[Samba] Member Server Setup Assistance

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 5 07:12:12 MST 2015


On 05/01/15 14:00, James wrote:
> Hi Rowland,
>
>     Yes. When I create a share I get the expected 'Everyone' group 
> under 'Share Permissions' for example. I'm assuming I must map this 
> object to Unix so all windows users can access this share. However in 
> AD there is no 'Everyone' group to set a gid. I wouldn't necessarily 
> expect one either. I'm currently under the mindset that with a member 
> server I must have a uid/gid for every object assigned on the share.

AH, light dawns, you are creating a share on a Windows machine and 
setting the permissions from Windows. You cannot really map the users & 
groups you refer to, because they are Windows-only users.

Samba 4 does map them to xidNumbers via idmap.ldb; you can see them with:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

There is a wiki page you might like to take a look at: 
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Rowland

>
> On 1/5/2015 8:37 AM, Rowland Penny wrote:
>> On 05/01/15 13:28, James wrote:
>>> Rowland,
>>>
>>>     Thanks so far for the assistance. I have a question about 
>>> setting up shares on a member server. How do I map to users or 
>>> groups that do not display in AD(Everyone,System,Authenticated Users)?
>>
>> Could you be a bit more specific here, are you talking about mapping 
>> these windows objects to Unix, or something else ?
>>
>> Rowland
>>>
>>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>>> On 02/01/15 18:59, James wrote:
>>>>> Rowland,
>>>>>
>>>>>     That was the issue. Windows computer management console showed 
>>>>> 0 connections. That obviously wasn't correct. A reboot corrected 
>>>>> the issue. ACLs working as expected. I probably should have run a 
>>>>> 'netstat' to verify.
>>>>>
>>>>>     Any best practices on who should or shouldn't have uid's or 
>>>>> gid's set in AD? I've read where the Administrator account should 
>>>>> not have one set.
>>>>
>>>> Cannot say that I know of any best practices, but I only give 
>>>> Domain Admins and Domain Users a gidNumber and Administrator should 
>>>> already be mapped to root (that is if you changed 'Example' in 
>>>> /etc/samba/smbmap).
>>>>
>>>> Rowland
>>>>>
>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>>> On 02/01/15 18:35, James wrote:
>>>>>>> Rowland,
>>>>>>>
>>>>>>>     Thanks for the clarification. It appears the member server 
>>>>>>> is joined and I have created a share.
>>>>>>>
>>>>>>> [demoshare]
>>>>>>>     path = /srv/samba/test
>>>>>>>     read only = no
>>>>>>>
>>>>>>>
>>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' 
>>>>>>> per the wiki. I can navigate to the share using Windows 
>>>>>>> Explorer. If I set the share permissions to only me(Full 
>>>>>>> Control). I can't access the share. The 'Everyone' and 'Domain 
>>>>>>> Users' group allows me access. On my DC's this has worked in the 
>>>>>>> past. Am I missing something? This is the error I receive.
>>>>>>>
>>>>>>> \\pfmember1\demoshare is not accessible. You might not have 
>>>>>>> permission to use this network resource. Contact the 
>>>>>>> administrator of this server to find out if you have access 
>>>>>>> permissions.
>>>>>>>
>>>>>>> Multiple connections to a server or shared resource by the same 
>>>>>>> user, using more than one user name, are not allowed. Disconnect 
>>>>>>> all previous connections to the server or shared resource and 
>>>>>>> try again.
>>>>>>
>>>>>> You seem to have a connection to the share already open, close 
>>>>>> this and try again.
>>>>>> If this fails, post the results of:
>>>>>>
>>>>>> ls -la /srv/samba/test
>>>>>>
>>>>>> and
>>>>>>
>>>>>> getfacl /srv/samba/test
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>>> Rowland,
>>>>>>>>>
>>>>>>>>>     That did it! Thank you so much. I do have a question 
>>>>>>>>> regarding the 'getent' command before setting up file shares. 
>>>>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>>>>
>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>>
>>>>>>>>> Why does it show these specific users? I would assume it would 
>>>>>>>>> only show my 'tuser'. I don't have uid's set for anyone else.
>>>>>>>>
>>>>>>>> When you run 'getent group Domain\ Users' it gets the group's 
>>>>>>>> gidNumber (10000 in your case) and the contents of any 'member' 
>>>>>>>> attributes, so I presume if you examine the group's AD object, 
>>>>>>>> you would find 8 'member' attribute lines.
>>>>>>>>
>>>>>>>> But if you were to run 'getent passwd user5', you would only 
>>>>>>>> get a response if 'user5' has a 'uidNumber'.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>>> Rowland,
>>>>>>>>>>>
>>>>>>>>>>>     I did forget to change it. Is it as simple as renaming 
>>>>>>>>>>> now or did I screw up?
>>>>>>>>>>>
>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I had a typo in my hosts file which is the reason my 
>>>>>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>>>>>> Successfully joined and updated DNS A record. I then made 
>>>>>>>>>>>>> sure to give 'Domain Users' an id of 10000. I am now able 
>>>>>>>>>>>>> to run 'getent passwd' and see all my domain users! YES! 
>>>>>>>>>>>>> However I still see something that confuses me. When I run 
>>>>>>>>>>>>> 'id tuser' I get the following.
>>>>>>>>>>>>>
>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of 
>>>>>>>>>>>>>>> '.local' is causing the issue from what I've researched. 
>>>>>>>>>>>>>>> I ran '/etc/init.d/avahi-daemon stop'. This allowed 
>>>>>>>>>>>>>>> me to successfully join the domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: 
>>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If you don't mind, I'd like to post my member server 
>>>>>>>>>>>>>>>>> configuration as I attempt again. This is how my 
>>>>>>>>>>>>>>>>> member server(Ubuntu 12.04) is configured after fresh 
>>>>>>>>>>>>>>>>> install and prior to Samba build. Anything I'm missing 
>>>>>>>>>>>>>>>>> that could cause my issue as I proceed? I assume no 
>>>>>>>>>>>>>>>>> other prerequisites must be done on the other DC's 
>>>>>>>>>>>>>>>>> either? Thanks.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev 
>>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev 
>>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev 
>>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user 
>>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should 
>>>>>>>>>>>>>>>> just contain 'pfmember1'.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were 
>>>>>>>>>>>>>>>> to use Debian Wheezy and backports, you wouldn't have 
>>>>>>>>>>>>>>>> to compile samba4.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>>>>>>> # This file describes the network interfaces available 
>>>>>>>>>>>>>>>>> on your system
>>>>>>>>>>>>>>>>> # and how to activate them. For more information, see 
>>>>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     I forgot to tell you the results were from my 
>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member 
>>>>>>>>>>>>>>>>>>> server returned something to the effect of 'user not 
>>>>>>>>>>>>>>>>>>> found'. I am only starting the 3 services(smbd,nmbd 
>>>>>>>>>>>>>>>>>>> and windbindd) listed in the wiki. Should I be 
>>>>>>>>>>>>>>>>>>> starting Samba with command line switches to start 
>>>>>>>>>>>>>>>>>>> as a member server? Is that even possible?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4: the classic 
>>>>>>>>>>>>>>>>>> or original way that samba3 was used, or as an AD DC. 
>>>>>>>>>>>>>>>>>> If you run samba4 in the classic way, you need to 
>>>>>>>>>>>>>>>>>> start the smbd & nmbd daemons and optionally the 
>>>>>>>>>>>>>>>>>> winbind daemon. If you use samba4 as an AD DC, then 
>>>>>>>>>>>>>>>>>> you only start the samba daemon; this will start any 
>>>>>>>>>>>>>>>>>> other required daemons. You only start the samba 
>>>>>>>>>>>>>>>>>> daemon on an AD DC.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must 
>>>>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again 
>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>     I decided to start over with a fresh install 
>>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to 
>>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain Users' 
>>>>>>>>>>>>>>>>>>>>> group gid 10000 and 'tuser' has uid 10001. Still 
>>>>>>>>>>>>>>>>>>>>> didn't work btw.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>>> objectSid: 
>>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local 
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test 
>>>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>     passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>     group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank 
>>>>>>>>>>>>>>>>>>>>>>> terminal line.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still 
>>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent 
>>>>>>>>>>>>>>>>>>>>>>>>> group domain users'(users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain users 
>>>>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to 
>>>>>>>>>>>>>>>>>>>>>>>>>>> view them using 'id'. I do notice a few 
>>>>>>>>>>>>>>>>>>>>>>>>>>> strange observations. If I go to another 
>>>>>>>>>>>>>>>>>>>>>>>>>>> user to attempt to assign a uid. I get the 
>>>>>>>>>>>>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 
>>>>>>>>>>>>>>>>>>>>>>>>>>> given I set the first user with uid 2000. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about .local. I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at 'Testing the Winbind user/group 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It will only retrieve local machine users. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Let me preface by saying this is an Ubuntu 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> a Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>   Do I need to extend the schema in order 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> need to add 'uidNumber' attributes to your 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> users and a 'gidNumber' attribute to at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> least the Domain Users group. The numbers 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> that you add must be within the range you 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> set in your smb.conf; again, if you followed 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear 
>>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines 
>>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a 
>>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, 
>>>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as 
>>>>>>>>>>>>>>>>>>>> such you are using the std windows start number 
>>>>>>>>>>>>>>>>>>>> 10000, which is the way I run samba. Here is my 
>>>>>>>>>>>>>>>>>>>> smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you 
>>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> -James
>>>>>>>>>>>>
>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>>
>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>>
>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>>
>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' 
>>>>>>>>>> and restart samba & winbind.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> -James
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> -James
>>>>>>
>>>>>
>>>>> -- 
>>>>> -James
>>>>
>>>
>>> -- 
>>> -James
>>
>
> -- 
> -James
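Added example (not code from this thread or from the Samba project) that turns the diagnosis in the thread into a check you can run before joining a member server. It models the two points Rowland makes above: winbind only consults AD uidNumber/gidNumber for a domain that has its own 'idmap config DOMAIN' stanza with the 'ad' backend (a stanza still named EXAMPLE leaves the real workgroup on the '*' tdb backend, which is how 'tuser' ended up with uid 2155 from the 2000-9999 range instead of 10001), and 'getent group' lists every 'member' of a group while 'getent passwd' only resolves users that carry a uidNumber. The function names (parse_smb_conf, select_idmap, parse_ldif, audit), the constructed smb.conf and LDIF samples, and the simplifications (no trusted-domain handling, no base64 or folded LDIF lines) are this example's own assumptions; the only Samba behaviour it relies on is the fallback of an unconfigured domain to the '*' stanza.

```python
"""Audit a Samba AD member server's idmap setup against the RFC2307 IDs in AD.
Added example, not code from the thread or the Samba project: it parses the
'idmap config' lines of smb.conf, finds the backend winbind will use for the
join domain, and checks uidNumber/gidNumber from an (unfolded) LDIF dump such
as ldbsearch/ldbedit output against that range. All inputs are constructed."""
import re

# Constructed: idmap lines copied from a template without editing EXAMPLE.
BROKEN_SMB_CONF = """\
[global]
    workgroup = DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend  = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE:schema_mode = rfc2307
"""
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("EXAMPLE", "DOMAIN")

# Constructed LDIF: tuser as posted in the thread, a user5 with no uidNumber,
# and the Domain Users group listing both as members.
SAMPLE_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000

dn: CN=user5,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: user5

dn: CN=Domain Users,CN=Users,DC=domain,DC=local
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000
member: CN=Test User,CN=Users,DC=domain,DC=local
member: CN=user5,CN=Users,DC=domain,DC=local
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_smb_conf(text):
    """Return (workgroup, {DOMAIN: {option: value}}); domain names upper-cased."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, idmap

def select_idmap(idmap, workgroup):
    """Winbind uses the stanza named after the domain; a domain without its own
    stanza falls back to '*', whose tdb backend allocates IDs instead of reading AD."""
    key = workgroup if workgroup in idmap else "*"
    return key, idmap.get(key, {})

def parse_ldif(text):
    """Minimal LDIF reader: plain 'attr: value' lines, entries separated by blank lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            entries, cur = entries + ([cur] if cur else []), {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
    return entries + ([cur] if cur else [])

def audit(smb_conf, ldif):
    """Return findings; an empty list means every object resolves via the 'ad' backend."""
    workgroup, idmap = parse_smb_conf(smb_conf)
    key, cfg = select_idmap(idmap, workgroup)
    findings = ["'idmap config %s' matches neither '*' nor workgroup %s: trusted domain, "
                "or an unedited template?" % (d, workgroup) for d in idmap if d not in ("*", workgroup)]
    if cfg.get("backend", "tdb").lower() != "ad":
        return findings + ["%s is served by the '%s' stanza (%s, range %s): AD uidNumber/gidNumber "
                           "are ignored and IDs are allocated from that range" % (
                               workgroup, key, cfg.get("backend", "tdb"), cfg.get("range", "unset"))]
    lo, hi = (int(x) for x in cfg["range"].split("-"))
    entries = parse_ldif(ldif)
    by_dn = {e["dn"][0]: e for e in entries}
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        is_group = "group" in [c.lower() for c in e.get("objectClass", [])]
        attr = "gidNumber" if is_group else "uidNumber"
        if attr not in e:
            findings.append("%s: no %s, so winbind/getent will not resolve it" % (name, attr))
            continue
        n = int(e[attr][0])
        if not lo <= n <= hi:
            findings.append("%s: %s %d is outside the idmap range %d-%d" % (name, attr, n, lo, hi))
        for dn in (e.get("member", []) if is_group else []):
            member = by_dn.get(dn)
            if member is not None and "uidNumber" not in member:
                findings.append("%s: member %s is listed by 'getent group' but has no uidNumber, so "
                                "'getent passwd' will not find it" % (name, member.get("sAMAccountName", [dn])[0]))
    return findings
```

On a real server, feed audit() the output of 'testparm -s' and an LDIF dump of the users and groups (ldbsearch or ldbedit against sam.ldb, as used earlier in the thread). Against BROKEN_SMB_CONF it reports the stray EXAMPLE stanza and that DOMAIN is served by the tdb default; against FIXED_SMB_CONF the configuration is clean and only user5 is flagged, once for having no uidNumber and once as a Domain Users member that 'getent passwd' will not find.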


