[Samba] Member Server Setup Assistance

James lingpanda101 at gmail.com
Mon Jan 5 09:23:34 MST 2015


Rowland,

     Thanks. I understand now.


On 1/5/2015 11:00 AM, Rowland Penny wrote:
> On 05/01/15 14:59, James wrote:
>>     That is actually the wiki page I am currently referencing in my 
>> question.  From the wiki you can see the 'Everyone' group. I would 
>> normally remove and add domain users or authenticated users. That 
>> prompted me to ask myself "what if I wanted the everyone group to 
>> have access?" How does the member server know who the everyone group 
>> is, since the share is created on the server? What mappings, if any, do 
>> I need to make sure are in place?
>
> OK, this is a good question :-)
>
> If you examine your smb.conf, you should find these two lines:
>
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>
> What do they mean ?
>
> Well, idmap is fairly obvious, map the ID, '*' is for trusted domains 
> and local groups, 'backend = tdb' is where to store the result, 'range 
> = 2000-9999' is for the numbers to use.
> So the first line means, store trusted domains and local groups in a 
> tdb file, the second line gives the number to start at (2000) and what 
> the last number will be (9999). The users & groups are allocated 
> numbers as they are found, this means that they could have different 
> numbers on different machines, this is not a problem as they are 
> treated as local identities. It works in a similar way to idmap.ldb on 
> the DC, this is a problem when it comes to 'sysvol', which is why it 
> is advisable to sync idmap.ldb between DCs.
>
> OK, how do we prove that it works ?
>
> Well you referred to 'Everyone', this has the well-known SID 'S-1-1-0'
>
> Run (on the member server): 'sudo wbinfo -Y S-1-1-0'
>
> on mine it returns '2002'
>
> So if we now create a directory on the member server
>
> sudo mkdir /home/acltest
>
> and set an ACL for 'Everyone'
>
> sudo setfacl -m g:2002:rwx /home/acltest
>
> read the directory's ACLs
>
> getfacl /home/acltest
> getfacl: Removing leading '/' from absolute path names
> # file: home/acltest
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:2002:rwx
> mask::rwx
> other::r-x
>
> It shows here that group '2002' has full permissions on the directory, 
> but if you share the directory via samba and go to the share on a 
> windows machine, it would show that 'Everyone' has full permissions on 
> the share.
>
> Rowland
>>
>> On 1/5/2015 9:12 AM, Rowland Penny wrote:
>>> On 05/01/15 14:00, James wrote:
>>>> Hi Rowland,
>>>>
>>>>     Yes. When I create a share I get the expected 'Everyone' group 
>>>> under 'Share Permissions' for example. I'm assuming I must map this 
>>>> object to Unix so all windows users can access this share. However 
>>>> in AD there is no 'Everyone' group to set a gid. I wouldn't 
>>>> necessarily expect one either. I'm currently under the mind set 
>>>> that with a member server I must have a uid/gid for every object 
>>>> assigned on the share.
>>>
>>> AH, light dawns, you are creating a share on a windows machine and 
>>> setting the permissions from windows. You cannot really map the 
>>> users & groups you refer to, because they are windows only users.
>>>
>>> Samba 4 does map them to xidNumbers via idmap.ldb; you can see them 
>>> via:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>>>
>>> There is a wiki page you might like to take a look at: 
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>
>>> Rowland
>>>
>>>>
>>>> On 1/5/2015 8:37 AM, Rowland Penny wrote:
>>>>> On 05/01/15 13:28, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     Thanks so far for the assistance. I have a question about 
>>>>>> setting up shares on a member server. How do I map to users or 
>>>>>> groups that do not display in AD(Everyone,System,Authenticated 
>>>>>> Users)?
>>>>>
>>>>> Could you be a bit more specific here, are you talking about 
>>>>> mapping these windows objects to Unix, or something else ?
>>>>>
>>>>> Rowland
>>>>>>
>>>>>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 18:59, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     That was the issue. Windows computer management console 
>>>>>>>> showed 0 connections. That obviously wasn't correct. A reboot 
>>>>>>>> corrected the issue. ACL's working as expected. I probably 
>>>>>>>> should have run a 'netstat' to verify.
>>>>>>>>
>>>>>>>>     Any best practices on who should or shouldn't have uid's or 
>>>>>>>> gid's set in AD? I've read where the Administrator account 
>>>>>>>> should not have one set.
>>>>>>>
>>>>>>> Cannot say that I know of any best practices, but I only give 
>>>>>>> Domain Admins and Domain Users a gidNumber and Administrator 
>>>>>>> should already be mapped to root (that is if you changed 
>>>>>>> 'Example' in /etc/samba/smbmap).
>>>>>>>
>>>>>>> Rowland
>>>>>>>>
>>>>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 18:35, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>>     Thanks for the clarification. It appears the member 
>>>>>>>>>> server is joined and I have created a share.
>>>>>>>>>>
>>>>>>>>>> [demoshare]
>>>>>>>>>>     path = /srv/samba/test
>>>>>>>>>>     read only = no
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have enabled ACL support and given 
>>>>>>>>>> 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the 
>>>>>>>>>> share using Windows Explorer. If I set the share permissions 
>>>>>>>>>> to only me(Full Control). I can't access the share. The 
>>>>>>>>>> 'Everyone' and 'Domain Users' group allows me access. On my 
>>>>>>>>>> DC's this has worked in the past. Am I missing something? 
>>>>>>>>>> This is the error I receive.
>>>>>>>>>>
>>>>>>>>>> \\pfmember1\demoshare is not accessible. You might not have 
>>>>>>>>>> permission to use this network resource. Contact the 
>>>>>>>>>> administrator of this server to find out if you have access 
>>>>>>>>>> permissions.
>>>>>>>>>>
>>>>>>>>>> Multiple connections to a server or shared resource by the 
>>>>>>>>>> same user, using more than one user name, are not allowed. 
>>>>>>>>>> Disconnect all previous connections to the server or shared 
>>>>>>>>>> resource and try again.
>>>>>>>>>
>>>>>>>>> You seem to have a connection to the share already open, close 
>>>>>>>>> this and try again.
>>>>>>>>> If this fails, post the results of:
>>>>>>>>>
>>>>>>>>> ls -la /srv/samba/test
>>>>>>>>>
>>>>>>>>> and
>>>>>>>>>
>>>>>>>>> getfacl /srv/samba/test
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     That did it! Thank you so much. I do have a question 
>>>>>>>>>>>> regarding the 'getent' command before setting up file 
>>>>>>>>>>>> shares. When I run 'getent group Domain\ Users' I get
>>>>>>>>>>>>
>>>>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>>>>>
>>>>>>>>>>>> Why does it show these specific users? I would assume it 
>>>>>>>>>>>> would only show my 'tuser'. I don't have uid's set for 
>>>>>>>>>>>> anyone else.
>>>>>>>>>>>
>>>>>>>>>>> When you run 'getent group Domain\ Users' it gets the groups 
>>>>>>>>>>> gidNumber (10000 in your case) and the contents any 'member' 
>>>>>>>>>>> attributes, so I presume if you examine the groups AD 
>>>>>>>>>>> object, you would find 8 'member' attribute lines.
>>>>>>>>>>>
>>>>>>>>>>> But if you were to run 'getent passwd user5', you would only 
>>>>>>>>>>> get a response if 'user5' has a 'uidNumber'.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I did forget to change it. Is it as simple as 
>>>>>>>>>>>>>> renaming now or did I screw up?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     I had a typo in my hosts file which is the reason 
>>>>>>>>>>>>>>>> my initial DNS update failed. Corrected and joined 
>>>>>>>>>>>>>>>> again. Successfully joined and updated DNS A record. I 
>>>>>>>>>>>>>>>> then made sure to give 'Domain users' a id of 10000. I 
>>>>>>>>>>>>>>>> am now able to run 'getent passwd' and see all my 
>>>>>>>>>>>>>>>> domain users! YES! However I still see something that 
>>>>>>>>>>>>>>>> confuses me. When I run 'id tuser' I get the following.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) 
>>>>>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     I've gotten a bit further. It appears my use of 
>>>>>>>>>>>>>>>>>> '.local' is causing the issue from what I've 
>>>>>>>>>>>>>>>>>> researched. I ran '/etc/init.d/avahi-daemon stop'. 
>>>>>>>>>>>>>>>>>> This allowed me to successfully join the domain.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: 
>>>>>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>     If you don't mind I like to post my member 
>>>>>>>>>>>>>>>>>>>> server configuration as I attempt again. This is 
>>>>>>>>>>>>>>>>>>>> how my member server(Ubuntu 12.04) is configured 
>>>>>>>>>>>>>>>>>>>> after fresh install and prior to Samba build. 
>>>>>>>>>>>>>>>>>>>> Anything I'm missing that could cause my issue as I 
>>>>>>>>>>>>>>>>>>>> proceed? I assume no other prerequisites must be 
>>>>>>>>>>>>>>>>>>>> done on the other DC's either? Thanks.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev 
>>>>>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev 
>>>>>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev 
>>>>>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev 
>>>>>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user 
>>>>>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 
>>>>>>>>>>>>>>>>>>>> 1       1
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 
>>>>>>>>>>>>>>>>>>>> capable hosts
>>>>>>>>>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it 
>>>>>>>>>>>>>>>>>>> should just contain 'pfmember1'.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you 
>>>>>>>>>>>>>>>>>>> were to use Debian Wheezy and backports, you 
>>>>>>>>>>>>>>>>>>> wouldn't have to compile samba4.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> #/network/interfaces
>>>>>>>>>>>>>>>>>>>> # This file describes the network interfaces 
>>>>>>>>>>>>>>>>>>>> available on your system
>>>>>>>>>>>>>>>>>>>> # and how to activate them. For more information, 
>>>>>>>>>>>>>>>>>>>> see interfaces(5).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>     I forgot to tell you the results were from my 
>>>>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. 
>>>>>>>>>>>>>>>>>>>>>> Member server returned something to the effect of 
>>>>>>>>>>>>>>>>>>>>>> 'user not found'. I am only starting the 3 
>>>>>>>>>>>>>>>>>>>>>> services (smbd, nmbd and winbindd) listed in the 
>>>>>>>>>>>>>>>>>>>>>> wiki. Should I be starting Samba with command 
>>>>>>>>>>>>>>>>>>>>>> line switches to start as a member server? Is 
>>>>>>>>>>>>>>>>>>>>>> that even possible?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the 
>>>>>>>>>>>>>>>>>>>>> classic or original way that samba3 was used, or 
>>>>>>>>>>>>>>>>>>>>> as an AD DC. If you run samba4 in the classic way, 
>>>>>>>>>>>>>>>>>>>>> you need to start the smbd & nmbd daemons and 
>>>>>>>>>>>>>>>>>>>>> optionally the winbind daemon. If you use samba4 
>>>>>>>>>>>>>>>>>>>>> as an AD DC, then you only start the samba daemon, 
>>>>>>>>>>>>>>>>>>>>> this will start any other required daemons, you 
>>>>>>>>>>>>>>>>>>>>> only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you 
>>>>>>>>>>>>>>>>>>>>> must carry out the tests on the member server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again 
>>>>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>     I decided to start over with a fresh 
>>>>>>>>>>>>>>>>>>>>>>>> install and attempted again. Only change I made 
>>>>>>>>>>>>>>>>>>>>>>>> was to start my mappings at 10000. I gave 
>>>>>>>>>>>>>>>>>>>>>>>> 'Domain Users' group gid 10000 and 'tuser' has 
>>>>>>>>>>>>>>>>>>>>>>>> uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>  dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>>>>>> objectSid: 
>>>>>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>>>>>> objectCategory: 
>>>>>>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local 
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test 
>>>>>>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank 
>>>>>>>>>>>>>>>>>>>>>>>>>> terminal line.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> group domain users'(users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I set a user with a uid and domain 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> users group with a gid but I'm still 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> unable to view them using 'id'. I do 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> notice a few strange observations. If I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> go to another user to attempt to assign a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> uid. I get the default value of 10000. I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> would expect 2001 given I set the first 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>     I learned the hard way about 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .local. I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> server. Following along with the wiki I 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get stuck at 'Testing the Winbind 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user'. It will only retrieve local 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> machine users. Let me preface by saying 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this is a Ubuntu 12.04 server with 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wiki(Setup a Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> order for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> using the 'ad' backend. For this to 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work, you need to add 'uidNumber' 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attributes to your users and a 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. The numbers that you 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> add must be between the range you set in 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your smb.conf, again if you followed the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> clear the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' 
>>>>>>>>>>>>>>>>>>>>>>>>>>> lines from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a 
>>>>>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already 
>>>>>>>>>>>>>>>>>>>>>>>>> installed, then run:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H 
>>>>>>>>>>>>>>>>>>>>>>>>> /var/lib/samba/private/sam.ldb 
>>>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as 
>>>>>>>>>>>>>>>>>>>>>>> such you are using the std windows start number 
>>>>>>>>>>>>>>>>>>>>>>> 10000, which is the way I run samba. Here is my 
>>>>>>>>>>>>>>>>>>>>>>> smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = 
>>>>>>>>>>>>>>>>>>>>>>> rfc2307
>>>>>>>>>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you 
>>>>>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>
>>>>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache 
>>>>>>>>>>>>> flush' and restart samba & winbind.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -- 
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> -James
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> -James
>>>>>
>>>>
>>>> -- 
>>>> -James
>>>
>>
>> -- 
>> -James
>

-- 
-James
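An added example (my own script, not code from this thread or from the Samba project) that applies the idmap rules Rowland explains above: it parses the idmap lines of an smb.conf, reports whether the wiki's template domain name was left in place of the workgroup, whether the '*' and domain ranges overlap, and whether a uidNumber/gidNumber such as the 2000 tried earlier falls outside the 'ad' range; it also tells you which backend owns a given id and so whether that id is the same on every member server. The smb.conf text, the workgroup DOMAIN and the id values are constructed for the example.

```python
"""Sanity-check the idmap settings of a Samba AD member server (added example).

The '*' range (tdb backend) holds ids winbind allocates locally for well-known
and BUILTIN objects such as 'Everyone', so they can differ between machines;
the domain's 'ad' backend only maps uidNumber/gidNumber values inside its range.
"""
import re
from typing import Dict, List, Optional, Tuple

IdmapTable = Dict[str, Dict[str, str]]

# Constructed sample smb.conf: the wiki template with the placeholder domain
# name still in place, checked below together with a uidNumber of 2000.
SAMPLE_SMB_CONF = """
[global]
        workgroup = DOMAIN
        security = ADS
        realm = DOMAIN.LOCAL
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend  = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE:schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_idmap(conf: str) -> Tuple[Optional[str], IdmapTable]:
    """Return (workgroup, {idmap domain: {option: value}}) from smb.conf text."""
    workgroup = None
    domains: IdmapTable = {}
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return workgroup, domains


def parse_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def classify_xid(domains: IdmapTable, xid: int) -> Optional[Tuple[str, str, bool]]:
    """Return (idmap domain, backend, stable_across_hosts) for a uid/gid.

    Ids in the '*' tdb range (2002 for 'Everyone' in the thread) are handed out
    per server in first-seen order; only 'ad' backend ids come from AD and are
    identical on every member server."""
    for dom, opts in domains.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= xid <= hi:
                backend = opts.get("backend", "").lower()
                return dom, backend, backend == "ad"
    return None


def check_config(conf: str, rfc2307_ids: List[int]) -> List[str]:
    """List problems: template domain name not renamed to the workgroup,
    overlapping ranges, and uidNumber/gidNumber values no 'ad' range covers."""
    problems: List[str] = []
    workgroup, domains = parse_idmap(conf)
    if workgroup and workgroup not in domains:
        others = [d for d in domains if d != "*"]
        problems.append(f"no 'idmap config {workgroup}' block; rename {others} "
                        f"to the workgroup name")
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of '{a}' and '{b}' overlap")
    ad_ranges = [ranges[d] for d in names
                 if domains[d].get("backend", "").lower() == "ad"]
    for xid in rfc2307_ids:
        if not any(lo <= xid <= hi for lo, hi in ad_ranges):
            problems.append(f"id {xid} lies outside every 'ad' range; "
                            f"winbind will not map it")
    return problems
```

Run `check_config(open("/etc/samba/smb.conf").read(), [uids and gids you set in AD])` on the member server to get the list of findings; an empty list means the ranges and attribute values are consistent.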


