[Samba] SAMBA 4 Member Server - Help please

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 14 15:32:31 MST 2015


On 14/01/15 21:46, David Thompson wrote:
> Hi all,
>
>
> I'm quite stuck here at the moment. I have tried this multiple times to get built and can't seem to get it working properly. I have a test virtual server running as a domain controller with Samba 4.1.15 using (9.10.1) bind_dlz as the back end and all works properly. I have the server set up as a domain controller and have added a user and I can look that user up with the samba-tool command.
>
>
> I cannot however get the users to appear when I issue any of the commands such as ID or getent.
>
>
> I have followed the following articles located here and both seem to compile and configure without issue.
>
>
> Samba Domain Controller: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Introduction
> Samba Domain Member: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Introduction
>
>
> Kerberos works fine as I can run kinit and kdestroy on both the DC and member server and they work fine. Time is set to the default time servers right now as installed by the ntp install, but both servers are in sync for their time and working correctly.
>
>
> On the member server, I am able to get it bound to the domain without issue and I can see that it adds its name into the DNS service.
> I cannot however get it to look up any users either, which is odd, since when I set up a SAMBA3 server to be a member server, I am able to get winbindd, smbd, and nmbd playing nicely together and can look users up without issue against the DC.
>
>
> I'm not exactly sure what I'm missing here so I thought I would turn to the list. I saw on the list last week that there was a similar issue but that was with an actual Windows DC and not a Samba DC, so that issue doesn't apply to me here.
>
>
> Here is the relevant information (I think) that's needed and I appreciate any help anyone can provide me with in order to get this working properly.
>
>
> Base systems are both Debian Wheezy 64 Bit with all applied updates and patches.
> Samba: 4.1.15 (compiled by hand on both)
> Samba: 4.1.15 on member server: ./configure --with-ads --with-shared-modules=idmap_ad
> Bind: 9.10.1 (compiled by hand on DC)
>
>
> SMB.CONF file on DC Server
> =================================================
> # Global parameters
>
>
> [global]
>   workgroup = DIGIDNS
>   realm = DIGIDNS.PRIVATE
>   netbios name = DC01
>   server role = active directory domain controller
>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>   idmap_ldb:use rfc2307 = yes
>
>
> [netlogon]
>   path = /usr/local/samba/var/locks/sysvol/digidns.private/scripts
>   read only = No
>
>
> [sysvol]
>   path = /usr/local/samba/var/locks/sysvol
>   read only = No
>
>
> [home]
>   path = /home/
>   read only = no
>
>
> =================================================
>
>
>
> SMB.CONF file on member Server
> =================================================
> [global]
>
>
>
>     netbios name = fs
>     workgroup = DIGIDNS
>     security = ADS
>     realm = DIGIDNS.PRIVATE
>     encrypt passwords = yes
>
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config DIGIDNS:backend = ad
>     idmap config DIGIDNS:schema_mode = rfc2307
>     idmap config DIGIDNS:range = 500-40000
>
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>
>
>
> =================================================
>
>
> nsswitch.conf file on member server:
>
> =================================================
>
>
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
>
> =================================================
>
>
>
>
> Please let me know if any other information is required or if it's best for me to attend clown college instead...especially if it's to attend clown college.
>
>
> Thanks,
>
>
>
>
> David

Hi, I take it as read that you have joined the domain and that 
/etc/resolv.conf has the DC as the first or only nameserver.

The first thing that comes to mind is, have you given your users a 
uidNumber inside the range '500-40000' ?

What is in /etc/krb5.conf ?

Rowland
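
The uidNumber question above can be checked mechanically. This is an added example, not part of the original thread and not Samba code: it parses the `idmap config` lines from the member server's smb.conf as posted and flags accounts the `ad` backend would not map, either because uidNumber is unset or because it falls outside the configured range. The account names and uidNumber values are constructed sample data, and all function names are hypothetical.

```python
import re

# idmap lines from the member server's smb.conf as posted in the thread.
SMB_CONF = """
[global]
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config DIGIDNS:backend = ad
    idmap config DIGIDNS:schema_mode = rfc2307
    idmap config DIGIDNS:range = 500-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines start with # or ; and never match
        if m:
            domains.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
    return domains

def id_range(domains, dom):
    """Return the (low, high) ID range configured for one domain."""
    low, high = domains[dom]["range"].split("-")
    return int(low), int(high)

def overlapping(domains):
    """Adjacent pairs of domains whose ranges intersect; ranges must be disjoint."""
    items = sorted((id_range(domains, d), d) for d in domains if "range" in domains[d])
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

def classify(uid_numbers, low, high):
    """Map each account to 'ok', 'no uidNumber' or 'out of range'."""
    def state(uid):
        if uid is None:
            return "no uidNumber"
        return "ok" if low <= uid <= high else "out of range"
    return {name: state(uid) for name, uid in uid_numbers.items()}

# Constructed sample: account -> uidNumber stored in AD (None = attribute unset).
SAMPLE_USERS = {"alice": 10001, "bob": None, "carol": 3000017}

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping(doms))
    for name, state in classify(SAMPLE_USERS, *id_range(doms, "DIGIDNS")).items():
        print(f"{name}: {state}")
```

Any account reported as anything other than `ok` is one that `getent passwd` on the member would not be expected to return with this configuration.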


