[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 5 06:37:34 MST 2015


On 05/01/15 13:28, James wrote:
> Rowland,
>
>     Thanks so far for the assistance. I have a question about setting 
> up shares on a member server. How do I map to users or groups that do 
> not display in AD(Everyone,System,Authenticated Users)?

Could you be a bit more specific here: are you talking about mapping 
these windows objects to Unix, or something else?

Rowland
>
> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>> On 02/01/15 18:59, James wrote:
>>> Rowland,
>>>
>>>     That was the issue. Windows computer management console showed 0 
>>> connections. That obviously wasn't correct. A reboot corrected the 
>>> issue. ACLs are working as expected. I probably should have run a 
>>> 'netstat' to verify.
>>>
>>>     Any best practices on who should or shouldn't have uid's or 
>>> gid's set in AD? I've read where the Administrator account should 
>>> not have one set.
>>
>> Cannot say that I know of any best practices, but I only give Domain 
>> Admins and Domain Users a gidNumber and Administrator should already 
>> be mapped to root (that is if you changed 'Example' in 
>> /etc/samba/smbmap).
>>
>> Rowland
>>>
>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>> On 02/01/15 18:35, James wrote:
>>>>> Rowland,
>>>>>
>>>>>     Thanks for the clarification. It appears the member server is 
>>>>> joined and I have created a share.
>>>>>
>>>>> [demoshare]
>>>>>     path = /srv/samba/test
>>>>>     read only = no
>>>>>
>>>>>
>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per 
>>>>> the wiki. I can navigate to the share using Windows Explorer. If I 
>>>>> set the share permissions to only me (Full Control), I can't access 
>>>>> the share. The 'Everyone' and 'Domain Users' group allows me 
>>>>> access. On my DC's this has worked in the past. Am I missing 
>>>>> something? This is the error I receive.
>>>>>
>>>>> \\pfmember1\demoshare is not accessible. You might not have 
>>>>> permission to use this network resource. Contact the administrator 
>>>>> of this server to find out if you have access permissions.
>>>>>
>>>>> Multiple connections to a server or shared resource by the same 
>>>>> user, using more than one user name, are not allowed. Disconnect 
>>>>> all previous connections to the server or shared resource and try 
>>>>> again.
>>>>
>>>> You seem to have a connection to the share already open, close this 
>>>> and try again.
>>>> If this fails, post the results of:
>>>>
>>>> ls -la /srv/samba/test
>>>>
>>>> and
>>>>
>>>> getfacl /srv/samba/test
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>>     That did it! Thank you so much. I do have a question 
>>>>>>> regarding the 'getent' command before setting up file shares. 
>>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>>
>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>
>>>>>>> Why does it show these specific users? I would assume it would 
>>>>>>> only show my 'tuser'. I don't have uid's set for anyone else.
>>>>>>
>>>>>> When you run 'getent group Domain\ Users' it gets the group's 
>>>>>> gidNumber (10000 in your case) and the contents of any 'member' 
>>>>>> attributes, so I presume if you examine the group's AD object, you 
>>>>>> would find 8 'member' attribute lines.
>>>>>>
>>>>>> But if you were to run 'getent passwd user5', you would only get 
>>>>>> a response if 'user5' has a 'uidNumber'.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>>     I did forget to change it. Is it as simple as renaming now 
>>>>>>>>> or did I screw up?
>>>>>>>>>
>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>> Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     I had a typo in my hosts file which is the reason my 
>>>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>>>> Successfully joined and updated DNS A record. I then made 
>>>>>>>>>>> sure to give 'Domain users' an id of 10000. I am now able to 
>>>>>>>>>>> run 'getent passwd' and see all my domain users! YES! 
>>>>>>>>>>> However I still see something that confuses me. When I run 
>>>>>>>>>>> 'id tuser' I get the following.
>>>>>>>>>>>
>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>
>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>>     I've gotten a bit further. It appears my use of 
>>>>>>>>>>>>> '.local' is causing the issue from what I've researched. 
>>>>>>>>>>>>> I ran '/etc/init.d/avahi-daemon stop'. This allowed me 
>>>>>>>>>>>>> to successfully join the domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>     If you don't mind I'd like to post my member server 
>>>>>>>>>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install 
>>>>>>>>>>>>>>> and prior to Samba build. Anything I'm missing that 
>>>>>>>>>>>>>>> could cause my issue as I proceed? I assume no other 
>>>>>>>>>>>>>>> prerequisites must be done on the other DC's either? Thanks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev 
>>>>>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev 
>>>>>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user 
>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local    pfmember1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should 
>>>>>>>>>>>>>> just contain 'pfmember1'.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you were to 
>>>>>>>>>>>>>> use Debian Wheezy and backports, you wouldn't have to 
>>>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> #/network/interfaces
>>>>>>>>>>>>>>> # This file describes the network interfaces available 
>>>>>>>>>>>>>>> on your system
>>>>>>>>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>     I forgot to tell you the results were from my 
>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member 
>>>>>>>>>>>>>>>>> server returned something to the effect of 'user not 
>>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd 
>>>>>>>>>>>>>>>>> and winbindd) listed in the wiki. Should I be 
>>>>>>>>>>>>>>>>> starting Samba with command line switches to start as 
>>>>>>>>>>>>>>>>> a member server? Is that even possible?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4: the classic 
>>>>>>>>>>>>>>>> or original way that samba3 was used, or as an AD DC. 
>>>>>>>>>>>>>>>> If you run samba4 in the classic way, you need to start 
>>>>>>>>>>>>>>>> the smbd & nmbd daemons and optionally the winbind 
>>>>>>>>>>>>>>>> daemon. If you use samba4 as an AD DC, then you only 
>>>>>>>>>>>>>>>> start the samba daemon; this will start any other 
>>>>>>>>>>>>>>>> required daemons. You only start the samba daemon on an 
>>>>>>>>>>>>>>>> AD DC.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must 
>>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again 
>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     I decided to start over with a fresh install and 
>>>>>>>>>>>>>>>>>>> attempted again. Only change I made was to start my 
>>>>>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 
>>>>>>>>>>>>>>>>>>> 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>> objectSid: 
>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test 
>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>>>>>>>>>     group: compat winbind
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal 
>>>>>>>>>>>>>>>>>>>>> line.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still 
>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent 
>>>>>>>>>>>>>>>>>>>>>>> group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users 
>>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view 
>>>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange 
>>>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to 
>>>>>>>>>>>>>>>>>>>>>>>>> attempt to assign a uid. I get the default 
>>>>>>>>>>>>>>>>>>>>>>>>> value of 10000. I would expect 2001 given I 
>>>>>>>>>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups 
>>>>>>>>>>>>>>>>>>>>>>>>> however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at 
>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It 
>>>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let 
>>>>>>>>>>>>>>>>>>>>>>>>>>> me preface by saying this is an Ubuntu 12.04 
>>>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>   Do I need to extend the schema in order 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> spam. Sign your e-mail. More information at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using 
>>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need 
>>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users 
>>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the 
>>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. The numbers that you add 
>>>>>>>>>>>>>>>>>>>>>>>>>> must be within the range you set in your 
>>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf; again, if you followed the wiki, 
>>>>>>>>>>>>>>>>>>>>>>>>>> this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the 
>>>>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines 
>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain 
>>>>>>>>>>>>>>>>>>>>>> user>'
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, 
>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such 
>>>>>>>>>>>>>>>>>> you are using the std windows start number 10000, 
>>>>>>>>>>>>>>>>>> which is the way I run samba. Here is my smb.conf 
>>>>>>>>>>>>>>>>>> from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Compare it with yours; I can assure you it works.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> -James
>>>>>>>>>>>>
>>>>>>>>>>>> OK, you have *now* found out one of the reasons you 
>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>
>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>
>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>
>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>
>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> -James
>>>>>>>>
>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' 
>>>>>>>> and restart samba & winbind.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> -James
>>>>>>
>>>>>
>>>>> -- 
>>>>> -James
>>>>
>>>
>>> -- 
>>> -James
>>
>
> -- 
> -James
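The root cause that runs through this thread is an `idmap config` block left at the wiki's `EXAMPLE` placeholder: winbind then has no `ad` backend for the real workgroup and allocates ids from the `*` tdb range (the `uid=2155` James saw instead of the `uidNumber: 10001` set in AD), and `getent passwd` stays empty until the `uidNumber`/`gidNumber` attributes exist and fall inside the workgroup's range. The POSIX shell script below is an added example, not code from the thread, from Rowland, or from the Samba project. It works on a constructed smb.conf and a constructed, sanitized LDIF-style user record (hypothetical workgroup `PFDOMAIN`, the 2000-9999 and 10000-999999 ranges copied from Rowland's posted config) and checks offline the three things the thread turned on: that the workgroup has its own `ad` idmap block, which range a given Unix id was allocated from, and that a user's rfc2307 attributes lie inside that range.

```shell
#!/bin/sh
# Added example: check a member server's idmap setup offline, before
# touching winbind. PFDOMAIN, the ranges and the user record are constructed.

# Constructed smb.conf in the state the thread describes: the wiki's EXAMPLE
# placeholder was never renamed, so PFDOMAIN has no 'ad' idmap block at all.
BROKEN_CONF='[global]
        workgroup = PFDOMAIN
        security = ADS
        realm = PFDOMAIN.LOCAL
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE : schema_mode = rfc2307
'
# The same file after the rename Rowland asked for.
FIXED_CONF=$(printf '%s\n' "$BROKEN_CONF" | sed 's/EXAMPLE/PFDOMAIN/')

# Constructed, sanitized user record in the ldbedit/LDIF layout.
SAMPLE_LDIF='dn: CN=Test User,CN=Users,DC=pfdomain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/sh
unixHomeDirectory: /home/tuser
'

# smb_get CONF KEY: value of KEY in CONF. Case-insensitive; whitespace around
# '=' and ':' is ignored, so "idmap config X : range" matches "idmap config x:range".
smb_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        NF >= 2 {
            k = $1
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            gsub(/[[:space:]]*:[[:space:]]*/, ":", k)
            gsub(/[[:space:]]+/, " ", k)
            if (tolower(k) == tolower(key)) {
                v = $2
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# ldif_attr LDIF ATTR: first value of ATTR in an LDIF record.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" -F': ' '$1 == a { print $2; exit }'
}

# id_in_range ID LO-HI: succeed when LO <= ID <= HI.
id_in_range() {
    lo=${2%-*}; hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# check_idmap CONF: print the workgroup's 'ad' idmap range, or explain on
# stderr why winbind cannot read rfc2307 ids from AD and fail.
check_idmap() {
    wg=$(smb_get "$1" workgroup)
    [ -n "$wg" ] || { echo "no workgroup set" >&2; return 1; }
    backend=$(smb_get "$1" "idmap config $wg:backend")
    range=$(smb_get "$1" "idmap config $wg:range")
    if [ -z "$backend" ]; then
        if [ -n "$(smb_get "$1" "idmap config EXAMPLE:backend")" ]; then
            echo "idmap config still uses the EXAMPLE placeholder; rename it to $wg" >&2
        else
            echo "no idmap config block for workgroup $wg" >&2
        fi
        return 1
    fi
    [ "$backend" = "ad" ] || { echo "backend for $wg is '$backend', expected 'ad'" >&2; return 1; }
    [ -n "$range" ] || { echo "no idmap range set for $wg" >&2; return 1; }
    echo "$range"
}

# idmap_source CONF ID: which range a Unix id came from: the workgroup's 'ad'
# range (uidNumber/gidNumber honoured), the '*' tdb range (allocated locally,
# which is what a uid such as 2155 means), or neither.
idmap_source() {
    wg=$(smb_get "$1" workgroup)
    adr=$(smb_get "$1" "idmap config $wg:range")
    dfl=$(smb_get "$1" "idmap config *:range")
    if [ -n "$adr" ] && id_in_range "$2" "$adr"; then echo "$wg"
    elif [ -n "$dfl" ] && id_in_range "$2" "$dfl"; then echo "*"
    else echo "none"; fi
}

# check_user_mapping CONF LDIF: the user needs both rfc2307 attributes, and
# they must lie inside the workgroup's 'ad' range, or 'getent passwd' stays empty.
check_user_mapping() {
    range=$(check_idmap "$1") || return 1
    uid=$(ldif_attr "$2" uidNumber); gid=$(ldif_attr "$2" gidNumber)
    [ -n "$uid" ] || { echo "no uidNumber: the 'ad' backend will not map this user" >&2; return 1; }
    [ -n "$gid" ] || { echo "no gidNumber: primary group has no Unix gid" >&2; return 1; }
    id_in_range "$uid" "$range" || { echo "uidNumber $uid outside $range" >&2; return 1; }
    id_in_range "$gid" "$range" || { echo "gidNumber $gid outside $range" >&2; return 1; }
    echo "uidNumber=$uid gidNumber=$gid within range $range"
}

# Demonstration on the constructed inputs (diagnostics go to stderr).
if ! check_idmap "$BROKEN_CONF" >/dev/null; then
    echo "unfixed smb.conf: uid 2155 was allocated from idmap domain '$(idmap_source "$BROKEN_CONF" 2155)'"
fi
check_user_mapping "$FIXED_CONF" "$SAMPLE_LDIF"
```

On a real member server the same functions can be fed `"$(cat /etc/samba/smb.conf)"` and the output of the `ldbedit`/`ldbsearch` query Rowland suggested; the point of the `idmap_source` check is that an id from the `*` range is a symptom (winbind fell back to local allocation), not a value to carry into ACLs, since it will not be stable across hosts or cache flushes.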


