[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Fri Jan 2 10:07:44 MST 2015


Rowland,

     I had a typo in my hosts file which is the reason my initial DNS 
update failed. Corrected and joined again. Successfully joined and 
updated DNS A record. I then made sure to give 'Domain users' an id of 
10000. I am now able to run 'getent passwd' and see all my domain users! 
YES! However I still see something that confuses me. When I run 'id 
tuser' I get the following.

uid=2155(tuser) gid=2002(domain_users) 
groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)

Why is the uid 2155 and not 10001?



On 1/2/2015 12:00 PM, Rowland Penny wrote:
> On 02/01/15 16:57, James wrote:
>> Rowland,
>>
>>     I've gotten a bit further. It appears my use of '.local' is 
>> causing the issue from what I've researched. I ran 
>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully 
>> join the domain.
>>
>> Enter administrator at DOMAIN.LOCAL's password:
>> Using short domain name -- DOMAIN
>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>> On 02/01/15 13:41, James wrote:
>>>> Hi Rowland,
>>>>
>>>>     If you don't mind, I'd like to post my member server configuration 
>>>> as I attempt again. This is how my member server (Ubuntu 12.04) is 
>>>> configured after a fresh install and prior to the Samba build. Anything 
>>>> I'm missing that could cause my issue as I proceed? I assume no 
>>>> other prerequisites must be done on the other DCs either? Thanks.
>>>>
>>>> # From Wiki for DC build
>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev 
>>>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils 
>>>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>
>>>>
>>>> # Fstab file
>>>> ext4    errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>
>>>>
>>>> # Hosts File
>>>> 127.0.0.1       localhost
>>>> 172.16.232.25   pfmember1.domain.local    pfmember1
>>>>
>>>> # The following lines are desirable for IPv6 capable hosts
>>>> ::1     ip6-localhost ip6-loopback
>>>> fe00::0 ip6-localnet
>>>> ff00::0 ip6-mcastprefix
>>>> ff02::1 ip6-allnodes
>>>> ff02::2 ip6-allrouters
>>>>
>>>>
>>>> # Hostname File
>>>> pfmember1.domain.local
>>>
>>> if you are referring to /etc/hostname, then it should just contain 
>>> 'pfmember1'.
>>>
>>> Also, are you fixed on using Ubuntu 12.04, if you were to use Debian 
>>> Wheezy and backports, you wouldn't have to compile samba4.
>>>
>>> Rowland
>>>
>>>>
>>>> #/network/interfaces
>>>> # This file describes the network interfaces available on your system
>>>> # and how to activate them. For more information, see interfaces(5).
>>>>
>>>> # The loopback network interface
>>>> auto lo
>>>> iface lo inet loopback
>>>>
>>>> # The primary network interface
>>>> auto eth0
>>>> iface eth0 inet static
>>>>         address 172.16.232.25
>>>>         netmask 255.255.255.0
>>>>         gateway 172.16.232.201
>>>>         network 172.16.232.0
>>>>         broadcast 172.16.232.255
>>>>         dns-search domain.local
>>>>         dns-nameservers 172.16.232.29
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>> On 01/01/15 00:07, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>>     I forgot to tell you the results were from my Domain 
>>>>>> Controller and not the member server. Member server returned 
>>>>>> something to the effect of 'user not found'. I am only starting 
>>>>>> the 3 services(smbd,nmbd and windbindd) listed in the wiki. 
>>>>>> Should I be starting Samba with command line switches to start as 
>>>>>> a member server? Is that even possible?
>>>>>
>>>>> Hi, there are two ways of running samba4, the classic or original 
>>>>> way that samba3 was used, or as an AD DC. If you run samba4 in the 
>>>>> classic way, you need to start the smbd & nmbd daemons and 
>>>>> optionally the winbind daemon. If you use samba4 as an AD DC, then 
>>>>> you only start the samba daemon, this will start any other 
>>>>> required daemons, you only start the samba daemon on an AD DC.
>>>>>
>>>>> As you are trying to set up a member server, you must carry out 
>>>>> the tests on the member server.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>>     Thanks for your smb.conf. I will attempt again using your 
>>>>>> smb.conf as a template and try again.
>>>>>>
>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     I decided to start over with a fresh install and attempted 
>>>>>>>> again. Only change I made was to start my mappings at 10000. I 
>>>>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. 
>>>>>>>> Still didn't work btw.
>>>>>>>>
>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>> objectClass: top
>>>>>>>> objectClass: person
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: user
>>>>>>>> cn: Test User
>>>>>>>> sn: User
>>>>>>>> givenName: Test
>>>>>>>> instanceType: 4
>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>> displayName: Test User
>>>>>>>> uSNCreated: 477557
>>>>>>>> name: Test User
>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>> userAccountControl: 66048
>>>>>>>> codePage: 0
>>>>>>>> countryCode: 0
>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>> primaryGroupID: 513
>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>> sAMAccountName: tuser
>>>>>>>> sAMAccountType: 805306368
>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>> objectCategory: 
>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>> uid: tuser
>>>>>>>> msSFU30Name: tuser
>>>>>>>> msSFU30NisDomain: domain
>>>>>>>> uidNumber: 10001
>>>>>>>> loginShell: /bin/sh
>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>> gidNumber: 10000
>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>> uSNChanged: 477620
>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>
>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     I did. Unfortunately something is still amiss. I do 
>>>>>>>>>>>> receive a response from 'getent group domain 
>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I set a user with a uid and the domain users group with a 
>>>>>>>>>>>>>> gid but I'm still unable to view them using 'id'. I do 
>>>>>>>>>>>>>> notice a few strange observations. If I go to another 
>>>>>>>>>>>>>> user to attempt to assign a uid, I get the default value 
>>>>>>>>>>>>>> of 10000. I would expect 2001 given I set the first user 
>>>>>>>>>>>>>> with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     I learned the hard way about .local. I understand 
>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I do have an issue with the member server. Following 
>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the Winbind 
>>>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only 
>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying 
>>>>>>>>>>>>>>>> this is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD 
>>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a 
>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my 
>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf to your 
>>>>>>>>>>>>>>>>> new member server
>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. 
>>>>>>>>>>>>>>>>> Sign your
>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber' 
>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to 
>>>>>>>>>>>>>>> at least the Domain Users group. The numbers that you 
>>>>>>>>>>>>>>> add must be within the range you set in your smb.conf; 
>>>>>>>>>>>>>>> again, if you followed the wiki, this will be between 
>>>>>>>>>>>>>>> 500-40000.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>> You may have to wait a short time, or clear the cache with 
>>>>>>>>>>>>> 'net cache flush'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from 
>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>
>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>
>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>
>>>>>>>>> Post the (sanitized) result
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are 
>>>>>>> using the std windows start number 10000, which is the way I run 
>>>>>>> samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>
>>>>>>> [global]
>>>>>>>         workgroup = EXAMPLE
>>>>>>>         security = ADS
>>>>>>>         realm = EXAMPLE.COM
>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>         kerberos method = secrets and keytab
>>>>>>>         server string = Samba 4 Client %h
>>>>>>>         winbind enum users = yes
>>>>>>>         winbind enum groups = yes
>>>>>>>         winbind use default domain = yes
>>>>>>>         winbind expand groups = 4
>>>>>>>         winbind nss info = rfc2307
>>>>>>>         winbind refresh tickets = Yes
>>>>>>>         winbind normalize names = Yes
>>>>>>>         idmap config * : backend = tdb
>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>         printcap name = cups
>>>>>>>         cups options = raw
>>>>>>>         usershare allow guests = yes
>>>>>>>         domain master = no
>>>>>>>         local master = no
>>>>>>>         preferred master = no
>>>>>>>         os level = 20
>>>>>>>         map to guest = bad user
>>>>>>>         vfs objects = acl_xattr
>>>>>>>         map acl inherit = Yes
>>>>>>>         store dos attributes = Yes
>>>>>>>
>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> -- 
>>>> -James
>>>
>>
>> -- 
>> -James
>
> OK, you have *now* found out one of the reasons you shouldn't use the 
> .local suffix
>
> But does anything else work?
>
> Rowland

-- 
-James
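A worked check for the question that closes this thread, added here as an example and not code from the thread's participants or from the Samba project: it reads the `idmap config <DOMAIN> : backend` and `range` lines from an smb.conf (the sample below is constructed from the config Rowland posted, domain EXAMPLE) and places each numeric id from an `id` line (constructed from the `id tuser` output above) into the range that holds it. An id that falls in the catch-all `*` range was allocated by that backend rather than read from the account's uidNumber/gidNumber in AD, which is the distinction a practitioner wants to see when the uid returned is not the one set in the directory.

```python
"""Map the uid/gid values returned by `id` onto the idmap ranges in smb.conf.

Added example (not from the Samba project or the thread's authors). Only the
plain `idmap config X : key = value` syntax is handled; nothing here talks to
winbind or the DC, so it runs offline on the constructed samples.
"""
import re
from dataclasses import dataclass

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        workgroup = EXAMPLE
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed sample: the `id tuser` output quoted at the top of the thread.
SAMPLE_ID_OUTPUT = (
    "uid=2155(tuser) gid=2002(domain_users) "
    "groups=2002(domain_users),2004(remote_desktop_users_group),"
    "2001(BUILTIN\\users)"
)

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
ID_TOKEN_RE = re.compile(r"(\d+)\(([^)]*)\)")


@dataclass
class IdmapRange:
    domain: str   # '*' is the catch-all used for any SID not matched elsewhere
    backend: str
    low: int
    high: int

    def contains(self, n: int) -> bool:
        return self.low <= n <= self.high


def parse_idmap_ranges(smb_conf: str) -> list:
    """Collect backend and numeric range for every idmap domain that has a range."""
    per_domain = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom")
        dom = dom if dom == "*" else dom.upper()
        per_domain.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    ranges = []
    for dom, cfg in per_domain.items():
        if "range" not in cfg:
            continue  # a backend without a range cannot hand out ids
        low, high = (int(x) for x in cfg["range"].split("-"))
        ranges.append(IdmapRange(dom, cfg.get("backend", "?"), low, high))
    return ranges


def parse_id_output(text: str) -> dict:
    """Parse one line of `id` output into numeric/name pairs."""
    fields = dict(part.split("=", 1) for part in text.split())

    def one(token: str):
        m = ID_TOKEN_RE.fullmatch(token.strip())
        if not m:
            raise ValueError(f"unrecognised id token: {token!r}")
        return int(m.group(1)), m.group(2)

    return {
        "uid": one(fields["uid"]),
        "gid": one(fields["gid"]),
        "groups": [one(g) for g in fields["groups"].split(",")],
    }


def classify(n: int, ranges: list) -> str:
    """Name the backend whose range holds n, or report that none does."""
    for r in ranges:
        if r.contains(n):
            return f"{r.backend} ({r.domain}: {r.low}-{r.high})"
    return "outside all ranges"


def report(smb_conf: str, id_output: str) -> dict:
    """Classify the uid, primary gid and every supplementary gid of an `id` line."""
    ranges = parse_idmap_ranges(smb_conf)
    ids = parse_id_output(id_output)
    return {
        "uid": classify(ids["uid"][0], ranges),
        "gid": classify(ids["gid"][0], ranges),
        "groups": {name: classify(n, ranges) for n, name in ids["groups"]},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SMB_CONF, SAMPLE_ID_OUTPUT).items():
        print(key, "->", value)
```

On the sample input every id, uid 2155 included, lands in the `*` tdb range (2000-9999) and none in the ad range (10000-999999) where the directory's uidNumber 10001 lives. Ids allocated from the tdb catch-all are assigned locally on first sight, so they differ from host to host and from the values stored in AD; on shared storage that shows up as file ownership that does not line up between member servers, which is why the range an id falls in is worth checking before trusting `id` output.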