[Samba] re-using a member server?
BISI
d3r3kshaw at gmail.com
Sun Jan 18 17:34:58 MST 2015
OK - I must be close, but I'm lost...
I have a sernet member server that I built and joined to a test
win2008R2 AD Domain Controller ("the AD-DC").
(Version 4.1.14-SerNet-Debian-9.wheezy)
I used Louis van Belle's setup script (manually executed, just 'cause
I'm that kind of guy).
https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
The install, configuration and testing of the member server went very
smoothly (also teaching me, I thought, that you need to install the
deprecated IdMU service on the AD-DC server first, and set up the NIS
information (GIDs and UIDs) on the AD-DC). Everything worked as expected.
One wrinkle here -- In my ignorance, I did not accept the default 10000
starting point for NIS UIDs and GIDs. I followed the lead of one of the
example smb.conf scripts, and started at 500.
After testing was complete, I did a
net ads leave -U administrator
to remove the member server from the domain.
I am now trying to get the same member server (it is an esxi VM)
working with a production AD-DC, and it's no longer working. So I've
built yet another test windows AD-DC and I can't get the member server
working properly with that one, either.
Clearly I'm missing something obvious. Any help to identify what it is
would be greatly welcomed.
A collection of maybe-relevant information:
- I made the original test windows AD-DC with the same forest/domain
name. The new test windows AD-DC has the same name (HO.EXAMPLE.ORG).
- The member server joins the domain with the usual statements of
success (and creates a new krb5.keytab file).
- The server shows up in DNS properly, and is visible in the windows
explorer/browser but if one of the joined-up windows 7 machines attempts
to access the server, the dialog asking for credentials comes up.
- the wbinfo -u and -g commands work
- id domainUser does not (no such user)
- wbinfo -i testuser responds with information put in the NIS fields
on the AD-DC, but is clearly assigning the user to the wrong domain
testuser:*:50002:50003:testuser:/home/testuser:/bin/false
smb.conf on the member server:
> # /etc/samba/smb.conf
> [global]
> workgroup = HO
> security = ADS
> realm = HO.EXAMPLE.ORG
>
> netbios name = sernetmember
> domain master = no
> host msdfs = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
>
> ## map ids outside the domain (BUILTIN, local accounts) to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 50001-80000
> ## map ids from the domain, read from the AD rfc2307 attributes
> ## (uidNumber/gidNumber); the two ranges MUST not overlap!
> ## The per-domain label must be the workgroup (short domain) name, HO.
> ## With the original label INTERNAL it never matched, so HO users fell
> ## through to the '*' tdb range (which is where uid 50002 above comes from).
> idmap config HO:backend = ad
> idmap config HO:schema_mode = rfc2307
> ## only uidNumber/gidNumber values inside this range are mapped
> idmap config HO:range = 2000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> wins server = 192.168.21.1
>
> template shell = /bin/bash
> ## %U is the session user name (the original had %USERNAME%, which is not
> ## a Samba substitution variable); with nss info = rfc2307 this is only a
> ## fallback for accounts that have no unixHomeDirectory set in AD.
> template homedir = /home/samba/HO/users/%U
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on member file server
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Setting Globally
> usershare allow guests = no
> unix extensions = no
> wide links = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
>
> [home]
> path = /mnt/smbshares/home
> read only = no
>
> [profiles$]
> path = /mnt/smbshares/profiles
> read only = no
> admin users = +"HO\Domain Admins"
> profile acls = yes
> csc policy = disable
>
> [public]
> path = /mnt/smbshares/public
> read only = no
>
> [install$]
> path = /mnt/smbshares/install
> read only = no
>
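An added check for the idmap block in the smb.conf above (example code written for this edit, not from the post, from Louis van Belle's script or from Samba itself): it parses the [global] idmap lines, flags a per-domain label that does not match the workgroup, verifies that the ranges do not overlap, and reports which range the uid from a wbinfo -i line falls into. SMB_CONF_POSTED is a constructed copy of only the idmap-relevant lines of the posted file; SMB_CONF_FIXED is the same text with the domain label changed to the workgroup name; WBINFO_LINE is the wbinfo -i output quoted in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

IdmapConfig = Dict[str, Dict[str, str]]

# Constructed sample: only the idmap-relevant [global] lines of the posted smb.conf.
SMB_CONF_POSTED = """\
[global]
workgroup = HO
security = ADS
realm = HO.EXAMPLE.ORG
## map ids outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 50001-80000
## map ids from the domain
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000
winbind nss info = rfc2307
"""

# The same lines with the idmap domain label changed to the workgroup name.
SMB_CONF_FIXED = SMB_CONF_POSTED.replace("INTERNAL:", "HO:")

# The wbinfo -i line quoted in the post.
WBINFO_LINE = "testuser:*:50002:50003:testuser:/home/testuser:/bin/false"

_IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:]+):(\w+)\s*=\s*(.+)$", re.IGNORECASE)


def parse_global(text: str) -> Tuple[Optional[str], IdmapConfig]:
    """Return (workgroup, {DOMAIN: {key: value}}) from the [global] section."""
    workgroup: Optional[str] = None
    idmap: IdmapConfig = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global":
            continue
        m = _IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).strip().upper(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[key] = val
        else:
            key, _, val = line.partition("=")
            if key.strip().lower() == "workgroup":
                workgroup = val.strip().upper()
    return workgroup, idmap


def parse_range(spec: str) -> Tuple[int, int]:
    """'2000-40000' -> (2000, 40000)."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def check_idmap(workgroup: Optional[str], idmap: IdmapConfig) -> List[str]:
    """Return a list of configuration problems (empty when the block is consistent)."""
    problems: List[str] = []
    for dom, cfg in idmap.items():
        for needed in ("backend", "range"):
            if needed not in cfg:
                problems.append(f"idmap config {dom}: missing '{needed}'")
        # winbind picks the per-domain block by the short (NetBIOS) domain
        # name, so a label that is not the workgroup is never consulted.
        if dom not in ("*", workgroup):
            problems.append(
                f"idmap config {dom}:... never matches workgroup {workgroup}; "
                f"{workgroup} users fall back to the '*' backend"
            )
    if workgroup and workgroup not in idmap:
        problems.append(f"no idmap config {workgroup}:backend block for the joined domain")
    if "*" not in idmap:
        problems.append("no idmap config *:backend default block")
    ranges = [(d, parse_range(c["range"])) for d, c in idmap.items() if "range" in c]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


def classify_uid(uid: int, idmap: IdmapConfig) -> Optional[str]:
    """Name the idmap domain whose range contains uid, or None if no range does."""
    for dom, cfg in idmap.items():
        if "range" in cfg:
            lo, hi = parse_range(cfg["range"])
            if lo <= uid <= hi:
                return dom
    return None


def wbinfo_uid_domain(line: str, idmap: IdmapConfig) -> Tuple[str, int, Optional[str]]:
    """Parse a passwd-style 'wbinfo -i' line and say which idmap range its uid came from."""
    fields = line.split(":")
    name, uid = fields[0], int(fields[2])
    return name, uid, classify_uid(uid, idmap)


if __name__ == "__main__":
    for label, conf in (("posted", SMB_CONF_POSTED), ("fixed", SMB_CONF_FIXED)):
        wg, idmap = parse_global(conf)
        print(f"== {label}: workgroup={wg}")
        for p in check_idmap(wg, idmap) or ["no problems found"]:
            print("  ", p)
        print("  ", wbinfo_uid_domain(WBINFO_LINE, idmap))
```

Run against the posted text, the checker reports that the INTERNAL block never matches workgroup HO and that no HO block exists, and places uid 50002 in the '*' tdb range; with the label corrected it reports nothing, and a uid such as 500 (the NIS starting point mentioned above) classifies as None because it lies below the 2000-40000 ad range and would therefore not be mapped.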