[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 2 12:08:34 MST 2015


On 02/01/15 18:59, James wrote:
> Rowland,
>
>     That was the issue. Windows computer management console showed 0 
> connections. That obviously wasn't correct. A reboot corrected the 
> issue. ACL's working as expected. I probably should have run a 
> 'netstat' to verify.
>
>     Any best practices on who should or shouldn't have uid's or gid's 
> set in AD? I've read where the Administrator account should not have 
> one set.

Cannot say that I know of any best practices, but I only give Domain 
Admins and Domain Users a gidNumber and Administrator should already be 
mapped to root (that is if you changed 'Example' in /etc/samba/smbmap).

Rowland
>
> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>> On 02/01/15 18:35, James wrote:
>>> Rowland,
>>>
>>>     Thanks for the clarification. It appears the member server is 
>>> joined and I have created a share.
>>>
>>> [demoshare]
>>>     path = /srv/samba/test
>>>     read only = no
>>>
>>>
>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per 
>>> the wiki. I can navigate to the share using Windows Explorer. If I 
>>> set the share permissions to only me (Full Control), I can't access 
>>> the share. The 'Everyone' and 'Domain Users' group allows me access. 
>>> On my DC's this has worked in the past. Am I missing something? This 
>>> is the error I receive.
>>>
>>> \\pfmember1\demoshare is not accessible. You might not have 
>>> permission to use this network resource. Contact the administrator 
>>> of this server to find out if you have access permissions.
>>>
>>> Multiple connections to a server or shared resource by the same 
>>> user, using more than one user name, are not allowed. Disconnect all 
>>> previous connections to the server or shared resource and try again.
>>
>> You seem to have a connection to the share already open, close this 
>> and try again.
>> If this fails, post the results of:
>>
>> ls -la /srv/samba/test
>>
>> and
>>
>> getfacl /srv/samba/test
>>
>> Rowland
>>
>>>
>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>> On 02/01/15 18:01, James wrote:
>>>>> Rowland,
>>>>>
>>>>>     That did it! Thank you so much. I do have a question regarding 
>>>>> the 'getent' command before setting up file shares. When I run 
>>>>> 'getent group Domain\ Users' I get
>>>>>
>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>
>>>>> Why does it show these specific users? I would assume it would 
>>>>> only show my 'tuser'. I don't have uid's set for anyone else.
>>>>
>>>> When you run 'getent group Domain\ Users' it gets the groups 
>>>> gidNumber (10000 in your case) and the contents any 'member' 
>>>> attributes, so I presume if you examine the groups AD object, you 
>>>> would find 8 'member' attribute lines.
>>>>
>>>> But if you were to run 'getent passwd user5', you would only get a 
>>>> response if 'user5' has a 'uidNumber'.
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>>     I did forget to change it. Is it as simple as renaming now 
>>>>>>> or did I screw up?
>>>>>>>
>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>>     I had a typo in my hosts file which is the reason my 
>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>> Successfully joined and updated DNS A record. I then made sure 
>>>>>>>>> to give 'Domain users' an id of 10000. I am now able to run 
>>>>>>>>> 'getent passwd' and see all my domain users! YES! However I 
>>>>>>>>> still see something that confuses me. When I run 'id tuser' I 
>>>>>>>>> get the following.
>>>>>>>>>
>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>
>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>> Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     I've gotten a bit further. It appears my use of '.local' 
>>>>>>>>>>> is causing the issue from what I've researched. I ran 
>>>>>>>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to 
>>>>>>>>>>> successfully join the domain.
>>>>>>>>>>>
>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>
>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>>     If you don't mind, I'd like to post my member server 
>>>>>>>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install and 
>>>>>>>>>>>>> prior to Samba build. Anything I'm missing that could 
>>>>>>>>>>>>> cause my issue as I proceed? I assume no other 
>>>>>>>>>>>>> prerequisites must be done on the other DC's either? Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev 
>>>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user 
>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>> 172.16.232.25   pfmember1.domain.local pfmember1
>>>>>>>>>>>>>
>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>
>>>>>>>>>>>> if you are referring to /etc/hostname, then it should just 
>>>>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>>>>
>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you were to 
>>>>>>>>>>>> use Debian Wheezy and backports, you wouldn't have to 
>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> #/network/interfaces
>>>>>>>>>>>>> # This file describes the network interfaces available on 
>>>>>>>>>>>>> your system
>>>>>>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>
>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>
>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     I forgot to tell you the results were from my Domain 
>>>>>>>>>>>>>>> Controller and not the member server. Member server 
>>>>>>>>>>>>>>> returned something to the effect of 'user not found'. I 
>>>>>>>>>>>>>>> am only starting the 3 services (smbd, nmbd and winbindd) 
>>>>>>>>>>>>>>> listed in the wiki. Should I be starting Samba with 
>>>>>>>>>>>>>>> command line switches to start as a member server? Is 
>>>>>>>>>>>>>>> that even possible?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi, there are two ways of running samba4: the classic or 
>>>>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If you 
>>>>>>>>>>>>>> run samba4 in the classic way, you need to start the smbd 
>>>>>>>>>>>>>> & nmbd daemons and optionally the winbind daemon. If you 
>>>>>>>>>>>>>> use samba4 as an AD DC, then you only start the samba 
>>>>>>>>>>>>>> daemon; this will start any other required daemons. You 
>>>>>>>>>>>>>> only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As you are trying to set up a member server, you must 
>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again using 
>>>>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>     I decided to start over with a fresh install and 
>>>>>>>>>>>>>>>>> attempted again. Only change I made was to start my 
>>>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 
>>>>>>>>>>>>>>>>> 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>> distinguishedName: CN=Test 
>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still amiss. 
>>>>>>>>>>>>>>>>>>>>> I do receive a response from 'getent group domain 
>>>>>>>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users 
>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view 
>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange 
>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to attempt 
>>>>>>>>>>>>>>>>>>>>>>> to assign a uid. I get the default value of 
>>>>>>>>>>>>>>>>>>>>>>> 10000. I would expect 2001 given I set the first 
>>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear to 
>>>>>>>>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at 
>>>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. 
>>>>>>>>>>>>>>>>>>>>>>>>> Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It 
>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let me 
>>>>>>>>>>>>>>>>>>>>>>>>> preface by saying this is an Ubuntu 12.04 
>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set 
>>>>>>>>>>>>>>>>>>>>>>>>>>> up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for 
>>>>>>>>>>>>>>>>>>>>>>>>>>> my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf 
>>>>>>>>>>>>>>>>>>>>>>>>>> to your new member server.
>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at 
>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 
>>>>>>>>>>>>>>>>>>>>>>>> 'ad' backend. For this to work, you need to add 
>>>>>>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a 
>>>>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain 
>>>>>>>>>>>>>>>>>>>>>>>> Users group. The numbers that you add must be 
>>>>>>>>>>>>>>>>>>>>>>>> between the range you set in your smb.conf, 
>>>>>>>>>>>>>>>>>>>>>>>> again if you followed the wiki, this will be 
>>>>>>>>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the 
>>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from 
>>>>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain 
>>>>>>>>>>>>>>>>>>>> user>'
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then 
>>>>>>>>>>>>>>>>>> run:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such 
>>>>>>>>>>>>>>>> you are using the std windows start number 10000, which 
>>>>>>>>>>>>>>>> is the way I run samba. Here is my smb.conf from the 
>>>>>>>>>>>>>>>> laptop I am writing this on:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> -James
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't 
>>>>>>>>>> use the .local suffix
>>>>>>>>>>
>>>>>>>>>> But does anything else work?
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> -James
>>>>>>>>
>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>
>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>
>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>
>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> -James
>>>>>>
>>>>>> Just change it, stop samba and winbind, run 'net cache flush' and 
>>>>>> restart samba & winbind.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>> -- 
>>>>> -James
>>>>
>>>
>>> -- 
>>> -James
>>
>
> -- 
> -James
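As an added example, not code from this thread or from the Samba project, a small POSIX sh script that applies the two checks Rowland asks for above to constructed data: an smb.conf fragment shaped like the one he posted, and LDIF records shaped like the one James posted. The user names, the `classify_id` helper and the sample values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. It checks (1) whether the
# uidNumber/gidNumber on an AD object fall inside the "idmap config DOMAIN :
# range" that smb.conf hands to the 'ad' backend, and (2) whether an id that
# winbind reports comes from that range or from the catch-all "*" tdb range
# (the 2155-instead-of-10001 symptom when the idmap lines still say EXAMPLE).
# SMB_CONF and the LDIF records are constructed samples, not files on disk.

SMB_CONF='[global]
        workgroup = EXAMPLE
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307'

# Constructed LDIF of a user that carries RFC2307 attributes (like tuser).
TUSER_LDIF='dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000'

# Constructed LDIF of a user that was never given a uidNumber.
USER5_LDIF='dn: CN=User Five,CN=Users,DC=domain,DC=local
sAMAccountName: user5'

# idmap_range DOMAIN -> prints "LOW HIGH" from that domain's range line.
# Pass '\*' as DOMAIN to get the catch-all range.
idmap_range() {
    printf '%s\n' "$SMB_CONF" | sed -n \
      "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}
# ldif_attr ATTR LDIF -> prints ATTR's value from a single-record LDIF.
ldif_attr() { printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"; }

# in_range N DOMAIN -> succeeds if N lies inside DOMAIN's idmap range.
in_range() {
    r=$(idmap_range "$2"); [ -n "$r" ] || return 1
    [ "$1" -ge "${r% *}" ] && [ "$1" -le "${r#* }" ]
}

# check_user DOMAIN LDIF -> prints ok, no-uidNumber or out-of-range.
# A user without uidNumber is exactly what 'getent passwd user' cannot show.
check_user() {
    uid=$(ldif_attr uidNumber "$2"); gid=$(ldif_attr gidNumber "$2")
    [ -n "$uid" ] || { echo no-uidNumber; return 1; }
    for n in $uid $gid; do
        in_range "$n" "$1" || { echo out-of-range; return 1; }
    done
    echo ok
}

# classify_id N DOMAIN -> ad (domain range), tdb (catch-all range, so the
# domain-specific idmap lines are not matching the workgroup) or none.
classify_id() {
    if in_range "$1" "$2"; then echo ad
    elif in_range "$1" '\*'; then echo tdb
    else echo none; fi
}
check_user EXAMPLE "$TUSER_LDIF" || :   # ok
check_user EXAMPLE "$USER5_LDIF" || :   # no-uidNumber
classify_id 10001 EXAMPLE               # ad
classify_id 2155 EXAMPLE                # tdb
```

On a real member server the LDIF would come from `ldbsearch` or `ldbedit` as in the thread, and the number to classify from `id <user>`.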


