[Samba] Member Server Setup Assistance
James
lingpanda101 at gmail.com
Fri Jan 2 10:07:44 MST 2015
Rowland,
I had a typo in my hosts file which is the reason my initial DNS
update failed. Corrected and joined again. Successfully joined and
updated DNS A record. I then made sure to give 'Domain users' an id of
10000. I am now able to run 'getent passwd' and see all my domain users!
YES! However I still see something that confuses me. When I run 'id
tuser' I get the following.
uid=2155(tuser) gid=2002(domain_users)
groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
Why is the uid 2155 and not 10001?
On 1/2/2015 12:00 PM, Rowland Penny wrote:
> On 02/01/15 16:57, James wrote:
>> Rowland,
>>
>> I've gotten a bit further. It appears my use of '.local' is
>> causing the issue from what I've researched. I ran
>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully
>> join the domain.
>>
>> Enter administrator@DOMAIN.LOCAL's password:
>> Using short domain name -- DOMAIN
>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>> On 02/01/15 13:41, James wrote:
>>>> Hi Rowland,
>>>>
>>>> If you don't mind I like to post my member server configuration
>>>> as I attempt again. This is how my member server(Ubuntu 12.04) is
>>>> configured after fresh install and prior to Samba build. Anything
>>>> I'm missing that could cause my issue as I proceed? I assume no
>>>> other prerequisites must be done on the other DC's either? Thanks.
>>>>
>>>> # From Wiki for DC build
>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev
>>>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils
>>>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>
>>>>
>>>> # Fstab file
>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>
>>>>
>>>> # Hosts File
>>>> 127.0.0.1 localhost
>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>
>>>> # The following lines are desirable for IPv6 capable hosts
>>>> ::1 ip6-localhost ip6-loopback
>>>> fe00::0 ip6-localnet
>>>> ff00::0 ip6-mcastprefix
>>>> ff02::1 ip6-allnodes
>>>> ff02::2 ip6-allrouters
>>>>
>>>>
>>>> # Hostname File
>>>> pfmember1.domain.local
>>>
>>> if you are referring to /etc/hostname, then it should just contain
>>> 'pfmember1'.
>>>
>>> Also, are you fixed on using Ubuntu 12.04? If you were to use Debian
>>> Wheezy and backports, you wouldn't have to compile samba4.
>>>
>>> Rowland
>>>
>>>>
>>>> # network/interfaces
>>>> # This file describes the network interfaces available on your system
>>>> # and how to activate them. For more information, see interfaces(5).
>>>>
>>>> # The loopback network interface
>>>> auto lo
>>>> iface lo inet loopback
>>>>
>>>> # The primary network interface
>>>> auto eth0
>>>> iface eth0 inet static
>>>> address 172.16.232.25
>>>> netmask 255.255.255.0
>>>> gateway 172.16.232.201
>>>> network 172.16.232.0
>>>> broadcast 172.16.232.255
>>>> dns-search domain.local
>>>> dns-nameservers 172.16.232.29
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>> On 01/01/15 00:07, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I forgot to tell you the results were from my Domain
>>>>>> Controller and not the member server. Member server returned
>>>>>> something to the effect of 'user not found'. I am only starting
>>>>>> the 3 services(smbd,nmbd and windbindd) listed in the wiki.
>>>>>> Should I be starting Samba with command line switches to start as
>>>>>> a member server? Is that even possible?
>>>>>
>>>>> Hi, there are two ways of running samba4, the classic or original
>>>>> way that samba3 was used, or as an AD DC. If you run samba4 in the
>>>>> classic way, you need to start the smbd & nmbd daemons and
>>>>> optionally the winbind daemon. If you use samba4 as an AD DC, then
>>>>> you only start the samba daemon; this will start any other
>>>>> required daemons. You only start the samba daemon on an AD DC.
>>>>>
>>>>> As you are trying to set up a member server, you must carry out
>>>>> the tests on the member server.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>> smb.conf as a template and try again.
>>>>>>
>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I decided to start over with a fresh install and attempted
>>>>>>>> again. Only change I made was to start my mappings at 10000. I
>>>>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001.
>>>>>>>> Still didn't work btw.
>>>>>>>>
>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>> objectClass: top
>>>>>>>> objectClass: person
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: user
>>>>>>>> cn: Test User
>>>>>>>> sn: User
>>>>>>>> givenName: Test
>>>>>>>> instanceType: 4
>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>> displayName: Test User
>>>>>>>> uSNCreated: 477557
>>>>>>>> name: Test User
>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>> userAccountControl: 66048
>>>>>>>> codePage: 0
>>>>>>>> countryCode: 0
>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>> primaryGroupID: 513
>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>> sAMAccountName: tuser
>>>>>>>> sAMAccountType: 805306368
>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>> objectCategory:
>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>> uid: tuser
>>>>>>>> msSFU30Name: tuser
>>>>>>>> msSFU30NisDomain: domain
>>>>>>>> uidNumber: 10001
>>>>>>>> loginShell: /bin/sh
>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>> gidNumber: 10000
>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>> uSNChanged: 477620
>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>> passwd: compat winbind
>>>>>>>>>> group: compat winbind
>>>>>>>>>>
>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>> users'(users:x:100).
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I set a user with a uid and domain users group with a
>>>>>>>>>>>>>> gid but I'm still unable to view them using 'id'. I do
>>>>>>>>>>>>>> notice a few strange observations. If I go to another
>>>>>>>>>>>>>> user to attempt to assign a uid, I get the default value
>>>>>>>>>>>>>> of 10000. I would expect 2001 given I set the first user
>>>>>>>>>>>>>> with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the Winbind
>>>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying
>>>>>>>>>>>>>>>> this is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD
>>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a
>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf to your
>>>>>>>>>>>>>>>>> new memberserver
>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to
>>>>>>>>>>>>>>> at least the Domain Users group. The numbers that you
>>>>>>>>>>>>>>> add must be between the range you set in your smb.conf,
>>>>>>>>>>>>>>> again if you followed the wiki, this will be between
>>>>>>>>>>>>>>> 500-40000.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>> You may have to wait a short time, or clear the cache with
>>>>>>>>>>>>> 'net cache flush'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>
>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>
>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>
>>>>>>>>> Post the (sanitized) result
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>> using the standard Windows start number 10000, which is the way I run
>>>>>>> samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = EXAMPLE
>>>>>>> security = ADS
>>>>>>> realm = EXAMPLE.COM
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> server string = Samba 4 Client %h
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind use default domain = yes
>>>>>>> winbind expand groups = 4
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind refresh tickets = Yes
>>>>>>> winbind normalize names = Yes
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>> printcap name = cups
>>>>>>> cups options = raw
>>>>>>> usershare allow guests = yes
>>>>>>> domain master = no
>>>>>>> local master = no
>>>>>>> preferred master = no
>>>>>>> os level = 20
>>>>>>> map to guest = bad user
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>>
>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>
>> --
>> -James
>
> OK, you have *now* found out one of the reasons you shouldn't use the
> .local suffix
>
> But does anything else work?
>
> Rowland
--
-James
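Added example, not part of the thread: James's last question (why `id tuser` shows uid 2155 and gid 2002 when AD holds uidNumber 10001 and gidNumber 10000) can be answered by checking which `idmap config <name> : range` in smb.conf contains the number. In Rowland's posted configuration the `*` (default) backend owns 2000-9999 and the domain's `ad` backend owns 10000-999999, so an ID in the low range was allocated by the tdb default backend rather than read from AD. The script below parses those ranges and classifies an ID; the sample smb.conf is constructed from Rowland's post, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify a numeric uid/gid against the
# "idmap config <name> : range" entries in an smb.conf, so you can tell whether
# an ID came from the domain's 'ad' backend or from the catch-all '*' backend.
# Assumes the lowercase "idmap config" spelling used in the thread.

# Write a sample smb.conf mirroring Rowland's posted idmap settings (constructed).
write_sample_conf() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : schema_mode = rfc2307
EOF
  echo "$f"
}

# Print one line per idmap domain: "<name> <low> <high> <backend>".
idmap_table() {
  awk -F'=' '
    $1 ~ /idmap config .*:[ \t]*(range|backend)[ \t]*$/ {
      name = $1; sub(/^[ \t]*idmap config[ \t]*/, "", name); sub(/[ \t]*:.*$/, "", name)
      key  = $1; sub(/^.*:[ \t]*/, "", key);                 sub(/[ \t]*$/, "", key)
      val  = $2; gsub(/[ \t]/, "", val)
      if (key == "range") { split(val, r, "-"); lo[name] = r[1]; hi[name] = r[2] }
      else                { backend[name] = val }
      seen[name] = 1
    }
    END {
      for (d in seen)
        print d, (d in lo ? lo[d] : "?"), (d in hi ? hi[d] : "?"), (d in backend ? backend[d] : "?")
    }' "$1"
}

# Print the idmap domain whose range contains $2, or "none" if no range does.
classify_id() {
  idmap_table "$1" | awk -v n="$2" '
    n+0 >= $2+0 && n+0 <= $3+0 { print $1; found = 1; exit }
    END { if (!found) print "none" }'
}

# Verdict for an ID shown by "id" or "getent" on a member server:
# $1 = smb.conf, $2 = short domain name (workgroup), $3 = numeric id.
diagnose_id() {
  owner=$(classify_id "$1" "$3")
  be=$(idmap_table "$1" | awk -v o="$owner" '$1 == o { print $4 }')
  case "$owner" in
    "$2") echo "OK: $3 lies in the '$2' range (backend $be), so it was read from AD" ;;
    none) echo "WARN: $3 is outside every idmap range; local account or unmapped ID" ;;
    *)    echo "WARN: $3 was allocated from the '$owner' range (backend $be), not '$2';" \
               "check that the 'idmap config $2' label matches the short domain name" ;;
  esac
}

CONF=$(write_sample_conf)
# 2155 and 2002 are the uid/gid from the thread's final "id tuser" output;
# 10001 is the uidNumber the poster set in AD.
for n in 2155 2002 10001; do diagnose_id "$CONF" EXAMPLE "$n"; done
rm -f "$CONF"
```

Run it against the real file with `diagnose_id /etc/samba/smb.conf DOMAIN "$(id -u tuser)"`; an ID landing in the `*` range is the signature of winbind not using the `ad` backend for that domain, which is the first thing to verify before touching uidNumber values in AD.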
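Added example, not part of the thread: the join in this thread first failed because of a typo in /etc/hosts, and Rowland points out that /etc/hostname should contain only the short name. The checks below catch both before running the join, using the posted hosts file layout (static address, FQDN, then short name). The sample file contents are constructed from the poster's configuration and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join sanity checks for the
# /etc/hostname and /etc/hosts contents a Samba member server needs.

# $1 = contents of /etc/hostname. Returns 0 only for a bare short label.
check_hostname_file() {
  case "$1" in
    "")               echo "FAIL: /etc/hostname is empty"; return 1 ;;
    *.*)              echo "FAIL: /etc/hostname holds '$1'; it should be the short name only"; return 1 ;;
    *[!A-Za-z0-9-]*)  echo "FAIL: '$1' is not a valid host label"; return 1 ;;
  esac
  echo "OK: short hostname '$1'"
}

# $1 = hosts file, $2 = static address, $3 = short name, $4 = DNS domain.
# Requires the line "<addr> <short>.<domain> <short>" and refuses a second
# address carrying the same FQDN (e.g. a leftover 127.0.1.1 line), since the
# name must resolve to the address the DNS update will register.
check_hosts_entry() {
  hosts=$1; addr=$2; short=$3; fqdn="$3.$4"
  names=$(awk -v ip="$addr" '$1 == ip { $1 = ""; print; exit }' "$hosts")
  if [ -z "$names" ]; then
    echo "FAIL: no line for $addr in $hosts"; return 1
  fi
  set -- $names
  if [ "$1" != "$fqdn" ]; then
    echo "FAIL: first name for $addr is '$1', expected '$fqdn' (typo?)"; return 1
  fi
  if [ "${2:-}" != "$short" ]; then
    echo "FAIL: '$fqdn' must be followed by the short name '$short'"; return 1
  fi
  other=$(awk -v ip="$addr" -v f="$fqdn" \
    '$1 != ip { for (i = 2; i <= NF; i++) if ($i == f) print $1 }' "$hosts")
  if [ -n "$other" ]; then
    echo "FAIL: $fqdn is also mapped to $other"; return 1
  fi
  echo "OK: $addr -> $fqdn $short"
}

# Demo on a constructed hosts file mirroring the one posted in the thread.
HOSTS=$(mktemp)
cat >"$HOSTS" <<'EOF'
127.0.0.1 localhost
172.16.232.25 pfmember1.domain.local pfmember1
::1 ip6-localhost ip6-loopback
EOF
check_hostname_file pfmember1
check_hostname_file pfmember1.domain.local || true   # the thread's first attempt
check_hosts_entry "$HOSTS" 172.16.232.25 pfmember1 domain.local
rm -f "$HOSTS"
```

On a real host call `check_hostname_file "$(cat /etc/hostname)"` and `check_hosts_entry /etc/hosts <address> <short> <domain>` before `net ads join`; a FAIL from either is cheaper to fix than debugging `ERROR_DNS_UPDATE_FAILED` after the join.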