[Samba] Member Server Setup Assistance
James
lingpanda101 at gmail.com
Fri Jan 2 10:26:58 MST 2015
Rowland,
I did forget to change it. Is it as simple as renaming now or did I
screw up?
On 1/2/2015 12:18 PM, Rowland Penny wrote:
> On 02/01/15 17:07, James wrote:
>> Rowland,
>>
>> I had a typo in my hosts file which is the reason my initial DNS
>> update failed. Corrected and joined again. Successfully joined and
>> updated DNS A record. I then made sure to give 'Domain users' an id of
>> 10000. I am now able to run 'getent passwd' and see all my domain
>> users! YES! However I still see something that confuses me. When I
>> run 'id tuser' I get the following.
>>
>> uid=2155(tuser) gid=2002(domain_users)
>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>
>> Why is the uid 2155 and not 10001?
>>
>>
>>
>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>> On 02/01/15 16:57, James wrote:
>>>> Rowland,
>>>>
>>>> I've gotten a bit further. It appears my use of '.local' is
>>>> causing the issue from what I've researched. I ran
>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully
>>>> join the domain.
>>>>
>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>> Using short domain name -- DOMAIN
>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>
>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>> On 02/01/15 13:41, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> If you don't mind, I'd like to post my member server
>>>>>> configuration as I attempt again. This is how my member
>>>>>> server (Ubuntu 12.04) is configured after a fresh install and prior
>>>>>> to Samba build. Anything I'm missing that could cause my issue as
>>>>>> I proceed? I assume no other prerequisites must be done on the
>>>>>> other DC's either? Thanks.
>>>>>>
>>>>>> # From Wiki for DC build
>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>> libcups2-dev acl
>>>>>>
>>>>>>
>>>>>> # Fstab file
>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>
>>>>>>
>>>>>> # Hosts File
>>>>>> 127.0.0.1 localhost
>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>
>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>> fe00::0 ip6-localnet
>>>>>> ff00::0 ip6-mcastprefix
>>>>>> ff02::1 ip6-allnodes
>>>>>> ff02::2 ip6-allrouters
>>>>>>
>>>>>>
>>>>>> # Hostname File
>>>>>> pfmember1.domain.local
>>>>>
>>>>> If you are referring to /etc/hostname, then it should just contain
>>>>> 'pfmember1'.
>>>>>
>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use
>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> # /network/interfaces
>>>>>> # This file describes the network interfaces available on your system
>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>
>>>>>> # The loopback network interface
>>>>>> auto lo
>>>>>> iface lo inet loopback
>>>>>>
>>>>>> # The primary network interface
>>>>>> auto eth0
>>>>>> iface eth0 inet static
>>>>>> address 172.16.232.25
>>>>>> netmask 255.255.255.0
>>>>>> gateway 172.16.232.201
>>>>>> network 172.16.232.0
>>>>>> broadcast 172.16.232.255
>>>>>> dns-search domain.local
>>>>>> dns-nameservers 172.16.232.29
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> I forgot to tell you the results were from my Domain
>>>>>>>> Controller and not the member server. Member server returned
>>>>>>>> something to the effect of 'user not found'. I am only starting
>>>>>>>> the 3 services (smbd, nmbd and winbindd) listed in the wiki.
>>>>>>>> Should I be starting Samba with command line switches to start
>>>>>>>> as a member server? Is that even possible?
>>>>>>>
>>>>>>> Hi, there are two ways of running samba4: the classic or
>>>>>>> original way that samba3 was used, or as an AD DC. If you run
>>>>>>> samba4 in the classic way, you need to start the smbd & nmbd
>>>>>>> daemons and optionally the winbind daemon. If you use samba4 as
>>>>>>> an AD DC, then you only start the samba daemon; this will start
>>>>>>> any other required daemons. You only start the samba daemon on
>>>>>>> an AD DC.
>>>>>>>
>>>>>>> As you are trying to set up a member server, you must carry out
>>>>>>> the tests on the member server.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>>>> smb.conf as a template and try again.
>>>>>>>>
>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I decided to start over with a fresh install and
>>>>>>>>>> attempted again. Only change I made was to start my mappings
>>>>>>>>>> at 10000. I gave 'Domain Users' group gid 10000 and 'tuser'
>>>>>>>>>> has uid 10001. Still didn't work btw.
>>>>>>>>>>
>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: person
>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>> objectClass: user
>>>>>>>>>> cn: Test User
>>>>>>>>>> sn: User
>>>>>>>>>> givenName: Test
>>>>>>>>>> instanceType: 4
>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>> displayName: Test User
>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>> name: Test User
>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>> codePage: 0
>>>>>>>>>> countryCode: 0
>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>> objectCategory:
>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>> uid: tuser
>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>> uidNumber: 10001
>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>> gidNumber: 10000
>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>
>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with
>>>>>>>>>>>>>>>> a gid but I'm still unable to view them using 'id'. I
>>>>>>>>>>>>>>>> do notice a few strange observations. If I go to
>>>>>>>>>>>>>>>> another user to attempt to assign a uid, I get the
>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I set
>>>>>>>>>>>>>>>> the first user with uid 2000. Groups however appear to
>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the
>>>>>>>>>>>>>>>>>> Winbind user/group mapping'. Wbinfo works as expected
>>>>>>>>>>>>>>>>>> but not
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by
>>>>>>>>>>>>>>>>>> saying this is an Ubuntu 12.04 server with Samba
>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD
>>>>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a
>>>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf to
>>>>>>>>>>>>>>>>>>> your new member server.
>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam.
>>>>>>>>>>>>>>>>>>> Sign your e-mail.
>>>>>>>>>>>>>>>>>>> Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute
>>>>>>>>>>>>>>>>> to at least the Domain Users group. The numbers that
>>>>>>>>>>>>>>>>> you add must be between the range you set in your
>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki, this will be
>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache
>>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>
>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>
>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>>>> using the std windows start number 10000, which is the way I
>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing
>>>>>>>>> this on:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>> security = ADS
>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>> winbind enum users = yes
>>>>>>>>> winbind enum groups = yes
>>>>>>>>> winbind use default domain = yes
>>>>>>>>> winbind expand groups = 4
>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>> winbind normalize names = Yes
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>> printcap name = cups
>>>>>>>>> cups options = raw
>>>>>>>>> usershare allow guests = yes
>>>>>>>>> domain master = no
>>>>>>>>> local master = no
>>>>>>>>> preferred master = no
>>>>>>>>> os level = 20
>>>>>>>>> map to guest = bad user
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>>
>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>> OK, you have *now* found out one of the reasons you shouldn't use
>>> the .local suffix
>>>
>>> But does anything else work?
>>>
>>> Rowland
>>
>> --
>> -James
>
> OK, well it seems to be a step in the right direction :-)
>
> Have you changed 'EXAMPLE' in these lines:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE : schema_mode = rfc2307
>
> They need to be changed for your *WORKGROUP* name.
>
> Rowland
>
>
--
-James
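As an added example (not code from this thread or from the Samba project), the following Python checker applies Rowland's closing point mechanically: it parses the idmap lines of an smb.conf, flags a domain name that does not match the workgroup (the 'EXAMPLE' placeholder left in place), flags overlapping ranges, tells you which backend's range an observed uid such as 2155 falls into, and verifies that a user's RFC2307 uidNumber/gidNumber lie inside the workgroup's 'ad' range. The smb.conf text, the LDIF snippet and all function names are constructed here from the values quoted in the thread; they are not Samba APIs.

```python
"""Check the winbind 'idmap config' lines of an smb.conf for the problems seen
in the thread: a placeholder domain left in place of the real workgroup,
overlapping ranges, and a uid (2155) allocated from the '*' tdb range instead
of being served from the AD uidNumber (10001). Added example, not Samba code."""
import re

# One 'idmap config DOMAIN : option = value' line; the colon may lack spaces.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.IGNORECASE)

# Constructed: Rowland's template with 'workgroup' changed but 'EXAMPLE' left
# in the idmap lines, the state James's member server was in.
BROKEN_CONF = """\
[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LOCAL
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE:schema_mode = rfc2307
"""
FIXED_CONF = BROKEN_CONF.replace("EXAMPLE", "DOMAIN")

# Constructed: the RFC2307 attributes from the ldbedit output in the thread.
TUSER_LDIF = "sAMAccountName: tuser\nuidNumber: 10001\ngidNumber: 10000\n"


def parse_smb_conf(text):
    """Return (workgroup, {idmap_domain: {option: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("["):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[opt] = val
        else:
            key, sep, val = line.partition("=")
            if sep and key.strip().lower() == "workgroup":
                workgroup = val.strip().upper()
    return workgroup, idmap


def parse_range(value):
    lo, hi = value.split("-")          # '2000-9999' -> (2000, 9999)
    return int(lo), int(hi)


def check_idmap(workgroup, idmap):
    """Return a list of problems; an empty list means the idmap lines look sane."""
    problems = []
    if "*" not in idmap:
        problems.append("missing 'idmap config * : ...' default backend")
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup} : ...' lines; domain users "
                        "get ids allocated from the '*' range instead of from AD")
    for dom, opts in idmap.items():
        if dom not in ("*", workgroup):
            problems.append(f"idmap domain '{dom}' does not match workgroup "
                            f"'{workgroup}' (template placeholder left in?)")
        if "range" not in opts:
            problems.append(f"idmap config {dom} has no range")
    ranges = [(d, parse_range(o["range"])) for d, o in idmap.items() if "range" in o]
    for i, (d1, (a1, b1)) in enumerate(ranges):
        for d2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:      # the two intervals intersect
                problems.append(f"ranges of '{d1}' and '{d2}' overlap")
    return problems


def source_of_id(idmap, unix_id):
    """Return (idmap_domain, backend) whose range contains unix_id, else None."""
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= unix_id <= hi:
                return dom, opts.get("backend", "?")
    return None


def rfc2307_ids_usable(ldif, idmap, workgroup):
    """True if the user's uidNumber/gidNumber lie inside the workgroup's 'ad' range."""
    opts = idmap.get(workgroup, {})
    if opts.get("backend", "").lower() != "ad" or "range" not in opts:
        return False
    lo, hi = parse_range(opts["range"])
    ids = [int(v) for _, v in re.findall(r"^(uidNumber|gidNumber):\s*(\d+)", ldif, re.M)]
    return bool(ids) and all(lo <= i <= hi for i in ids)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        wg, idmap = parse_smb_conf(conf)
        print(label, check_idmap(wg, idmap))
        print("  uid 2155 from:", source_of_id(idmap, 2155),
              " uid 10001 from:", source_of_id(idmap, 10001),
              " tuser rfc2307 ids usable:", rfc2307_ids_usable(TUSER_LDIF, idmap, wg))
```

With the broken configuration the checker reports that DOMAIN has no idmap lines and that 'EXAMPLE' matches nothing, and places uid 2155 in the '*' tdb range (2000-9999), which is exactly why `id tuser` did not show the uidNumber 10001 stored in AD. Once 'EXAMPLE' is replaced by the workgroup, the problem list is empty and 10001 is served by the 'ad' backend; 2155-style ids then remain only for SIDs outside the domain, such as BUILTIN groups.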