[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 2 10:00:44 MST 2015


On 02/01/15 16:57, James wrote:
> Rowland,
>
>     I've gotten a bit further. It appears my use of '.local' is 
> causing the issue from what I've researched. I ran 
> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully 
> join the domain.
>
> Enter administrator at DOMAIN.LOCAL's password:
> Using short domain name -- DOMAIN
> Joined 'PFMEMBER1' to dns domain 'domain.local'
> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>> On 02/01/15 13:41, James wrote:
>>> Hi Rowland,
>>>
>>>     If you don't mind, I'd like to post my member server configuration 
>>> as I attempt again. This is how my member server (Ubuntu 12.04) is 
>>> configured after fresh install and prior to Samba build. Anything 
>>> I'm missing that could cause my issue as I proceed? I assume no 
>>> other prerequisites must be done on the other DC's either? Thanks.
>>>
>>> # From Wiki for DC build
>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>> libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev 
>>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils 
>>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>
>>>
>>> # Fstab file
>>> ext4    errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>
>>>
>>> # Hosts File
>>> 127.0.0.1       localhost
>>> 172.16.232.25   pfmember1.domain.local    pfmember1
>>>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     ip6-localhost ip6-loopback
>>> fe00::0 ip6-localnet
>>> ff00::0 ip6-mcastprefix
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>>
>>> # Hostname File
>>> pfmember1.domain.local
>>
>> if you are referring to /etc/hostname, then it should just contain 
>> 'pfmember1'.
>>
>> Also, are you fixed on using Ubuntu 12.04, if you were to use Debian 
>> Wheezy and backports, you wouldn't have to compile samba4.
>>
>> Rowland
>>
>>>
>>> # /network/interfaces
>>> # This file describes the network interfaces available on your system
>>> # and how to activate them. For more information, see interfaces(5).
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> auto eth0
>>> iface eth0 inet static
>>>         address 172.16.232.25
>>>         netmask 255.255.255.0
>>>         gateway 172.16.232.201
>>>         network 172.16.232.0
>>>         broadcast 172.16.232.255
>>>         dns-search domain.local
>>>         dns-nameservers 172.16.232.29
>>>
>>>
>>>
>>>
>>>
>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>> On 01/01/15 00:07, James wrote:
>>>>> Hi Rowland,
>>>>>
>>>>>     I forgot to tell you the results were from my Domain 
>>>>> Controller and not the member server. Member server returned 
>>>>> something to the effect of 'user not found'. I am only starting 
>>>>> the 3 services(smbd,nmbd and windbindd) listed in the wiki. Should 
>>>>> I be starting Samba with command line switches to start as a 
>>>>> member server? Is that even possible?
>>>>
>>>> Hi, there are two ways of running samba4, the classic or original 
>>>> way that samba3 was used, or as an AD DC. If you run samba4 in the 
>>>> classic way, you need to start the smbd & nmbd daemons and 
>>>> optionally the winbind daemon. If you use samba4 as an AD DC, then 
>>>> you only start the samba daemon, this will start any other required 
>>>> daemons, you only start the samba daemon on an AD DC.
>>>>
>>>> As you are trying to set up a member server, you must carry out the 
>>>> tests on the member server.
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>>     Thanks for your smb.conf. I will attempt again using your 
>>>>> smb.conf as a template and try again.
>>>>>
>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>>     I decided to start over with a fresh install and attempted 
>>>>>>> again. Only change I made was to start my mappings at 10000. I 
>>>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. 
>>>>>>> Still didn't work btw.
>>>>>>>
>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>> objectClass: top
>>>>>>> objectClass: person
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: user
>>>>>>> cn: Test User
>>>>>>> sn: User
>>>>>>> givenName: Test
>>>>>>> instanceType: 4
>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>> displayName: Test User
>>>>>>> uSNCreated: 477557
>>>>>>> name: Test User
>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>> userAccountControl: 66048
>>>>>>> codePage: 0
>>>>>>> countryCode: 0
>>>>>>> pwdLastSet: 130645200220000000
>>>>>>> primaryGroupID: 513
>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>> accountExpires: 9223372036854775807
>>>>>>> sAMAccountName: tuser
>>>>>>> sAMAccountType: 805306368
>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>> objectCategory: 
>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>> uid: tuser
>>>>>>> msSFU30Name: tuser
>>>>>>> msSFU30NisDomain: domain
>>>>>>> uidNumber: 10001
>>>>>>> loginShell: /bin/sh
>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>> gidNumber: 10000
>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>> uSNChanged: 477620
>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>
>>>>>>>
>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>> Hi Rowland,
>>>>>>>>>
>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>     group:            compat winbind
>>>>>>>>>
>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     I did. Unfortunately something is still amiss. I do 
>>>>>>>>>>> receive a response from 'getent group domain 
>>>>>>>>>>> users'(users:x:100).
>>>>>>>>>>>
>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>>     I set a user with a uid and domain users group with a 
>>>>>>>>>>>>> gid but I'm still unable to view them using 'id'. I do 
>>>>>>>>>>>>> notice a few strange observations. If I go to another user 
>>>>>>>>>>>>> to attempt to assign a uid. I get the default value of 
>>>>>>>>>>>>> 10000. I would expect 2001 given I set the first user with 
>>>>>>>>>>>>> uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     I learned the hard way about .local. I understand 
>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I do have an issue with the member server. Following 
>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the Winbind 
>>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only 
>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying 
>>>>>>>>>>>>>>> this is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD 
>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a 
>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member 
>>>>>>>>>>>>>>>>> server to
>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your 
>>>>>>>>>>>>>>>> new memberserver
>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber' 
>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to 
>>>>>>>>>>>>>> at least the Domain Users group. The numbers that you add 
>>>>>>>>>>>>>> must be between the range you set in your smb.conf; again, 
>>>>>>>>>>>>>> if you followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>> You may have to wait a short time, or clear the cache with 
>>>>>>>>>>>> 'net cache flush'
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>>>
>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>
>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>> sAMAccountName=tuser
>>>>>>>>
>>>>>>>> Post the (sanitized) result
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> OK, you added that user with ADUC (RSAT) and as such you are 
>>>>>> using the std windows start number 10000, which is the way I run 
>>>>>> samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>
>>>>>> [global]
>>>>>>         workgroup = EXAMPLE
>>>>>>         security = ADS
>>>>>>         realm = EXAMPLE.COM
>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>         kerberos method = secrets and keytab
>>>>>>         server string = Samba 4 Client %h
>>>>>>         winbind enum users = yes
>>>>>>         winbind enum groups = yes
>>>>>>         winbind use default domain = yes
>>>>>>         winbind expand groups = 4
>>>>>>         winbind nss info = rfc2307
>>>>>>         winbind refresh tickets = Yes
>>>>>>         winbind normalize names = Yes
>>>>>>         idmap config * : backend = tdb
>>>>>>         idmap config * : range = 2000-9999
>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>         printcap name = cups
>>>>>>         cups options = raw
>>>>>>         usershare allow guests = yes
>>>>>>         domain master = no
>>>>>>         local master = no
>>>>>>         preferred master = no
>>>>>>         os level = 20
>>>>>>         map to guest = bad user
>>>>>>         vfs objects = acl_xattr
>>>>>>         map acl inherit = Yes
>>>>>>         store dos attributes = Yes
>>>>>>
>>>>>> Compare it with yours, I can assure you it works.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>
>>>
>>> -- 
>>> -James
>>
>
> -- 
> -James

OK, you have *now* found out one of the reasons you shouldn't use the 
.local suffix.

But does anything else work?

Rowland
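The two checks Rowland keeps coming back to in this thread (every mapped account needs a uidNumber, Domain Users needs a gidNumber, and those values must fall inside the `idmap config DOMAIN : range` in smb.conf; and nsswitch.conf's passwd/group lines must include winbind or getent only returns local accounts) are easy to script. The following is an added example, not code from the thread or from the Samba project: the smb.conf idmap lines are taken from Rowland's posted config, while the LDIF records (tuser from the thread plus two constructed accounts) and the nsswitch lines are constructed test input.

```python
import re

# Excerpt of the smb.conf Rowland posted in this thread (EXAMPLE is his sample domain).
SMB_CONF = """
[global]
        workgroup = EXAMPLE
        security = ADS
        realm = EXAMPLE.COM
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed LDIF: tuser as shown in the thread (uidNumber 10001, gidNumber 10000),
# a hypothetical 'lowuser' whose uidNumber falls below the AD range, a hypothetical
# 'noid' user with no uidNumber at all, and the Domain Users group with gidNumber 10000.
LDIF = """
dn: CN=Test User,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000

dn: CN=Low User,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: lowuser
uidNumber: 2000
gidNumber: 10000

dn: CN=No Id,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: noid

dn: CN=Domain Users,CN=Users,DC=domain,DC=local
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000
"""

# Constructed nsswitch.conf excerpt: 'passwd' is missing winbind, 'group' has it.
NSSWITCH = """
passwd:         compat
group:          compat winbind
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I | re.M)


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high), ...}} from smb.conf text."""
    result = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = result.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return result


def workgroup(conf):
    """The workgroup is the short domain name that the idmap config lines are keyed on."""
    m = WORKGROUP_RE.search(conf)
    return m.group(1).upper() if m else None


def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated record (last value wins)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, val = line.partition(":")
        current[attr.strip()] = val.strip()
    if current:
        records.append(current)
    return records


def check_ids(records, idmap, domain):
    """Flag accounts whose rfc2307 ids are missing or outside the domain's idmap range."""
    findings = []
    cfg = idmap.get(domain.upper(), {})
    if cfg.get("backend", "").lower() != "ad":
        return [f"{domain}: idmap backend is not 'ad'; uidNumber/gidNumber will be ignored"]
    low, high = cfg["range"]
    for rec in records:
        name = rec.get("sAMAccountName", rec.get("dn", "?"))
        required = "gidNumber" if rec.get("objectClass") == "group" else "uidNumber"
        if required not in rec:
            findings.append(f"{name}: missing {required}; the 'ad' backend cannot map it")
        for attr in ("uidNumber", "gidNumber"):
            if attr in rec and not low <= int(rec[attr]) <= high:
                findings.append(f"{name}: {attr}={rec[attr]} outside idmap range {low}-{high}")
    return findings


def check_nsswitch(text):
    """Flag passwd/group lines that do not consult winbind."""
    findings = []
    for line in text.splitlines():
        db, sep, sources = line.partition(":")
        if sep and db.strip() in ("passwd", "group") and "winbind" not in sources.split():
            findings.append(f"nsswitch.conf: '{db.strip()}' lacks winbind; getent shows local accounts only")
    return findings


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    for f in check_ids(parse_ldif(LDIF), idmap, workgroup(SMB_CONF)) + check_nsswitch(NSSWITCH):
        print(f)
```

Running it against the constructed input reports lowuser (uidNumber 2000 is below the 10000-999999 AD range), noid (no uidNumber) and the passwd line in nsswitch.conf; tuser and Domain Users pass. On a real member server you would feed it the output of the `ldbedit`/`ldbsearch` query Rowland suggests and the host's actual smb.conf and nsswitch.conf.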

