to another user to attempt
>>>>>>>>>> to assign a uid. I get the default value of 10000. I would
>>>>>>>>>> expect 2001 given I set the first user with uid 2000. Groups
>>>>>>>>>> however appear to increment.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>
>>>>>>>>>>>> I learned the hard way about .local. I understand going
>>>>>>>>>>>> forward.
>>>>>>>>>>>>
>>>>>>>>>>>> I do have an issue with the member server. Following along
>>>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind
>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>
>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>
>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>
>>>>>>>>>>>> # getent group
>>>>>>>>>>>>
>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>
>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>
>>>>>>>>>>>> etc.
>>>>>>>>>>>>
>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>> retrieve local machine users. Let me preface by saying this
>>>>>>>>>>>> is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD Member
>>>>>>>>>>>>>> Server)
>>>>>>>>>>>>>> and I have a question after reading the 'Set up a basic
>>>>>>>>>>>>>> smb.conf'
>>>>>>>>>>>>>> section.
>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do I need to extend the schema in order for my member
>>>>>>>>>>>>>> server to
>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new
>>>>>>>>>>>>> member server
>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>
>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>
>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to at
>>>>>>>>>>> least the Domain Users group. The numbers that you add must
>>>>>>>>>>> be within the range you set in your smb.conf; again, if you
>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>> You may have to wait a short time, or clear the cache with
>>>>>>>>> 'net cache flush'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>
>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>
>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>> sAMAccountName=tuser
>>>>>
>>>>> Post the (sanitized) result
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>> OK, you added that user with ADUC (RSAT) and as such you are using
>>> the std windows start number 10000, which is the way I run samba.
>>> Here is my smb.conf from the laptop I am writing this on:
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> security = ADS
>>> realm = EXAMPLE.COM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> server string = Samba 4 Client %h
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> winbind expand groups = 4
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = Yes
>>> winbind normalize names = Yes
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config EXAMPLE : backend = ad
>>> idmap config EXAMPLE : range = 10000-999999
>>> idmap config EXAMPLE : schema_mode = rfc2307
>>> printcap name = cups
>>> cups options = raw
>>> usershare allow guests = yes
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>> os level = 20
>>> map to guest = bad user
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>>
>>> Compare it with yours, I can assure you it works.
>>>
>>> Rowland
>>>
>>
>
--
-James
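As an added check (my own script, not from this thread or the Samba project), this parses the `idmap config` ranges out of an smb.conf and reports whether a user's or group's uidNumber/gidNumber fall inside the domain's `ad` backend range, which is the condition Rowland describes for winbind to map the entry at all; the smb.conf and LDIF fragments are constructed samples modelled on the ones posted above.

```python
import re

# Constructed sample smb.conf fragment, modelled on the one posted in this thread.
SMB_CONF = """\
[global]
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
"""
# Constructed LDIF fragment, modelled on the ldbedit output posted above.
USER_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
uidNumber: 10001
gidNumber: 10000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from idmap config lines."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            entry = idmap.setdefault(m.group(1).upper(), {})
            if m.group(2).lower() == "range":
                entry["range"] = tuple(int(x) for x in m.group(3).split("-"))
            else:
                entry["backend"] = m.group(3).lower()
    return idmap

def parse_ldif(ldif):
    """Return the entry's attributes as a dict (single-valued is enough here)."""
    return {k.strip(): v.strip() for k, v in
            (l.split(":", 1) for l in ldif.splitlines() if ":" in l)}

def check_entry(ldif, conf, domain, kind="user"):
    """List reasons the 'ad' idmap backend would not map this user/group entry."""
    cfg = parse_idmap(conf).get(domain.upper(), {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        return [f"smb.conf lacks 'idmap config {domain} : backend = ad' with a range"]
    low, high = cfg["range"]
    attrs, problems = parse_ldif(ldif), []
    for attr in ("uidNumber", "gidNumber") if kind == "user" else ("gidNumber",):
        if attr not in attrs:
            problems.append(f"{attr} missing: winbind will not map this entry")
        elif not low <= int(attrs[attr]) <= high:
            problems.append(f"{attr} {attrs[attr]} outside {domain} range {low}-{high}")
    return problems
```

Run it against the real `ldbedit` output and the member server's smb.conf; a uid such as 2000 from the earlier attempt is reported as outside the 10000-999999 range, which is why `id` and `getent` found nothing.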