[Samba] Member Server Setup Assistance
Rowland Penny
rowlandpenny at googlemail.com
Fri Jan 2 10:18:05 MST 2015
On 02/01/15 17:07, James wrote:
> Rowland,
>
> I had a typo in my hosts file which is the reason my initial DNS
> update failed. Corrected and joined again. Successfully joined and
> updated DNS A record. I then made sure to give 'Domain users' an id of
> 10000. I am now able to run 'getent passwd' and see all my domain
> users! YES! However I still see something that confuses me. When I run
> 'id tuser' I get the following.
>
> uid=2155(tuser) gid=2002(domain_users)
> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>
> Why is the uid 2155 and not 10001?
>
>
>
> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>> On 02/01/15 16:57, James wrote:
>>> Rowland,
>>>
>>> I've gotten a bit further. It appears my use of '.local' is
>>> causing the issue from what I've researched. I ran
>>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully
>>> join the domain.
>>>
>>> Enter administrator@DOMAIN.LOCAL's password:
>>> Using short domain name -- DOMAIN
>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>
>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>> On 02/01/15 13:41, James wrote:
>>>>> Hi Rowland,
>>>>>
>>>>> If you don't mind I like to post my member server
>>>>> configuration as I attempt again. This is how my member
>>>>> server(Ubuntu 12.04) is configured after fresh install and prior
>>>>> to Samba build. Anything I'm missing that could cause my issue as
>>>>> I proceed? I assume no other prerequisites must be done on the
>>>>> other DC's either? Thanks.
>>>>>
>>>>> # From Wiki for DC build
>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev
>>>>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils
>>>>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>>
>>>>>
>>>>> # Fstab file
>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>
>>>>>
>>>>> # Hosts File
>>>>> 127.0.0.1 localhost
>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>
>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>> ::1 ip6-localhost ip6-loopback
>>>>> fe00::0 ip6-localnet
>>>>> ff00::0 ip6-mcastprefix
>>>>> ff02::1 ip6-allnodes
>>>>> ff02::2 ip6-allrouters
>>>>>
>>>>>
>>>>> # Hostname File
>>>>> pfmember1.domain.local
>>>>
>>>> if you are referring to /etc/hostname, then it should just contain
>>>> 'pfmember1'.
>>>>
>>>> Also, are you fixed on using Ubuntu 12.04, if you were to use
>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>> #/network/interfaces
>>>>> # This file describes the network interfaces available on your system
>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>
>>>>> # The loopback network interface
>>>>> auto lo
>>>>> iface lo inet loopback
>>>>>
>>>>> # The primary network interface
>>>>> auto eth0
>>>>> iface eth0 inet static
>>>>> address 172.16.232.25
>>>>> netmask 255.255.255.0
>>>>> gateway 172.16.232.201
>>>>> network 172.16.232.0
>>>>> broadcast 172.16.232.255
>>>>> dns-search domain.local
>>>>> dns-nameservers 172.16.232.29
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>> Hi Rowland,
>>>>>>>
>>>>>>> I forgot to tell you the results were from my Domain
>>>>>>> Controller and not the member server. Member server returned
>>>>>>> something to the effect of 'user not found'. I am only starting
>>>>>>> the 3 services (smbd, nmbd and winbindd) listed in the wiki.
>>>>>>> Should I be starting Samba with command line switches to start
>>>>>>> as a member server? Is that even possible?
>>>>>>
>>>>>> Hi, there are two ways of running samba4, the classic or original
>>>>>> way that samba3 was used, or as an AD DC. If you run samba4 in
>>>>>> the classic way, you need to start the smbd & nmbd deamons and
>>>>>> optionally the winbind daemon. If you use samba4 as an AD DC,
>>>>>> then you only start the samba daemon, this will start any other
>>>>>> required daemons, you only start the samba daemon on an AD DC.
>>>>>>
>>>>>> As you are trying to set up a member server, you must carry out
>>>>>> the tests on the member server.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>>> smb.conf as a template and try again.
>>>>>>>
>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>> I decided to start over with a fresh install and attempted
>>>>>>>>> again. Only change I made was to start my mappings at 10000. I
>>>>>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001.
>>>>>>>>> Still didn't work btw.
>>>>>>>>>
>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>> objectClass: top
>>>>>>>>> objectClass: person
>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>> objectClass: user
>>>>>>>>> cn: Test User
>>>>>>>>> sn: User
>>>>>>>>> givenName: Test
>>>>>>>>> instanceType: 4
>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>> displayName: Test User
>>>>>>>>> uSNCreated: 477557
>>>>>>>>> name: Test User
>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>> userAccountControl: 66048
>>>>>>>>> codePage: 0
>>>>>>>>> countryCode: 0
>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>> primaryGroupID: 513
>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>> sAMAccountName: tuser
>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>> objectCategory:
>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>> uid: tuser
>>>>>>>>> msSFU30Name: tuser
>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>> uidNumber: 10001
>>>>>>>>> loginShell: /bin/sh
>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>> gidNumber: 10000
>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>> uSNChanged: 477620
>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>
>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>
>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I set a user with a uid and domain users group with
>>>>>>>>>>>>>>> a gid but I'm still unable to view them using 'id'. I do
>>>>>>>>>>>>>>> notice a few strange observations. If I go to another
>>>>>>>>>>>>>>> user to attempt to assign a uid. I get the default value
>>>>>>>>>>>>>>> of 10000. I would expect 2001 given I set the first user
>>>>>>>>>>>>>>> with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the
>>>>>>>>>>>>>>>>> Winbind user/group mapping'. Wbinfo works as expected
>>>>>>>>>>>>>>>>> but not
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying
>>>>>>>>>>>>>>>>> this is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD
>>>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a
>>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your
>>>>>>>>>>>>>>>>>> new memberserver
>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam.
>>>>>>>>>>>>>>>>>> Sign your
>>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> My key is on
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to
>>>>>>>>>>>>>>>> at least the Domain Users group. The numbers that you
>>>>>>>>>>>>>>>> add must be between the range you set in your smb.conf,
>>>>>>>>>>>>>>>> again if you followed the wiki, this will be between
>>>>>>>>>>>>>>>> 500-40000.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache
>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>
>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>
>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>
>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>>> using the std windows start number 10000, which is the way I
>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing
>>>>>>>> this on:
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = EXAMPLE
>>>>>>>> security = ADS
>>>>>>>> realm = EXAMPLE.COM
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>> server string = Samba 4 Client %h
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>> winbind use default domain = yes
>>>>>>>> winbind expand groups = 4
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind refresh tickets = Yes
>>>>>>>> winbind normalize names = Yes
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>> printcap name = cups
>>>>>>>> cups options = raw
>>>>>>>> usershare allow guests = yes
>>>>>>>> domain master = no
>>>>>>>> local master = no
>>>>>>>> preferred master = no
>>>>>>>> os level = 20
>>>>>>>> map to guest = bad user
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>>
>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> -James
>>>>
>>>
>>> --
>>> -James
>>
>> OK, you have *now* found out one of the reasons you shouldn't use the
>> .local suffix
>>
>> But does anything else work?
>>
>> Rowland
>
> --
> -James
OK, well it seems to be a step in the right direction :-)
Have you changed 'EXAMPLE' in these lines:
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
They need to be changed for your *WORKGROUP* name.
Rowland
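The uid 2155 in James's output is the tell: it lies inside the 2000-9999 range of the `idmap config *` tdb backend, so winbind never consulted the uidNumber/gidNumber attributes in AD. That matters beyond cosmetics: the tdb backend hands out ids in first-seen order on each member server, so the same domain user ends up owning files under different uids on different servers, and POSIX permissions and ACLs on shared storage stop meaning what the admin thinks they mean. The script below is an added example written for this thread, not code from the Samba project or from either poster. It parses the idmap stanzas of an smb.conf, reports when the domain stanza does not match the workgroup or when ranges overlap, and says which backend's range a given uid or gid falls in. The two smb.conf texts are constructed for the example; the workgroup name DOMAIN and the exact stanza layout are assumptions taken from the thread's configs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: Rowland's idmap stanzas copied with "EXAMPLE" left
# unchanged while the member server's workgroup is DOMAIN (an assumption
# based on the realm DOMAIN.LOCAL shown in the thread).
BROKEN_SMB_CONF = """
[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LOCAL
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : schema_mode = rfc2307
"""

# The same file after the fix Rowland asks for: the stanza carries the workgroup.
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("EXAMPLE", "DOMAIN")

# "idmap config <DOMAIN> : <key> = <value>"; the space around ':' is optional,
# as in the "EXAMPLE:schema_mode" spelling that appears in the thread.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(.+?)\s*$")


def parse_smb_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return ([global] parameters, idmap settings keyed by domain name)."""
    params: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":        # idmap settings only live in [global]
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[key] = val
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params, idmap


def parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def check_idmap(text: str) -> List[str]:
    """Return findings about the idmap layout; an empty list means consistent."""
    params, idmap = parse_smb_conf(text)
    findings: List[str] = []
    wg = params.get("workgroup", "").upper()
    if not wg:
        return ["no workgroup set in [global]"]
    if "*" not in idmap:
        findings.append("no 'idmap config *' default backend")
    if wg not in idmap:
        findings.append(f"no 'idmap config {wg}' stanza: domain users fall back "
                        f"to the default backend instead of 'ad'")
    for dom in idmap:
        if dom not in ("*", wg):
            findings.append(f"'idmap config {dom}' does not match workgroup {wg}")
    backend = idmap.get(wg, {}).get("backend", "").lower()
    if wg in idmap and backend != "ad":
        findings.append(f"'idmap config {wg}' backend is {backend!r}, expected 'ad'")
    ranges = {d: parse_range(c["range"]) for d, c in idmap.items() if "range" in c}
    doms = list(ranges)
    for i, a in enumerate(doms):            # ranges must not overlap
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    return findings


def classify_id(text: str, number: int) -> str:
    """Name the idmap domain whose range contains a uid/gid, or 'unmapped'."""
    _, idmap = parse_smb_conf(text)
    for dom, cfg in idmap.items():
        if "range" in cfg:
            lo, hi = parse_range(cfg["range"])
            if lo <= number <= hi:
                return dom
    return "unmapped"


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, check_idmap(conf) or "ok")
        print("  uid 2155 ->", classify_id(conf, 2155),
              "| uid 10001 ->", classify_id(conf, 10001))
```

Run it against the real file with `check_idmap(open("/etc/samba/smb.conf").read())`; after correcting the stanza, `net cache flush` and a winbind restart are still needed, as Rowland notes earlier in the thread, before `id tuser` will report the uidNumber stored in AD.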