[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 2 10:38:11 MST 2015


On 02/01/15 17:26, James wrote:
> Rowland,
>
>     I did forget to change it. Is it as simple as renaming now or did 
> I screw up?
>
> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>> On 02/01/15 17:07, James wrote:
>>> Rowland,
>>>
>>>     I had a typo in my hosts file which is the reason my initial DNS 
>>> update failed. Corrected and joined again. Successfully joined and 
>>> updated DNS A record. I then made sure to give 'Domain users' an id 
>>> of 10000. I am now able to run 'getent passwd' and see all my domain 
>>> users! YES! However I still see something that confuses me. When I 
>>> run 'id tuser' I get the following.
>>>
>>> uid=2155(tuser) gid=2002(domain_users) 
>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>
>>> Why is the uid 2155 and not 10001?
>>>
>>>
>>>
>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>> On 02/01/15 16:57, James wrote:
>>>>> Rowland,
>>>>>
>>>>>     I've gotten a bit further. It appears my use of '.local' is 
>>>>> causing the issue from what I've researched. I ran 
>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully 
>>>>> join the domain.
>>>>>
>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>> Using short domain name -- DOMAIN
>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>
>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>> Hi Rowland,
>>>>>>>
>>>>>>>     If you don't mind, I'd like to post my member server 
>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>> server (Ubuntu 12.04) is configured after a fresh install and prior 
>>>>>>> to the Samba build. Anything I'm missing that could cause my issue 
>>>>>>> as I proceed? I assume no other prerequisites must be done on 
>>>>>>> the other DCs either? Thanks.
>>>>>>>
>>>>>>> # From Wiki for DC build
>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev 
>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev 
>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl 
>>>>>>> libcups2-dev acl
>>>>>>>
>>>>>>>
>>>>>>> # Fstab file
>>>>>>> ext4    errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>
>>>>>>>
>>>>>>> # Hosts File
>>>>>>> 127.0.0.1       localhost
>>>>>>> 172.16.232.25   pfmember1.domain.local    pfmember1
>>>>>>>
>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>> fe00::0 ip6-localnet
>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>> ff02::1 ip6-allnodes
>>>>>>> ff02::2 ip6-allrouters
>>>>>>>
>>>>>>>
>>>>>>> # Hostname File
>>>>>>> pfmember1.domain.local
>>>>>>
>>>>>> if you are referring to /etc/hostname, then it should just 
>>>>>> contain 'pfmember1'.
>>>>>>
>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use 
>>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> # /network/interfaces
>>>>>>> # This file describes the network interfaces available on your 
>>>>>>> system
>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>
>>>>>>> # The loopback network interface
>>>>>>> auto lo
>>>>>>> iface lo inet loopback
>>>>>>>
>>>>>>> # The primary network interface
>>>>>>> auto eth0
>>>>>>> iface eth0 inet static
>>>>>>>         address 172.16.232.25
>>>>>>>         netmask 255.255.255.0
>>>>>>>         gateway 172.16.232.201
>>>>>>>         network 172.16.232.0
>>>>>>>         broadcast 172.16.232.255
>>>>>>>         dns-search domain.local
>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>> Hi Rowland,
>>>>>>>>>
>>>>>>>>>     I forgot to tell you the results were from my Domain 
>>>>>>>>> Controller and not the member server. Member server returned 
>>>>>>>>> something to the effect of 'user not found'. I am only 
>>>>>>>>> starting the 3 services(smbd,nmbd and windbindd) listed in the 
>>>>>>>>> wiki. Should I be starting Samba with command line switches to 
>>>>>>>>> start as a member server? Is that even possible?
>>>>>>>>
>>>>>>>> Hi, there are two ways of running samba4: the classic or 
>>>>>>>> original way that samba3 was used, or as an AD DC. If you run 
>>>>>>>> samba4 in the classic way, you need to start the smbd & nmbd 
>>>>>>>> daemons and optionally the winbind daemon. If you use samba4 as 
>>>>>>>> an AD DC, then you only start the samba daemon; this will start 
>>>>>>>> any other required daemons. You only start the samba daemon on 
>>>>>>>> an AD DC.
>>>>>>>>
>>>>>>>> As you are trying to set up a member server, you must carry out 
>>>>>>>> the tests on the member server.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>>
>>>>>>>>>     Thanks for you smb.conf. I will attempt again using your 
>>>>>>>>> smb.conf as a template and try again.
>>>>>>>>>
>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>> Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     I decided to start over with a fresh install and 
>>>>>>>>>>> attempted again. Only change I made was to start my mappings 
>>>>>>>>>>> at 10000. I gave 'Domain Users' group gid 10000 and 'tuser' 
>>>>>>>>>>> has uid 10001. Still didn't work btw.
>>>>>>>>>>>
>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>> objectClass: top
>>>>>>>>>>> objectClass: person
>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>> objectClass: user
>>>>>>>>>>> cn: Test User
>>>>>>>>>>> sn: User
>>>>>>>>>>> givenName: Test
>>>>>>>>>>> instanceType: 4
>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>> displayName: Test User
>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>> name: Test User
>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>> codePage: 0
>>>>>>>>>>> countryCode: 0
>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>> objectCategory: 
>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>> uid: tuser
>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>>>>
>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     I did. Unfortunately something is still amiss. I do 
>>>>>>>>>>>>>>> receive a response from 'getent group domain 
>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users group 
>>>>>>>>>>>>>>>>> with a gid but I'm still unable to view them using 
>>>>>>>>>>>>>>>>> 'id'. I do notice a few strange observations. If I go 
>>>>>>>>>>>>>>>>> to another user to attempt to assign a uid. I get the 
>>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I 
>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups however 
>>>>>>>>>>>>>>>>> appear to increment.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following 
>>>>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the 
>>>>>>>>>>>>>>>>>>> Winbind user/group mapping'. Wbinfo works as 
>>>>>>>>>>>>>>>>>>> expected but not
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will 
>>>>>>>>>>>>>>>>>>> only retrieve local machine users. Let me preface by 
>>>>>>>>>>>>>>>>>>> saying this is an Ubuntu 12.04 server with Samba 
>>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD 
>>>>>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a 
>>>>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my 
>>>>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf to 
>>>>>>>>>>>>>>>>>>>> your new member server.
>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>> e-mail. Further information at 
>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' 
>>>>>>>>>>>>>>>>>> backend. For this to work, you need to add 
>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a 
>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain Users 
>>>>>>>>>>>>>>>>>> group. The numbers that you add must be within the 
>>>>>>>>>>>>>>>>>> range you set in your smb.conf; again, if you followed 
>>>>>>>>>>>>>>>>>> the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache 
>>>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from 
>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>
>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>
>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are 
>>>>>>>>>> using the std windows start number 10000, which is the way I 
>>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing 
>>>>>>>>>> this on:
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>         security = ADS
>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>         printcap name = cups
>>>>>>>>>>         cups options = raw
>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>         domain master = no
>>>>>>>>>>         local master = no
>>>>>>>>>>         preferred master = no
>>>>>>>>>>         os level = 20
>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>
>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> -James
>>>>>>
>>>>>
>>>>> -- 
>>>>> -James
>>>>
>>>> OK, you have *now* found out one of the reasons you shouldn't use 
>>>> the .local suffix
>>>>
>>>> But does anything else work?
>>>>
>>>> Rowland
>>>
>>> -- 
>>> -James
>>
>> OK, well it seems to be a step in the right direction :-)
>>
>> Have you changed 'EXAMPLE' in these lines:
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 2000-9999
>>         idmap config EXAMPLE : backend  = ad
>>         idmap config EXAMPLE : range = 10000-999999
>>         idmap config EXAMPLE:schema_mode = rfc2307
>>
>> They need to be changed for your *WORKGROUP* name.
>>
>> Rowland
>>
>>
>
> -- 
> -James

Just change it, stop samba and winbind, run 'net cache flush' and 
restart samba & winbind.

Rowland
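The mismatch Rowland points out (idmap lines still naming 'EXAMPLE' while the workgroup is DOMAIN, so lookups fall back to the '*' tdb range, which is where a uid like 2155 lands) as an added check. This is example code written for this page, not code from the thread or from Samba; the smb.conf text inside it is constructed to mirror the situation James describes.

```python
import re

# Constructed sample (an assumption, not James's real file): Rowland's template
# with the workgroup changed but the 'EXAMPLE' idmap lines left untouched.
SAMPLE_SMB_CONF = """[global]
        workgroup = DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_global(text):
    """Return (workgroup, {idmap domain: {option: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]  # strip comments
        im, wm = IDMAP_RE.match(line), WORKGROUP_RE.match(line)
        if im:
            dom, opt, val = im.group(1).upper(), im.group(2).lower(), im.group(3)
            idmap.setdefault(dom, {})[opt] = val
        elif wm:
            workgroup = wm.group(1).upper()
    return workgroup, idmap

def check_idmap(text):
    """List idmap blocks whose name is neither '*' nor the workgroup, and a missing one."""
    workgroup, idmap = parse_global(text)
    problems = []
    if workgroup not in idmap:
        problems.append("no 'idmap config %s : ...' block; its users get ids from "
                        "the '*' backend instead of their AD uidNumber" % workgroup)
    for dom in idmap:
        if dom not in ("*", workgroup):
            problems.append("idmap block '%s' does not match workgroup %s" % (dom, workgroup))
    return problems

def range_of_uid(text, uid):
    """Return (idmap domain, backend) whose configured range contains uid, else None."""
    _, idmap = parse_global(text)
    for dom, opts in idmap.items():
        lo, hi = (int(x) for x in opts.get("range", "0-0").split("-"))
        if lo <= uid <= hi:
            return dom, opts.get("backend", "?")
    return None
```

Replacing 'EXAMPLE' with the real workgroup name makes check_idmap return an empty list, and a uid such as 10001 then resolves to the 'ad' block, i.e. it is read from the user's uidNumber rather than allocated by tdb.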


