[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Fri Jan 2 07:00:28 MST 2015


Hi Rowland,

     Yes 'etc/hostname/'. No I'm not fixed on Ubuntu. I'm currently 
using Ubuntu for all DCs and have compiled them as well. I can 
certainly try Debian Wheezy.

On 1/2/2015 8:55 AM, Rowland Penny wrote:
> On 02/01/15 13:41, James wrote:
>> Hi Rowland,
>>
>>     If you don't mind, I'd like to post my member server configuration 
>> as I attempt again. This is how my member server (Ubuntu 12.04) is 
>> configured after a fresh install and prior to the Samba build. Anything I'm 
>> missing that could cause my issue as I proceed? I assume no other 
>> prerequisites must be done on the other DCs either? Thanks.
>>
>> # From Wiki for DC build
>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev 
>> libgnutls-dev libreadline-dev python-dev libpam0g-dev 
>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils 
>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>
>>
>> # Fstab file
>> ext4    errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>
>>
>> # Hosts File
>> 127.0.0.1       localhost
>> 172.16.232.25   pfmember1.domain.local    pfmember1
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>> # Hostname File
>> pfmember1.domain.local
>
> if you are referring to /etc/hostname, then it should just contain 
> 'pfmember1'.
>
> Also, are you fixed on using Ubuntu 12.04, if you were to use Debian 
> Wheezy and backports, you wouldn't have to compile samba4.
>
> Rowland
>
>>
>> # /network/interfaces
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> # The primary network interface
>> auto eth0
>> iface eth0 inet static
>>         address 172.16.232.25
>>         netmask 255.255.255.0
>>         gateway 172.16.232.201
>>         network 172.16.232.0
>>         broadcast 172.16.232.255
>>         dns-search domain.local
>>         dns-nameservers 172.16.232.29
>>
>>
>>
>>
>>
>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>> On 01/01/15 00:07, James wrote:
>>>> Hi Rowland,
>>>>
>>>>     I forgot to tell you the results were from my Domain Controller 
>>>> and not the member server. Member server returned something to the 
>>>> effect of 'user not found'. I am only starting the 3 
>>>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be 
>>>> starting Samba with command line switches to start as a member 
>>>> server? Is that even possible?
>>>
>>> Hi, there are two ways of running samba4, the classic or original 
>>> way that samba3 was used, or as an AD DC. If you run samba4 in the 
>>> classic way, you need to start the smbd & nmbd daemons and 
>>> optionally the winbind daemon. If you use samba4 as an AD DC, then 
>>> you only start the samba daemon, this will start any other required 
>>> daemons, you only start the samba daemon on an AD DC.
>>>
>>> As you are trying to set up a member server, you must carry out the 
>>> tests on the member server.
>>>
>>> Rowland
>>>
>>>>
>>>>     Thanks for your smb.conf. I will attempt again using your 
>>>> smb.conf as a template and try again.
>>>>
>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>> On 31/12/14 19:07, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     I decided to start over with a fresh install and attempted 
>>>>>> again. Only change I made was to start my mappings at 10000. I 
>>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. 
>>>>>> Still didn't work btw.
>>>>>>
>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>> objectClass: top
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> cn: Test User
>>>>>> sn: User
>>>>>> givenName: Test
>>>>>> instanceType: 4
>>>>>> whenCreated: 20141231172021.0Z
>>>>>> displayName: Test User
>>>>>> uSNCreated: 477557
>>>>>> name: Test User
>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>> userAccountControl: 66048
>>>>>> codePage: 0
>>>>>> countryCode: 0
>>>>>> pwdLastSet: 130645200220000000
>>>>>> primaryGroupID: 513
>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>> accountExpires: 9223372036854775807
>>>>>> sAMAccountName: tuser
>>>>>> sAMAccountType: 805306368
>>>>>> userPrincipalName: tuser@domain.local
>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>> uid: tuser
>>>>>> msSFU30Name: tuser
>>>>>> msSFU30NisDomain: domain
>>>>>> uidNumber: 10001
>>>>>> loginShell: /bin/sh
>>>>>> unixHomeDirectory: /home/tuser
>>>>>> gidNumber: 10000
>>>>>> whenChanged: 20141231185807.0Z
>>>>>> uSNChanged: 477620
>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>
>>>>>>
>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>>     passwd:         compat winbind
>>>>>>>>     group:            compat winbind
>>>>>>>>
>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>>     I did. Unfortunately something is still amiss. I do 
>>>>>>>>>> receive a response from 'getent group domain 
>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     I set a user with a uid and domain users group with a 
>>>>>>>>>>>> gid but I'm still unable to view them using 'id'. I do 
>>>>>>>>>>>> notice a few strange observations. If I go to another user 
>>>>>>>>>>>> to attempt to assign a uid. I get the default value of 
>>>>>>>>>>>> 10000. I would expect 2001 given I set the first user with 
>>>>>>>>>>>> uid 2000. Groups however appear to increment.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I learned the hard way about .local. I understand 
>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I do have an issue with the member server. Following 
>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the Winbind 
>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only 
>>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying 
>>>>>>>>>>>>>> this is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD 
>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a basic 
>>>>>>>>>>>>>>>> smb.conf'
>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member 
>>>>>>>>>>>>>>>> server to
>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your 
>>>>>>>>>>>>>>> new member server
>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your 
>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber' 
>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to at 
>>>>>>>>>>>>> least the Domain Users group. The numbers that you add 
>>>>>>>>>>>>> must be between the range you set in your smb.conf, again 
>>>>>>>>>>>>> if you followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>> You may have to wait a short time, or clear the cache with 
>>>>>>>>>>> 'net cache flush'
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>>
>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>
>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>> sAMAccountName=tuser
>>>>>>>
>>>>>>> Post the (sanitized) result
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>> OK, you added that user with ADUC (RSAT) and as such you are using 
>>>>> the standard Windows start number 10000, which is the way I run samba. 
>>>>> Here is my smb.conf from the laptop I am writing this on:
>>>>>
>>>>> [global]
>>>>>         workgroup = EXAMPLE
>>>>>         security = ADS
>>>>>         realm = EXAMPLE.COM
>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>         kerberos method = secrets and keytab
>>>>>         server string = Samba 4 Client %h
>>>>>         winbind enum users = yes
>>>>>         winbind enum groups = yes
>>>>>         winbind use default domain = yes
>>>>>         winbind expand groups = 4
>>>>>         winbind nss info = rfc2307
>>>>>         winbind refresh tickets = Yes
>>>>>         winbind normalize names = Yes
>>>>>         idmap config * : backend = tdb
>>>>>         idmap config * : range = 2000-9999
>>>>>         idmap config EXAMPLE : backend = ad
>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>         printcap name = cups
>>>>>         cups options = raw
>>>>>         usershare allow guests = yes
>>>>>         domain master = no
>>>>>         local master = no
>>>>>         preferred master = no
>>>>>         os level = 20
>>>>>         map to guest = bad user
>>>>>         vfs objects = acl_xattr
>>>>>         map acl inherit = Yes
>>>>>         store dos attributes = Yes
>>>>>
>>>>> Compare it with yours, I can assure you it works.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
>> -- 
>> -James
>

-- 
-James
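An added worked example, not code from this thread or from the Samba project: a small offline checker in Python that applies the rule Rowland gives above to the text of smb.conf, nsswitch.conf and the ldbedit output. With the 'ad' backend, the uidNumber of the user and the gidNumber of its primary group (Domain Users, primaryGroupID 513) must fall inside `idmap config DOMAIN : range`, that range must not overlap the `*` range, and the passwd/group lines of nsswitch.conf must list winbind; a SID that cannot be mapped is simply "not found", which is the empty `getent passwd tuser` James sees. The inputs below are constructed from the configuration quoted in the thread (workgroup DOMAIN, tuser with uidNumber 10001); the Domain Users entry and all function names are assumptions, since the thread never shows that group object.

```python
import re
# Constructed inputs modelled on the thread's smb.conf and ldbedit output
# (workgroup DOMAIN); the Domain Users entry is assumed, the thread never shows it.
SMB_CONF = """\
[global]
    workgroup = DOMAIN
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-999999
"""
NSSWITCH = "passwd: compat winbind\ngroup:  compat winbind\n"
TUSER_LDIF = """\
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""
DOMAIN_USERS_LDIF = """\
sAMAccountName: Domain Users
objectSid: S-1-5-21-940051827-2291820289-3341758437-513
gidNumber: 10000
"""

def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased with blanks around ':' dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line[0] == '[' and line[-1] == ']':
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, val = line.split('=', 1)
            key = re.sub(r'\s*:\s*', ':', ' '.join(key.lower().split()))
            conf[section][key] = val.strip()
    return conf

def idmap_ranges(conf):
    """{domain: {'backend', 'low', 'high'}} from the 'idmap config X : ...' keys."""
    out = {}
    for key, val in conf.get('global', {}).items():
        m = re.match(r'idmap config (.+):(backend|range)$', key)
        if m:
            ent = out.setdefault(m.group(1), {'backend': None, 'low': None, 'high': None})
            if m.group(2) == 'backend':
                ent['backend'] = val.lower()
            else:
                ent['low'], ent['high'] = (int(x) for x in val.split('-', 1))
    return out

def parse_ldif(text):
    """One unfolded LDIF entry as {attr: [values]}, attribute names lower-cased."""
    attrs = {}
    for line in text.splitlines():
        if ':' in line:
            name, _, val = line.partition(':')
            attrs.setdefault(name.strip().lower(), []).append(val.strip())
    return attrs

def check_member_server(smb_conf_text, nsswitch_text, user_ldif, group_ldif):
    """Problems that leave 'getent passwd <user>' empty on an 'ad'-backend member
    server; an empty list means the user should map."""
    problems = []
    conf = parse_smb_conf(smb_conf_text)
    g = conf.get('global', {})
    nss = {d.strip(): s.split() for d, _, s in
           (l.partition(':') for l in nsswitch_text.splitlines()) if s}
    for db in ('passwd', 'group'):
        if 'winbind' not in nss.get(db, []):
            problems.append(f"nsswitch.conf: '{db}' does not list winbind")
    if g.get('security', '').lower() != 'ads':
        problems.append("smb.conf: a domain member needs 'security = ADS'")
    dom = g.get('workgroup', '').lower()
    ranges = idmap_ranges(conf)
    default, domain = ranges.get('*'), ranges.get(dom)
    if domain is None or domain['low'] is None:
        return problems + [f"smb.conf: no 'idmap config {dom.upper()} : range'"]
    if domain['backend'] != 'ad':
        problems.append(f"smb.conf: backend for {dom.upper()} is {domain['backend']!r}, not 'ad'")
    if default and default['low'] is not None and not (
            domain['high'] < default['low'] or domain['low'] > default['high']):
        problems.append("smb.conf: the domain idmap range overlaps the '*' range")
    # Rowland's point: with 'backend = ad' winbind maps a user only if its uidNumber
    # lies inside the domain range, and its primary group (RID 513 = Domain Users)
    # needs an in-range gidNumber; an unmappable SID is simply "not found".
    user, group = parse_ldif(user_ldif), parse_ldif(group_ldif)
    for obj, attr in ((user, 'uidnumber'), (group, 'gidnumber')):
        name = obj.get('samaccountname', ['?'])[0]
        if attr not in obj:
            problems.append(f"{name}: no {attr} attribute in AD")
        elif not domain['low'] <= int(obj[attr][0]) <= domain['high']:
            problems.append(f"{name}: {attr}={obj[attr][0]} is outside "
                            f"{domain['low']}-{domain['high']}")
    return problems
```

To use it on a real member server, feed `check_member_server` the contents of /etc/samba/smb.conf and /etc/nsswitch.conf plus the ldbsearch/ldbedit output for the user and for Domain Users; an empty list means winbind has what it needs. It does not replace `wbinfo -i` and `getent` on the box: if those are still empty after the checks pass, restart samba/winbind and run `net cache flush` as Rowland suggested before looking elsewhere.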


