[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Mon Jan 5 07:00:54 MST 2015


Hi Rowland,

     Yes. When I create a share I get the expected 'Everyone' group 
under 'Share Permissions' for example. I'm assuming I must map this 
object to Unix so all windows users can access this share. However in AD 
there is no 'Everyone' group to set a gid. I wouldn't necessarily expect 
one either. I'm currently under the mindset that with a member server I 
must have a uid/gid for every object assigned on the share.

On 1/5/2015 8:37 AM, Rowland Penny wrote:
> On 05/01/15 13:28, James wrote:
>> Rowland,
>>
>>     Thanks so far for the assistance. I have a question about setting 
>> up shares on a member server. How do I map to users or groups that do 
>> not display in AD(Everyone,System,Authenticated Users)?
>
> Could you be a bit more specific here, are you talking about mapping 
> these windows objects to Unix, or something else ?
>
> Rowland
>>
>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>> On 02/01/15 18:59, James wrote:
>>>> Rowland,
>>>>
>>>>     That was the issue. Windows computer management console showed 
>>>> 0 connections. That obviously wasn't correct. A reboot corrected 
>>>> the issue. ACLs working as expected. I probably should have run a 
>>>> 'netstat' to verify.
>>>>
>>>>     Any best practices on who should or shouldn't have uid's or 
>>>> gid's set in AD? I've read where the Administrator account should 
>>>> not have one set.
>>>
>>> Cannot say that I know of any best practices, but I only give Domain 
>>> Admins and Domain Users a gidNumber and Administrator should already 
>>> be mapped to root (that is if you changed 'Example' in 
>>> /etc/samba/smbmap).
>>>
>>> Rowland
>>>>
>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>> On 02/01/15 18:35, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     Thanks for the clarification. It appears the member server is 
>>>>>> joined and I have created a share.
>>>>>>
>>>>>> [demoshare]
>>>>>>     path = /srv/samba/test
>>>>>>     read only = no
>>>>>>
>>>>>>
>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' 
>>>>>> per the wiki. I can navigate to the share using Windows Explorer. 
>>>>>> If I set the share permissions to only me (Full Control), I can't 
>>>>>> access the share. The 'Everyone' and 'Domain Users' group allows 
>>>>>> me access. On my DC's this has worked in the past. Am I missing 
>>>>>> something? This is the error I receive.
>>>>>>
>>>>>> \\pfmember1\demoshare is not accessible. You might not have 
>>>>>> permission to use this network resource. Contact the 
>>>>>> administrator of this server to find out if you have access 
>>>>>> permissions.
>>>>>>
>>>>>> Multiple connections to a server or shared resource by the same 
>>>>>> user, using more than one user name, are not allowed. Disconnect 
>>>>>> all previous connections to the server or shared resource and try 
>>>>>> again.
>>>>>
>>>>> You seem to have a connection to the share already open, close 
>>>>> this and try again.
>>>>> If this fails, post the results of:
>>>>>
>>>>> ls -la /srv/samba/test
>>>>>
>>>>> and
>>>>>
>>>>> getfacl /srv/samba/test
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     That did it! Thank you so much. I do have a question 
>>>>>>>> regarding the 'getent' command before setting up file shares. 
>>>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>>>
>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>
>>>>>>>> Why does it show these specific users? I would assume it would 
>>>>>>>> only show my 'tuser'. I don't have uid's set for anyone else.
>>>>>>>
>>>>>>> When you run 'getent group Domain\ Users' it gets the groups 
>>>>>>> gidNumber (10000 in your case) and the contents of any 'member' 
>>>>>>> attributes, so I presume if you examine the groups AD object, 
>>>>>>> you would find 8 'member' attribute lines.
>>>>>>>
>>>>>>> But if you were to run 'getent passwd user5', you would only get 
>>>>>>> a response if 'user5' has a 'uidNumber'.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>>     I did forget to change it. Is it as simple as renaming 
>>>>>>>>>> now or did I screw up?
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     I had a typo in my hosts file which is the reason my 
>>>>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>>>>> Successfully joined and updated DNS A record. I then made 
>>>>>>>>>>>> sure to give 'Domain users' an id of 10000. I am now able to 
>>>>>>>>>>>> run 'getent passwd' and see all my domain users! YES! 
>>>>>>>>>>>> However I still see something that confuses me. When I run 
>>>>>>>>>>>> 'id tuser' I get the following.
>>>>>>>>>>>>
>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>
>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I've gotten a bit further. It appears my use of 
>>>>>>>>>>>>>> '.local' is causing the issue from what I've researched. 
>>>>>>>>>>>>>> I ran '/etc/init.d/avahi-daemon stop'. This allowed me 
>>>>>>>>>>>>>> to successfully join the domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: 
>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     If you don't mind, I'd like to post my member server 
>>>>>>>>>>>>>>>> configuration as I attempt again. This is how my member 
>>>>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after a fresh install 
>>>>>>>>>>>>>>>> and prior to Samba build. Anything I'm missing that 
>>>>>>>>>>>>>>>> could cause my issue as I proceed? I assume no other 
>>>>>>>>>>>>>>>> prerequisites must be done on the other DC's either? 
>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev 
>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev libreadline-dev 
>>>>>>>>>>>>>>>> python-dev libpam0g-dev python-dnspython gdb pkg-config 
>>>>>>>>>>>>>>>> libpopt-dev libldap2-dev dnsutils libbsd-dev attr 
>>>>>>>>>>>>>>>> krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local    pfmember1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should 
>>>>>>>>>>>>>>> just contain 'pfmember1'.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were 
>>>>>>>>>>>>>>> to use Debian Wheezy and backports, you wouldn't have to 
>>>>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>>>>>> # This file describes the network interfaces available 
>>>>>>>>>>>>>>>> on your system
>>>>>>>>>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     I forgot to tell you the results were from my 
>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member 
>>>>>>>>>>>>>>>>>> server returned something to the effect of 'user not 
>>>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd 
>>>>>>>>>>>>>>>>>> and winbindd) listed in the wiki. Should I be 
>>>>>>>>>>>>>>>>>> starting Samba with command line switches to start as 
>>>>>>>>>>>>>>>>>> a member server? Is that even possible?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4: the classic 
>>>>>>>>>>>>>>>>> or original way that samba3 was used, or as an AD DC. 
>>>>>>>>>>>>>>>>> If you run samba4 in the classic way, you need to 
>>>>>>>>>>>>>>>>> start the smbd & nmbd daemons and optionally the 
>>>>>>>>>>>>>>>>> winbind daemon. If you use samba4 as an AD DC, then 
>>>>>>>>>>>>>>>>> you only start the samba daemon; this will start any 
>>>>>>>>>>>>>>>>> other required daemons. You only start the samba 
>>>>>>>>>>>>>>>>> daemon on an AD DC.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must 
>>>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again 
>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     I decided to start over with a fresh install 
>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to 
>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain Users' 
>>>>>>>>>>>>>>>>>>>> group gid 10000 and 'tuser' has uid 10001. Still 
>>>>>>>>>>>>>>>>>>>> didn't work btw.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>> objectSid: 
>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local 
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test 
>>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>     passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>     group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal 
>>>>>>>>>>>>>>>>>>>>>> line.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still 
>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent 
>>>>>>>>>>>>>>>>>>>>>>>> group domain users'(users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users 
>>>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view 
>>>>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange 
>>>>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to 
>>>>>>>>>>>>>>>>>>>>>>>>>> attempt to assign a uid, I get the default 
>>>>>>>>>>>>>>>>>>>>>>>>>> value of 10000. I would expect 2001 given I 
>>>>>>>>>>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups 
>>>>>>>>>>>>>>>>>>>>>>>>>> however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at 'Testing the Winbind user/group 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> me preface by saying this is an Ubuntu 12.04 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. Further information at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using 
>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need 
>>>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users 
>>>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. The numbers that you add 
>>>>>>>>>>>>>>>>>>>>>>>>>>> must be between the range you set in your 
>>>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki, 
>>>>>>>>>>>>>>>>>>>>>>>>>>> this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear 
>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines 
>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a 
>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, 
>>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such 
>>>>>>>>>>>>>>>>>>> you are using the std windows start number 10000, 
>>>>>>>>>>>>>>>>>>> which is the way I run samba. Here is my smb.conf 
>>>>>>>>>>>>>>>>>>> from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you 
>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>
>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>
>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>
>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>
>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' 
>>>>>>>>> and restart samba & winbind.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
-James
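Most of the dead ends in this thread come down to the same three idmap mistakes: the wiki's 'EXAMPLE' placeholder left in the 'idmap config' lines instead of the workgroup name, a uidNumber/gidNumber assigned outside the configured domain range (the 2000 vs 10000 confusion), and a default '*' range that collides with the domain range. The script below is an added example written for this page, not code from the thread or from the Samba project. It checks an smb.conf [global] section against an ldbsearch-style LDIF dump offline; the SMB_CONF and SAM_LDIF samples, the workgroup name DOMAIN, the account 'ouser' and all function names are constructed for the example.

```python
"""Offline check of a Samba AD member server's idmap configuration against the
rfc2307 ids actually stored in AD: catches the EXAMPLE placeholder left in
'idmap config' lines, an overlapping '*' range, and ids outside the range."""
import re

# Constructed sample smb.conf [global] (assumed workgroup DOMAIN, not from the thread).
SMB_CONF = """
[global]
        workgroup = DOMAIN
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config DOMAIN : backend  = ad
        idmap config DOMAIN : range = 10000-999999
        idmap config DOMAIN:schema_mode = rfc2307
"""

# Constructed LDIF sample (ldbsearch-style): 'ouser' was given uid 2000, below the range.
SAM_LDIF = """
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000

dn: CN=Other User,CN=Users,DC=domain,DC=local
sAMAccountName: ouser
uidNumber: 2000
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=domain,DC=local
sAMAccountName: Domain Users
gidNumber: 10000
"""

_KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased and 'idmap config X : y'
    normalised to 'idmap config x:y' so both spellings in the thread match."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            key = re.sub(r"\s*:\s*", ":", m.group(1)).lower()
            sections[current][re.sub(r"\s+", " ", key)] = m.group(2).strip()
    return sections


def parse_ldif_ids(text):
    """[(sAMAccountName, attribute, number)] for every uidNumber/gidNumber."""
    ids = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                k, v = line.split(":", 1)
                attrs.setdefault(k.strip(), []).append(v.strip())
        name = attrs.get("sAMAccountName", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            ids.extend((name, attr, int(v)) for v in attrs.get(attr, []))
    return ids


def check_idmap(smb_conf_text, ldif_text):
    """Return a list of problem strings; an empty list means the setup is consistent."""
    problems = []
    g = parse_smb_conf(smb_conf_text).get("global", {})
    workgroup = g.get("workgroup", "").lower()
    if not workgroup:
        return ["no 'workgroup' in [global]"]
    for key in g:  # every idmap domain must be '*' or the real workgroup name
        if key.startswith("idmap config "):
            dom = key[len("idmap config "):].split(":")[0]
            if dom not in ("*", workgroup):
                problems.append("idmap config '%s' does not match workgroup '%s'"
                                % (dom.upper(), workgroup.upper()))
    prefix = "idmap config %s:" % workgroup
    if prefix + "range" not in g:
        problems.append("no 'idmap config %s : range' line (EXAMPLE placeholder "
                        "not replaced?)" % workgroup.upper())
        return problems
    dom_lo, dom_hi = map(int, g[prefix + "range"].split("-"))
    if "idmap config *:range" in g:
        star_lo, star_hi = map(int, g["idmap config *:range"].split("-"))
        if star_lo <= dom_hi and dom_lo <= star_hi:
            problems.append("'*' range %d-%d overlaps domain range %d-%d"
                            % (star_lo, star_hi, dom_lo, dom_hi))
    if g.get(prefix + "backend") == "ad":  # the 'ad' backend maps only ids inside the range
        for name, attr, num in parse_ldif_ids(ldif_text):
            if not dom_lo <= num <= dom_hi:
                problems.append("%s %s=%d is outside %d-%d; winbind will not map it"
                                % (name, attr, num, dom_lo, dom_hi))
    return problems


if __name__ == "__main__":
    for p in check_idmap(SMB_CONF, SAM_LDIF) or ["OK: idmap config and AD ids agree"]:
        print(p)
```

Run against a real server, feed it the output of `testparm -s` and of `ldbsearch -H ldap://<dc> -U administrator '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber`; any line it reports is an object that `getent passwd`/`id` will silently not return, which is exactly the symptom seen earlier in the thread.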


