[Samba] help, please, troubleshooting winbind testing during setup of Samba 4 AD member server
Rowland Penny
rowlandpenny at googlemail.com
Tue Jan 13 02:50:04 MST 2015
On 13/01/15 01:07, BISI wrote:
> Found it! (Thanks to Louis van Belle and Rowland Penny for their
> guidance).
>
> The wiki page for
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> *really* needs a note about this to be added. It will save a lot of
> frustration and wasted time for others coming behind.
>
> The reason I say this is that a default Windows Server 2008 R2
> install, *does not provide* the necessary tools to allow a Samba 4 AD
> Member Server to enumerate the users and groups for the domain. So it
> will join the domain, and wbinfo -u and wbinfo -g report info, but the
> member server is still essentially useless - unavailable to the domain
> users.
>
> Thus, if you using the wiki as a guide, with a Windows server 2008 R2
> Domain Controller, you will hit the same wall as I have.
>
> To fix this situation, somewhere in "Section 2 Preconditions" there
> should be a mention (say, section 2.3) of installing said tools.
>
> Feel free to cut and paste the following in place if you have editing
> privileges (formatted for mediaWiki).
>
> ==Windows Domain Controller==
> '''This will require a server reboot'''
>
> If you have a windows Domain Controller you are '''strongly advised'''
> add the "Identity Management for Unix" Role (IDMU), so that you will
> be able to use the schema_mode = rfc2307 option of Samba to keep
> userIDs in sync on multiple member servers. Not doing so invites a
> lot of problems, and all the documentation presented here assumes you
> will be using the schema_mode = rfc2307 option.
>
> Here's what Microsoft have to say about IDMU:
> <blockquote>Identity Management for UNIX is deprecated. If you try to
> upgrade a computer that runs Identity Management for UNIX, you may
> receive a warning that it must be removed before the upgrade can
> proceed. In that case, see Installing or removing Identity Management
> for UNIX by using a command line.</blockquote>
> [http://technet.microsoft.com/en-us/library/cc772571.aspx MS Technet
> Article cc772571]
>
> *Damn the torpedos! (install IDMU on server 2008 r2)
> #Control Panel -> administrative tools -> server manager
> #Expand Roles
> #Click on "Active Directory Domain Services" (AD DS, in the technet docs)
> #Scroll down to "Role Services" section
> #Click on "Add Role Services" (link)
> #Select "Identity Management for UNIX"
> ##That will also select 3 sub-services, including "Server for Network
> Information Services" and "Administration Tools"
> #Next (button)
> #Install (button)
>
> Now you can use ADUC to see and set the "UNIX Attributes" tab in
> properties for users and groups.
>
> Next step is to set the UID and GID for users/groups you want to be
> able to see from the Member Server.
>
> some people say you need to to match your settings in the smb.conf for
> the member server (or vice-versa). I'm not sure that's true -- windows
> defaults to 10000, and using that number or 500 had no apparent affect
> on the reported UID or GID at the member server.
>
> So, using the example smb.conf from the
> [https://wiki.samba.org/index.php?title=Setup_a_Samba_AD_Member_Server
> AD Member Server page], matching the UID/GID numbers means:
> <blockquote> idmap config SAMDOM:range = 500-40000 </blockquote>
> nb - this is probably *not* a good range to use, since 500 is well
> within the normal linux userID ranges.
>
> Start with the groups in Builtin OU ('cause the users need a primary
> group) (Assuming a stock Server 2008 R2 Server Standard install)
> Administrators
> NIS domain: samdom; GID: 500
>
> Now go to the Users OU and do the groups:
> Domain Admins
> NIS Domain: samdom; GID: 501
> Domain Users
> NIS Domain: samdom; GID: 502
> Enterprise Admins
> NIS Domain: samdom; GID 503
> etc.
> NOTE - I think you have to manually keep track of the NEXT UID number
> 'cause ADUC always pops up with 10000 by default (I'm sure there's a
> way to configure it -- I've spent enough time on this already. Future
> me (or future you) can figure that out.
>
> Now edit the built-in Administrator user
> Administrator
> NIS Domain: samdom; UID: 500; Login Shell: /bin/whatever; Home
> Directory: /home/administrator; Primary group name/GID:Administrators
> (Should be what you set up in the Builtin OU)
>
> Now edit any existing users in any other OUs you might be using...
> Fred
> NIS Domain: samdom; UID: 501; Login Shell: /bin/false; Home
> Directory: /home/fred Primary group name/GID: Domain Users
> Sally
> etc.
>
> Now you should be able to enumerate the users and groups of the AD
> Domain from the member server with the tests shown in Section 9 of the
> wiki (id DomainUser, getent passwd, etc.). At least I was finally
> able to do so.
>
> Cheers!
> d.
>
> On 15-01-08 07:16 PM, BISI wrote:
>> Hello, all!
>>
>> Well, third time is *not* the charm for me. (I've been through the
>> process 3 times with 3 different DCs).
>>
>> I am trying to set up a member server, using Samba 4.1.14, and washing
>> out when getting to the winbind testing. I've tried ignoring the failure
>> and pressing on, but that didn't get anywhere.
>>
>> In this instance, I have a freshly-installed, configured and functioning
>> Server 2008r2 Domain Controller, operating at server 2003 forest and
>> domain functional level.
>>
>> following the instructions in:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> https://wiki.samba.org/index.php/OS_Requirements
>>
>>
>> Completely stock compile from the tarball. I am using Debian 7.7
>> (wheezy), and samba 4.1.14,
>>
>> ./configure --with-ads --with-shared-modules=idmap_ad --enable-cups \
>> --enable-selftest
>>
>> make quicktest passes:
>> make quicktest
>> ...ALL OK (2086 tests in 310 testsuites)
>>
>> ...A summary with detailed information can be found in:
>> ... ./st/summary
>> ...'testonly' finished successfully (11m24.779s)
>>
>> ./st/summary is found here:
>> http://pastebin.com/zjkHDYUX
>>
>>
>> daemons started manually with
>> /usr/local/samba/sbin/smbd --daemon -l /var/log/samba/ -d 1
>> /usr/local/samba/sbin/nmbd --daemon -l /var/log/samba/ -d 1
>> /usr/local/samba/sbin/winbindd --daemon -l /var/log/samba/ -d 1
>>
>>
>> The commands:
>> wbinfo -u
>> wbinfo -g
>> show the users and groups from the AD Domain.
>>
>> but the other tests
>> # id DomainUser
>> # getent passwd
>> # getent group
>> # chown DomainUser:DomainGroup file
>> # chgrp DomainGroup file
>> etc.
>> do not get any information from the domain, seemingly only working with
>> the local user information.
>>
>> Where do I begin troubleshooting?
>>
>> Any help/guidance is greatly appreciated.
>>
>> my smb.conf is here:
>> http://pastebin.com/QJfh4RLN
>>
>> log.winbindd (created with debug level 1) is here:
>> http://pastebin.com/S2maUADf
>>
>> Kerberos seems to be working:
>> root at testmember:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: userID at HO.NAME.ORG
>>
>> Valid starting Expires Service principal
>> 08/01/2015 18:46 09/01/2015 04:46 krbtgt/HO.NAME.ORG at HO.NAME.ORG
>> renew until 09/01/2015 18:46
>>
>>
>> root at testmember:~# cat /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> <snip>
>>
>> DNS seems to be working:
>> root at testmember:~# host -t SRV _ldap._tcp.ho.name.org.
>> _ldap._tcp.ho.name.org has SRV record 0 100 389 namedc.ho.name.org.
>>
>> root at testmember:~# host -t SRV _kerberos._udp.ho.name.org.
>> _kerberos._udp.ho.name.org has SRV record 0 100 88 namedc.ho.name.org.
>>
>> root at testmember:~# host -t A namedc.ho.name.org.
>> namedc.ho.name.org has address 192.168.8.1
>>
>> Thanks in advance for any help!
>> d.
>>
>
Why use the windows group RID's ? Just start at 10000 and go from there,
Oh and windows stores the uid & gid numbers in the msSFU30MaxUidNumber &
msSFU30MaxGidNumber attributes. If you had started from 10000, windows
would have created these for you
Rowland
More information about the samba
mailing list