[Samba] Member Server Setup Assistance
Rowland Penny
rowlandpenny at googlemail.com
Fri Jan 2 11:47:58 MST 2015
On 02/01/15 18:35, James wrote:
> Rowland,
>
> Thanks for the clarification. It appears the member server is
> joined and I have created a share.
>
> [demoshare]
> path = /srv/samba/test
> read only = no
>
>
> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the
> wiki. I can navigate to the share using Windows Explorer. If I set the
> share permissions to only me (Full Control), I can't access the share.
> The 'Everyone' and 'Domain Users' group allows me access. On my DC's
> this has worked in the past. Am I missing something? This is the error
> I receive.
>
> \\pfmember1\demoshare is not accessible. You might not have permission
> to use this network resource. Contact the administrator of this server
> to find out if you have access permissions.
>
> Multiple connections to a server or shared resource by the same user,
> using more than one user name, are not allowed. Disconnect all
> previous connections to the server or shared resource and try again.
You seem to have a connection to the share already open, close this and
try again.
If this fails, post the results of:
ls -la /srv/samba/test
and
getfacl /srv/samba/test
Rowland
>
> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>> On 02/01/15 18:01, James wrote:
>>> Rowland,
>>>
>>> That did it! Thank you so much. I do have a question regarding
>>> the 'getent' command before setting up file shares. When I run
>>> 'getent group Domain\ Users' I get
>>>
>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>
>>> Why does it show these specific users? I would assume it would only
>>> show my 'tuser'. I don't have uid's set for anyone else.
>>
>> When you run 'getent group Domain\ Users' it gets the group's
>> gidNumber (10000 in your case) and the contents of any 'member'
>> attributes, so I presume if you examine the group's AD object, you
>> would find 8 'member' attribute lines.
>>
>> But if you were to run 'getent passwd user5', you would only get a
>> response if 'user5' has a 'uidNumber'.
>>
>> Rowland
>>
>>>
>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>> On 02/01/15 17:26, James wrote:
>>>>> Rowland,
>>>>>
>>>>> I did forget to change it. Is it as simple as renaming now or
>>>>> did I screw up?
>>>>>
>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>> I had a typo in my hosts file which is the reason my initial
>>>>>>> DNS update failed. Corrected and joined again. Successfully
>>>>>>> joined and updated DNS A record. I then made sure to give
>>>>>>> 'Domain users' an id of 10000. I am now able to run 'getent
>>>>>>> passwd' and see all my domain users! YES! However I still see
>>>>>>> something that confuses me. When I run 'id tuser' I get the
>>>>>>> following.
>>>>>>>
>>>>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>
>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>> I've gotten a bit further. It appears my use of '.local'
>>>>>>>>> is causing the issue from what I've researched. I ran
>>>>>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to
>>>>>>>>> successfully join the domain.
>>>>>>>>>
>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>
>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>
>>>>>>>>>>> If you don't mind I'd like to post my member server
>>>>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>>>>> server(Ubuntu 12.04) is configured after fresh install and
>>>>>>>>>>> prior to Samba build. Anything I'm missing that could cause
>>>>>>>>>>> my issue as I proceed? I assume no other prerequisites must
>>>>>>>>>>> be done on the other DC's either? Thanks.
>>>>>>>>>>>
>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>>>>>>> libcups2-dev acl
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # Fstab file
>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # Hosts File
>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>
>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # Hostname File
>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>
>>>>>>>>>> if you are referring to /etc/hostname, then it should just
>>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>>
>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you were to use
>>>>>>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>> # This file describes the network interfaces available on
>>>>>>>>>>> your system
>>>>>>>>>>> # and how to activate them. For more information, see
>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>
>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>> auto lo
>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>
>>>>>>>>>>> # The primary network interface
>>>>>>>>>>> auto eth0
>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I forgot to tell you the results were from my Domain
>>>>>>>>>>>>> Controller and not the member server. Member server
>>>>>>>>>>>>> returned something to the effect of 'user not found'. I am
>>>>>>>>>>>>> only starting the 3 services(smbd,nmbd and winbindd)
>>>>>>>>>>>>> listed in the wiki. Should I be starting Samba with
>>>>>>>>>>>>> command line switches to start as a member server? Is that
>>>>>>>>>>>>> even possible?
>>>>>>>>>>>>
>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or
>>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If you
>>>>>>>>>>>> run samba4 in the classic way, you need to start the smbd &
>>>>>>>>>>>> nmbd daemons and optionally the winbind daemon. If you use
>>>>>>>>>>>> samba4 as an AD DC, then you only start the samba daemon,
>>>>>>>>>>>> this will start any other required daemons, you only start
>>>>>>>>>>>> the samba daemon on an AD DC.
>>>>>>>>>>>>
>>>>>>>>>>>> As you are trying to set up a member server, you must carry
>>>>>>>>>>>> out the tests on the member server.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again using
>>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I decided to start over with a fresh install and
>>>>>>>>>>>>>>> attempted again. Only change I made was to start my
>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 10000
>>>>>>>>>>>>>>> and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>> objectCategory:
>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I
>>>>>>>>>>>>>>>>>>> do receive a response from 'getent group domain
>>>>>>>>>>>>>>>>>>> users'(users:x:100).
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group
>>>>>>>>>>>>>>>>>>>>> with a gid but I'm still unable to view them using
>>>>>>>>>>>>>>>>>>>>> 'id'. I do notice a few strange observations. If I
>>>>>>>>>>>>>>>>>>>>> go to another user to attempt to assign a uid. I
>>>>>>>>>>>>>>>>>>>>> get the default value of 10000. I would expect
>>>>>>>>>>>>>>>>>>>>> 2001 given I set the first user with uid 2000.
>>>>>>>>>>>>>>>>>>>>> Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at
>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. Wbinfo
>>>>>>>>>>>>>>>>>>>>>>> works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will
>>>>>>>>>>>>>>>>>>>>>>> only retrieve local machine users. Let me
>>>>>>>>>>>>>>>>>>>>>>> preface by saying this is a Ubuntu 12.04 server
>>>>>>>>>>>>>>>>>>>>>>> with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a
>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set
>>>>>>>>>>>>>>>>>>>>>>>>> up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for
>>>>>>>>>>>>>>>>>>>>>>>> my member server to
>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf
>>>>>>>>>>>>>>>>>>>>>>>> to your new memberserver
>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce
>>>>>>>>>>>>>>>>>>>>>>>> spam. Sign your
>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at
>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the
>>>>>>>>>>>>>>>>>>>>>> 'ad' backend. For this to work, you need to add
>>>>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a
>>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain
>>>>>>>>>>>>>>>>>>>>>> Users group. The numbers that you add must be
>>>>>>>>>>>>>>>>>>>>>> between the range you set in your smb.conf, again
>>>>>>>>>>>>>>>>>>>>>> if you followed the wiki, this will be between
>>>>>>>>>>>>>>>>>>>>>> 500-40000.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the
>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you
>>>>>>>>>>>>>> are using the std windows start number 10000, which is
>>>>>>>>>>>>>> the way I run samba. Here is my smb.conf from the laptop
>>>>>>>>>>>>>> I am writing this on:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> -James
>>>>>>>>
>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't
>>>>>>>> use the .local suffix
>>>>>>>>
>>>>>>>> But does anything else work?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> --
>>>>>>> -James
>>>>>>
>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>
>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 2000-9999
>>>>>> idmap config EXAMPLE : backend = ad
>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>
>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> -James
>>>>
>>>> Just change it, stop samba and winbind, run 'net cache flush' and
>>>> restart samba & winbind.
>>>>
>>>> Rowland
>>>>
>>>
>>> --
>>> -James
>>
>
> --
> -James
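The thread's uid=2155 result (instead of the AD uidNumber 10001) appeared while the `idmap config EXAMPLE` lines still named EXAMPLE rather than the workgroup. The following check is an added example, not code from the thread or from Samba: it parses the `[global]` idmap lines and reports that mismatch, a uidNumber outside the `ad` range, and overlapping ranges. The function names and the sample file are constructed for illustration; the workgroup DOMAIN is taken from the join output quoted above.

```python
import re

# Constructed sample based on the smb.conf in the thread: workgroup is DOMAIN,
# but the idmap lines still name EXAMPLE (the state James said he forgot to fix).
SAMPLE_CONF = """\
[global]
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE:schema_mode = rfc2307
"""

IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, idmap, section = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP_KEY.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            elif key.lower() == "workgroup":
                workgroup = value.upper()
    return workgroup, idmap

def check_idmap(text, uid_number):
    """List idmap problems of the kind hit in the thread for one AD uidNumber."""
    workgroup, idmap = parse_global(text)
    problems = []
    ranges = {dom: tuple(int(n) for n in opts["range"].split("-"))
              for dom, opts in idmap.items() if "range" in opts}
    for dom in idmap:
        if dom not in ("*", workgroup):
            problems.append(f"idmap config {dom} does not match workgroup {workgroup}")
    if idmap.get(workgroup, {}).get("backend", "").lower() != "ad":
        problems.append(f"no 'ad' backend configured for {workgroup}")
    elif workgroup in ranges:
        low, high = ranges[workgroup]
        if not low <= uid_number <= high:
            problems.append(f"uidNumber {uid_number} is outside {low}-{high}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```

`check_idmap(SAMPLE_CONF, 10001)` reports the EXAMPLE/DOMAIN mismatch; with the idmap lines renamed to DOMAIN it returns an empty list.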