[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Mon Jan 5 06:28:53 MST 2015


Rowland,

     Thanks so far for the assistance. I have a question about setting 
up shares on a member server. How do I map to users or groups that do 
not display in AD (Everyone, System, Authenticated Users)?

On 1/2/2015 2:08 PM, Rowland Penny wrote:
> On 02/01/15 18:59, James wrote:
>> Rowland,
>>
>>     That was the issue. Windows computer management console showed 0 
>> connections. That obviously wasn't correct. A reboot corrected the 
>> issue. ACLs working as expected. I probably should have run a 
>> 'netstat' to verify.
>>
>>     Any best practices on who should or shouldn't have uid's or gid's 
>> set in AD? I've read where the Administrator account should not have 
>> one set.
>
> Cannot say that I know of any best practices, but I only give Domain 
> Admins and Domain Users a gidNumber and Administrator should already 
> be mapped to root (that is if you changed 'Example' in /etc/samba/smbmap).
>
> Rowland
>>
>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>> On 02/01/15 18:35, James wrote:
>>>> Rowland,
>>>>
>>>>     Thanks for the clarification. It appears the member server is 
>>>> joined and I have created a share.
>>>>
>>>> [demoshare]
>>>>     path = /srv/samba/test
>>>>     read only = no
>>>>
>>>>
>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per 
>>>> the wiki. I can navigate to the share using Windows Explorer. If I 
>>>> set the share permissions to only me (Full Control), I can't access 
>>>> the share. The 'Everyone' and 'Domain Users' group allows me 
>>>> access. On my DCs this has worked in the past. Am I missing 
>>>> something? This is the error I receive.
>>>>
>>>> \\pfmember1\demoshare is not accessible. You might not have 
>>>> permission to use this network resource. Contact the administrator 
>>>> of this server to find out if you have access permissions.
>>>>
>>>> Multiple connections to a server or shared resource by the same 
>>>> user, using more than one user name, are not allowed. Disconnect 
>>>> all previous connections to the server or shared resource and try 
>>>> again.
>>>
>>> You seem to have a connection to the share already open, close this 
>>> and try again.
>>> If this fails, post the results of:
>>>
>>> ls -la /srv/samba/test
>>>
>>> and
>>>
>>> getfacl /srv/samba/test
>>>
>>> Rowland
>>>
>>>>
>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>> On 02/01/15 18:01, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     That did it! Thank you so much. I do have a question 
>>>>>> regarding the 'getent' command before setting up file shares. 
>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>
>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>
>>>>>> Why does it show these specific users? I would assume it would 
>>>>>> only show my 'tuser'. I don't have uid's set for anyone else.
>>>>>
>>>>> When you run 'getent group Domain\ Users' it gets the group's 
>>>>> gidNumber (10000 in your case) and the contents of any 'member' 
>>>>> attributes, so I presume if you examine the group's AD object, you 
>>>>> would find 8 'member' attribute lines.
>>>>>
>>>>> But if you were to run 'getent passwd user5', you would only get a 
>>>>> response if 'user5' has a 'uidNumber'.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     I did forget to change it. Is it as simple as renaming now 
>>>>>>>> or did I screw up?
>>>>>>>>
>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>>     I had a typo in my hosts file which is the reason my 
>>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>>> Successfully joined and updated DNS A record. I then made 
>>>>>>>>>> sure to give 'Domain users' an id of 10000. I am now able to 
>>>>>>>>>> run 'getent passwd' and see all my domain users! YES! However 
>>>>>>>>>> I still see something that confuses me. When I run 'id tuser' 
>>>>>>>>>> I get the following.
>>>>>>>>>>
>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>
>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     I've gotten a bit further. It appears my use of 
>>>>>>>>>>>> '.local' is causing the issue from what I've researched. I 
>>>>>>>>>>>> ran '/etc/init.d/avahi-daemon stop'. This allowed me to 
>>>>>>>>>>>> successfully join the domain.
>>>>>>>>>>>>
>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     If you don't mind, I'd like to post my member server 
>>>>>>>>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after a fresh install 
>>>>>>>>>>>>>> and prior to the Samba build. Anything I'm missing that could 
>>>>>>>>>>>>>> cause my issue as I proceed? I assume no other 
>>>>>>>>>>>>>> prerequisites must be done on the other DCs either? Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev 
>>>>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user 
>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local    pfmember1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>
>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should just 
>>>>>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to 
>>>>>>>>>>>>> use Debian Wheezy and backports, you wouldn't have to 
>>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>>>> # This file describes the network interfaces available on 
>>>>>>>>>>>>>> your system
>>>>>>>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     I forgot to tell you the results were from my 
>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member 
>>>>>>>>>>>>>>>> server returned something to the effect of 'user not 
>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd and 
>>>>>>>>>>>>>>>> winbindd) listed in the wiki. Should I be starting 
>>>>>>>>>>>>>>>> Samba with command line switches to start as a member 
>>>>>>>>>>>>>>>> server? Is that even possible?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or 
>>>>>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If 
>>>>>>>>>>>>>>> you run samba4 in the classic way, you need to start the 
>>>>>>>>>>>>>>> smbd & nmbd daemons and optionally the winbind daemon. 
>>>>>>>>>>>>>>> If you use samba4 as an AD DC, then you only start the 
>>>>>>>>>>>>>>> samba daemon; this will start any other required 
>>>>>>>>>>>>>>> daemons. You only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As you are trying to set up a member server, you must 
>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again using 
>>>>>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     I decided to start over with a fresh install and 
>>>>>>>>>>>>>>>>>> attempted again. Only change I made was to start my 
>>>>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 
>>>>>>>>>>>>>>>>>> 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal 
>>>>>>>>>>>>>>>>>>>> line.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still 
>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent group 
>>>>>>>>>>>>>>>>>>>>>> domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users 
>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view 
>>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange 
>>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to 
>>>>>>>>>>>>>>>>>>>>>>>> attempt to assign a uid, I get the default 
>>>>>>>>>>>>>>>>>>>>>>>> value of 10000. I would expect 2001 given I set 
>>>>>>>>>>>>>>>>>>>>>>>> the first user with uid 2000. Groups however 
>>>>>>>>>>>>>>>>>>>>>>>> appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at 
>>>>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. 
>>>>>>>>>>>>>>>>>>>>>>>>>> Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It 
>>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let 
>>>>>>>>>>>>>>>>>>>>>>>>>> me preface by saying this is an Ubuntu 12.04 
>>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy 
>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new memberserver
>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using 
>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need 
>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users 
>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the 
>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. The numbers that you add 
>>>>>>>>>>>>>>>>>>>>>>>>> must be within the range you set in your 
>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf; again, if you followed the wiki, this 
>>>>>>>>>>>>>>>>>>>>>>>>> will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the 
>>>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from 
>>>>>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain 
>>>>>>>>>>>>>>>>>>>>> user>'
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then 
>>>>>>>>>>>>>>>>>>> run:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such 
>>>>>>>>>>>>>>>>> you are using the std windows start number 10000, 
>>>>>>>>>>>>>>>>> which is the way I run samba. Here is my smb.conf from 
>>>>>>>>>>>>>>>>> the laptop I am writing this on:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OK, you have *now* found out one of the reasons you 
>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>
>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>
>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>
>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' 
>>>>>>> and restart samba & winbind.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
-James
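Added example (not code from this thread or from the Samba project): a small Python checker for the idmap lines that the thread keeps coming back to. It parses an smb.conf, reports an 'idmap config X' block whose name does not match 'workgroup' (the EXAMPLE placeholder left in), a missing block for the workgroup, and overlapping '*' and domain ranges, and it says whether a uidNumber or gidNumber set in AD falls inside the domain's 'ad' backend range. Both smb.conf samples are constructed: the first copies the idmap lines from the smb.conf posted above; the second is an assumption of what an unedited copy looks like once only the workgroup has been changed to DOMAIN, which is consistent with the uid 2155 seen earlier in the thread (2155 lies in the '*' tdb range 2000-9999, not in the 10000-999999 'ad' range).

```python
"""Sanity-check the idmap settings in a Samba member-server smb.conf.

Added example, not code from the mailing-list thread or from Samba.
"""
import re


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Keys are lower-cased and whitespace around ':' is dropped, so
    'idmap config EXAMPLE:schema_mode' and 'idmap config EXAMPLE : schema_mode'
    compare equal, as they do for Samba itself.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
        conf[section][key] = value.strip()
    return conf


def parse_range(value):
    """'10000-999999' -> (10000, 999999); ValueError if malformed or empty."""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-", 1))
    if lo >= hi:
        raise ValueError("empty idmap range: %s" % value)
    return lo, hi


def idmap_domains(conf):
    """{domain: {setting: value}} for every 'idmap config <domain> : <setting>'."""
    domains = {}
    for key, value in conf.get("global", {}).items():
        m = re.match(r"idmap config (.+?):(.+)$", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains


def check_idmap(conf):
    """Return a list of findings; an empty list means the idmap block looks sane."""
    findings = []
    workgroup = conf.get("global", {}).get("workgroup", "").lower()
    domains = idmap_domains(conf)
    if not workgroup:
        return ["no 'workgroup' set in [global]"]
    if workgroup not in domains:
        findings.append("no 'idmap config %s' block: this domain's users are "
                        "allocated from the '*' backend, not from AD" % workgroup.upper())
    for dom in domains:
        if dom not in ("*", workgroup):
            findings.append("'idmap config %s' does not match workgroup %s "
                            "(placeholder left in?)" % (dom.upper(), workgroup.upper()))
    ranges = {}
    for dom, settings in domains.items():
        try:
            ranges[dom] = parse_range(settings["range"])
        except (KeyError, ValueError):
            findings.append("'idmap config %s' has no usable range" % dom.upper())
    if "*" in ranges and workgroup in ranges:
        (a, b), (c, d) = ranges["*"], ranges[workgroup]
        if a <= d and c <= b:  # the two intervals intersect
            findings.append("'*' range %d-%d overlaps domain range %d-%d" % (a, b, c, d))
    return findings


def id_in_domain_range(conf, number):
    """True if a uidNumber/gidNumber lies inside the workgroup's idmap range."""
    workgroup = conf.get("global", {}).get("workgroup", "").lower()
    settings = idmap_domains(conf).get(workgroup, {})
    try:
        lo, hi = parse_range(settings["range"])
    except (KeyError, ValueError):
        return False
    return lo <= number <= hi


# Constructed sample 1: the idmap lines of the smb.conf posted in the thread.
GOOD_CONF = """
[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend  = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE:schema_mode = rfc2307
"""

# Constructed sample 2 (an assumption about the unedited config): workgroup
# changed to DOMAIN, but the 'idmap config EXAMPLE' lines copied unchanged.
UNEDITED_CONF = """
[global]
    workgroup = DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend  = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE:schema_mode = rfc2307
"""
```

Usage: `check_idmap(parse_smb_conf(open("/etc/samba/smb.conf").read()))` returns an empty list for the posted configuration and two findings for the unedited one (no block for DOMAIN, and an EXAMPLE block that matches nothing); `id_in_domain_range(conf, 10001)` is True only when the workgroup's own 'ad' range covers the number, so an AD uidNumber outside it would never be served from AD.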
