[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 2 06:55:54 MST 2015


On 02/01/15 13:41, James wrote:
> Hi Rowland,
>
>     If you don't mind, I'd like to post my member server configuration as 
> I attempt again. This is how my member server (Ubuntu 12.04) is 
> configured after a fresh install and prior to the Samba build. Anything I'm 
> missing that could cause my issue as I proceed? I assume no other 
> prerequisites must be done on the other DCs either? Thanks.
>
> # From Wiki for DC build
> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev 
> libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython 
> gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr 
> krb5-user docbook-xsl libcups2-dev acl
>
>
> # Fstab file
> ext4    errors=remount-ro,user_xattr,acl,barrier=1 1       1
>
>
> # Hosts File
> 127.0.0.1       localhost
> 172.16.232.25   pfmember1.domain.local    pfmember1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> # Hostname File
> pfmember1.domain.local

If you are referring to /etc/hostname, then it should just contain 
'pfmember1'.

Also, are you fixed on using Ubuntu 12.04? If you were to use Debian 
Wheezy and backports, you wouldn't have to compile samba4.

Rowland

>
> # /network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
>         address 172.16.232.25
>         netmask 255.255.255.0
>         gateway 172.16.232.201
>         network 172.16.232.0
>         broadcast 172.16.232.255
>         dns-search domain.local
>         dns-nameservers 172.16.232.29
>
>
>
>
>
> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>> On 01/01/15 00:07, James wrote:
>>> Hi Rowland,
>>>
>>>     I forgot to tell you the results were from my Domain Controller 
>>> and not the member server. Member server returned something to the 
>>> effect of 'user not found'. I am only starting the 3 
>>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be 
>>> starting Samba with command line switches to start as a member 
>>> server? Is that even possible?
>>
>> Hi, there are two ways of running samba4, the classic or original way 
>> that samba3 was used, or as an AD DC. If you run samba4 in the 
>> classic way, you need to start the smbd & nmbd daemons and optionally 
>> the winbind daemon. If you use samba4 as an AD DC, then you only 
>> start the samba daemon; this will start any other required daemons. 
>> You only start the samba daemon on an AD DC.
>>
>> As you are trying to set up a member server, you must carry out the 
>> tests on the member server.
>>
>> Rowland
>>
>>>
>>>     Thanks for your smb.conf. I will attempt again using your 
>>> smb.conf as a template and try again.
>>>
>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>> On 31/12/14 19:07, James wrote:
>>>>> Rowland,
>>>>>
>>>>>     I decided to start over with a fresh install and attempted 
>>>>> again. Only change I made was to start my mappings at 10000. I 
>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. 
>>>>> Still didn't work btw.
>>>>>
>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: Test User
>>>>> sn: User
>>>>> givenName: Test
>>>>> instanceType: 4
>>>>> whenCreated: 20141231172021.0Z
>>>>> displayName: Test User
>>>>> uSNCreated: 477557
>>>>> name: Test User
>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>> userAccountControl: 66048
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> pwdLastSet: 130645200220000000
>>>>> primaryGroupID: 513
>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>> accountExpires: 9223372036854775807
>>>>> sAMAccountName: tuser
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: tuser@domain.local
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>> uid: tuser
>>>>> msSFU30Name: tuser
>>>>> msSFU30NisDomain: domain
>>>>> uidNumber: 10001
>>>>> loginShell: /bin/sh
>>>>> unixHomeDirectory: /home/tuser
>>>>> gidNumber: 10000
>>>>> whenChanged: 20141231185807.0Z
>>>>> uSNChanged: 477620
>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>
>>>>>
>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>> Hi Rowland,
>>>>>>>
>>>>>>>     passwd:         compat winbind
>>>>>>>     group:            compat winbind
>>>>>>>
>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>
>>>>>>>
>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>> Hi Rowland,
>>>>>>>>>
>>>>>>>>>     I did. Unfortunately something is still amiss. I do 
>>>>>>>>> receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>
>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>> Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     I set a user with a uid and domain users group with a 
>>>>>>>>>>> gid but I'm still unable to view them using 'id'. I do 
>>>>>>>>>>> notice a few strange observations. If I go to another user 
>>>>>>>>>>> to attempt to assign a uid, I get the default value of 
>>>>>>>>>>> 10000. I would expect 2001 given I set the first user with 
>>>>>>>>>>> uid 2000. Groups however appear to increment.
>>>>>>>>>>>
>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>
>>>>>>>>>>>>>     I learned the hard way about .local. I understand 
>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I do have an issue with the member server. Following along 
>>>>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind 
>>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>
>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>
>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>
>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>
>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>
>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>
>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only 
>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying 
>>>>>>>>>>>>> this is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD 
>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a basic 
>>>>>>>>>>>>>>> smb.conf'
>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member 
>>>>>>>>>>>>>>> server to
>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new 
>>>>>>>>>>>>>> memberserver
>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your
>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber' 
>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to at 
>>>>>>>>>>>> least the Domain Users group. The numbers that you add must 
>>>>>>>>>>>> be within the range you set in your smb.conf; again, if you 
>>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>> You may have to wait a short time, or clear the cache with 
>>>>>>>>>> 'net cache flush'
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>
>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>
>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>> sAMAccountName=tuser
>>>>>>
>>>>>> Post the (sanitized) result
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>
>>>> OK, you added that user with ADUC (RSAT) and as such you are using 
>>>> the std windows start number 10000, which is the way I run samba. 
>>>> Here is my smb.conf from the laptop I am writing this on:
>>>>
>>>> [global]
>>>>         workgroup = EXAMPLE
>>>>         security = ADS
>>>>         realm = EXAMPLE.COM
>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>         kerberos method = secrets and keytab
>>>>         server string = Samba 4 Client %h
>>>>         winbind enum users = yes
>>>>         winbind enum groups = yes
>>>>         winbind use default domain = yes
>>>>         winbind expand groups = 4
>>>>         winbind nss info = rfc2307
>>>>         winbind refresh tickets = Yes
>>>>         winbind normalize names = Yes
>>>>         idmap config * : backend = tdb
>>>>         idmap config * : range = 2000-9999
>>>>         idmap config EXAMPLE : backend  = ad
>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>         printcap name = cups
>>>>         cups options = raw
>>>>         usershare allow guests = yes
>>>>         domain master = no
>>>>         local master = no
>>>>         preferred master = no
>>>>         os level = 20
>>>>         map to guest = bad user
>>>>         vfs objects = acl_xattr
>>>>         map acl inherit = Yes
>>>>         store dos attributes = Yes
>>>>
>>>> Compare it with yours; I can assure you it works.
>>>>
>>>> Rowland
>>>>
>>>
>>
>
> -- 
> -James
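Rowland's two requirements above (the 'ad' backend needs uidNumber/gidNumber on the AD objects, and those numbers must lie inside the `idmap config ... : range` set in smb.conf) can be checked offline against an `ldbedit`/`ldbsearch` dump before chasing winbind further. The script below is an added example, not code from the thread or from the Samba project; the smb.conf fragment and the LDIF records inside it are constructed, and `EXAMPLE` is the domain name taken from Rowland's posted smb.conf.

```python
import re
# Constructed smb.conf fragment modelled on the idmap lines quoted in the thread.
SMB_CONF = """[global]
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend = ad
        idmap config EXAMPLE : range = 10000-999999
"""
# Constructed LDIF: the user as posted, one with an out-of-range uid, and one
# with no RFC2307 attributes at all (what a plain ADUC "new user" looks like).
LDIF = """dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000

dn: CN=Other User,CN=Users,DC=domain,DC=local
sAMAccountName: ouser
uidNumber: 2000
gidNumber: 10000

dn: CN=No Unix,CN=Users,DC=domain,DC=local
sAMAccountName: nuser
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} from every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in map(IDMAP_RE.match, conf.splitlines()) if m}

def parse_ldif(text):
    """One dict per LDIF record (the attributes used here are single-valued)."""
    return [{k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in blk.splitlines())}
            for blk in re.split(r"\n\s*\n", text.strip())]

def check_user(rec, ranges, domain):
    """Attributes the thread requires: uidNumber and gidNumber present and in range."""
    low, high = ranges[domain]
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        if attr not in rec:
            problems.append(f"{attr} missing")
        elif not low <= int(rec[attr]) <= high:
            problems.append(f"{attr}={rec[attr]} outside {domain} range {low}-{high}")
    return problems

def audit(conf=SMB_CONF, ldif=LDIF, domain="EXAMPLE"):
    """Map sAMAccountName -> problem list; an empty list means both attributes pass."""
    ranges = parse_idmap_ranges(conf)
    return {r["sAMAccountName"]: check_user(r, ranges, domain) for r in parse_ldif(ldif)}
```

Feed it the real smb.conf and the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber gidNumber` (paths as in the thread) to see which accounts winbind will never map.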