[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Fri Jan 2 11:59:14 MST 2015


Rowland,

     That was the issue. Windows computer management console showed 0 
connections. That obviously wasn't correct. A reboot corrected the 
issue. ACLs are working as expected. I probably should have run a 'netstat' 
to verify.

     Any best practices on who should or shouldn't have uids or gids 
set in AD? I've read where the Administrator account should not have one 
set.

On 1/2/2015 1:47 PM, Rowland Penny wrote:
> On 02/01/15 18:35, James wrote:
>> Rowland,
>>
>>     Thanks for the clarification. It appears the member server is 
>> joined and I have created a share.
>>
>> [demoshare]
>>     path = /srv/samba/test
>>     read only = no
>>
>>
>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per 
>> the wiki. I can navigate to the share using Windows Explorer. If I 
>> set the share permissions to only me (Full Control), I can't access 
>> the share. The 'Everyone' and 'Domain Users' group allows me access. 
>> On my DCs this has worked in the past. Am I missing something? This 
>> is the error I receive.
>>
>> \\pfmember1\demoshare is not accessible. You might not have 
>> permission to use this network resource. Contact the administrator of 
>> this server to find out if you have access permissions.
>>
>> Multiple connections to a server or shared resource by the same user, 
>> using more than one user name, are not allowed. Disconnect all 
>> previous connections to the server or shared resource and try again.
>
> You seem to have a connection to the share already open, close this 
> and try again.
> If this fails, post the results of:
>
> ls -la /srv/samba/test
>
> and
>
> getfacl /srv/samba/test
>
> Rowland
>
>>
>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>> On 02/01/15 18:01, James wrote:
>>>> Rowland,
>>>>
>>>>     That did it! Thank you so much. I do have a question regarding 
>>>> the 'getent' command before setting up file shares. When I run 
>>>> 'getent group Domain\ Users' I get
>>>>
>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>
>>>> Why does it show these specific users? I would assume it would only 
>>>> show my 'tuser'. I don't have uids set for anyone else.
>>>
>>> When you run 'getent group Domain\ Users' it gets the group's 
>>> gidNumber (10000 in your case) and the contents of any 'member' 
>>> attributes, so I presume if you examine the group's AD object, you 
>>> would find 8 'member' attribute lines.
>>>
>>> But if you were to run 'getent passwd user5', you would only get a 
>>> response if 'user5' has a 'uidNumber'.
>>>
>>> Rowland
>>>
>>>>
>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>> On 02/01/15 17:26, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     I did forget to change it. Is it as simple as renaming now or 
>>>>>> did I screw up?
>>>>>>
>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     I had a typo in my hosts file which is the reason my 
>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>> Successfully joined and updated DNS A record. I then made sure 
>>>>>>>> to give 'Domain users' an id of 10000. I am now able to run 
>>>>>>>> 'getent passwd' and see all my domain users! YES! However I 
>>>>>>>> still see something that confuses me. When I run 'id tuser' I 
>>>>>>>> get the following.
>>>>>>>>
>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>
>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>
>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>>     I've gotten a bit further. It appears my use of '.local' 
>>>>>>>>>> is causing the issue from what I've researched. I ran 
>>>>>>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to 
>>>>>>>>>> successfully join the domain.
>>>>>>>>>>
>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     If you don't mind, I'd like to post my member server 
>>>>>>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install and 
>>>>>>>>>>>> prior to Samba build. Anything I'm missing that could cause 
>>>>>>>>>>>> my issue as I proceed? I assume no other prerequisites must 
>>>>>>>>>>>> be done on the other DCs either? Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev 
>>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl 
>>>>>>>>>>>> libcups2-dev acl
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>> 172.16.232.25   pfmember1.domain.local pfmember1
>>>>>>>>>>>>
>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>
>>>>>>>>>>> If you are referring to /etc/hostname, then it should just 
>>>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>>>
>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to 
>>>>>>>>>>> use Debian Wheezy and backports, you wouldn't have to 
>>>>>>>>>>> compile samba4.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>> # This file describes the network interfaces available on 
>>>>>>>>>>>> your system
>>>>>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>
>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>> auto lo
>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>
>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>> auto eth0
>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I forgot to tell you the results were from my Domain 
>>>>>>>>>>>>>> Controller and not the member server. Member server 
>>>>>>>>>>>>>> returned something to the effect of 'user not found'. I 
>>>>>>>>>>>>>> am only starting the 3 services (smbd, nmbd and winbindd) 
>>>>>>>>>>>>>> listed in the wiki. Should I be starting Samba with 
>>>>>>>>>>>>>> command line switches to start as a member server? Is 
>>>>>>>>>>>>>> that even possible?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi, there are two ways of running samba4: the classic or 
>>>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If you 
>>>>>>>>>>>>> run samba4 in the classic way, you need to start the smbd 
>>>>>>>>>>>>> & nmbd daemons and optionally the winbind daemon. If you 
>>>>>>>>>>>>> use samba4 as an AD DC, then you only start the samba 
>>>>>>>>>>>>> daemon; this will start any other required daemons. You 
>>>>>>>>>>>>> only start the samba daemon on an AD DC.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As you are trying to set up a member server, you must 
>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again using 
>>>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     I decided to start over with a fresh install and 
>>>>>>>>>>>>>>>> attempted again. Only change I made was to start my 
>>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 
>>>>>>>>>>>>>>>> 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still amiss. 
>>>>>>>>>>>>>>>>>>>> I do receive a response from 'getent group domain 
>>>>>>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users 
>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view 
>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange 
>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to attempt 
>>>>>>>>>>>>>>>>>>>>>> to assign a uid, I get the default value of 
>>>>>>>>>>>>>>>>>>>>>> 10000. I would expect 2001 given I set the first 
>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear to 
>>>>>>>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at 
>>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. 
>>>>>>>>>>>>>>>>>>>>>>>> Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It 
>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let me 
>>>>>>>>>>>>>>>>>>>>>>>> preface by saying this is an Ubuntu 12.04 server 
>>>>>>>>>>>>>>>>>>>>>>>> with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a 
>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set 
>>>>>>>>>>>>>>>>>>>>>>>>>> up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for 
>>>>>>>>>>>>>>>>>>>>>>>>>> my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf 
>>>>>>>>>>>>>>>>>>>>>>>>> to your new member server.
>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. Further information at 
>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 
>>>>>>>>>>>>>>>>>>>>>>> 'ad' backend. For this to work, you need to add 
>>>>>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a 
>>>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain 
>>>>>>>>>>>>>>>>>>>>>>> Users group. The numbers that you add must be 
>>>>>>>>>>>>>>>>>>>>>>> within the range you set in your smb.conf; 
>>>>>>>>>>>>>>>>>>>>>>> again, if you followed the wiki, this will be 
>>>>>>>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the 
>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from 
>>>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain 
>>>>>>>>>>>>>>>>>>> user>'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you 
>>>>>>>>>>>>>>> are using the std windows start number 10000, which is 
>>>>>>>>>>>>>>> the way I run samba. Here is my smb.conf from the laptop 
>>>>>>>>>>>>>>> I am writing this on:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't 
>>>>>>>>> use the .local suffix.
>>>>>>>>>
>>>>>>>>> But does anything else work?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>
>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>
>>>>>>>         idmap config * : backend = tdb
>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>
>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> Just change it, stop samba and winbind, run 'net cache flush' and 
>>>>> restart samba & winbind.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
>

-- 
-James
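The recurring fault in this thread is that the 'idmap config EXAMPLE' lines from Rowland's smb.conf were not renamed to the real workgroup, so winbind served DOMAIN users from the '*' tdb range (hence uid 2155 instead of the AD uidNumber 10001). As an added example that is not part of the thread or of Samba itself, the Python below parses the idmap lines of an smb.conf, reports which entry will be used for the workgroup, and flags the mismatch before anyone has to debug it with 'id'; the smb.conf text is constructed, and parse_idmap, backend_for, explain_id and check are hypothetical helper names.

```python
"""Sanity-check the idmap section of a Samba member server's smb.conf.

Winbind maps IDs for the joined domain from 'idmap config <WORKGROUP>' and
falls back to 'idmap config *' when no such entry exists, so an unrenamed
'EXAMPLE' block leaves DOMAIN users allocated from the '*' tdb range.
"""
import re
from typing import Dict, List, Tuple

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I | re.M)
# Constructed smb.conf fragment modelled on the thread, not the poster's file.
BROKEN = """[global]
        workgroup = DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
"""
FIXED = BROKEN.replace("EXAMPLE", "DOMAIN")  # the rename Rowland asked for

def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
    return cfg

def id_range(entry: Dict[str, str]) -> Tuple[int, int]:
    lo, hi = entry["range"].split("-")
    return int(lo), int(hi)

def backend_for(cfg: Dict[str, Dict[str, str]], workgroup: str) -> Tuple[str, str, Tuple[int, int]]:
    """Entry winbind uses for 'workgroup': its own if present, else '*'."""
    dom = workgroup.upper() if workgroup.upper() in cfg else "*"
    return dom, cfg[dom].get("backend", "tdb"), id_range(cfg[dom])

def explain_id(cfg: Dict[str, Dict[str, str]], num: int) -> str:
    """Name the idmap entry whose range contains an observed uid or gid."""
    for dom, entry in cfg.items():
        lo, hi = id_range(entry)
        if lo <= num <= hi:
            return f"{dom} ({entry.get('backend', 'tdb')})"
    return "no idmap range"

def check(smb_conf: str) -> List[str]:
    """Findings about the idmap section; an empty list means it is coherent."""
    wg = WORKGROUP_RE.search(smb_conf)[1].upper()
    cfg = parse_idmap(smb_conf)
    findings = [f"idmap config {d} does not match workgroup {wg}"
                for d in cfg if d not in ("*", wg)]
    if wg not in cfg:
        findings.append(f"{wg} has no idmap entry and falls back to '*': AD "
                        "uidNumber/gidNumber values are ignored")
    return findings
```

Run check() against the real smb.conf after every edit to the [global] section; a non-empty list means AD uidNumber/gidNumber values will be silently ignored in favour of locally allocated tdb ids.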
