[Samba] Samba4 DC is not visible in network neighborhood

Rowland Penny rowlandpenny241155 at gmail.com
Sun Nov 22 09:47:37 UTC 2015


On 22/11/15 09:14, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>> Is there at last a solution? I've only found questions, in the list, and on
>>>>> the network.
>>>>>
>>>>> The issue is that a DC built on Samba4 does not report to network browsers,
>>>>> nor does it participate in the election to become a browser itself.
>>>>> Consequently, it is not visible in the neighborhood, neither on Windows nor on
>>>>> Linux.
>>>>>
>>>>> I've managed to force a second Linux host (member server) become a local
>>>>> browser. At least, I can see it and other hosts now. But not the DC itself.
>>>>>
>>>>>
>>>> Hi Andrey,
>>>> In that case you did exactly what you were supposed to do. :)
>>>> Browsing is turned off for the DC by design, and this will not change.
>>>> Use member servers to implement browsing.
>>> And how am I supposed to address the DC then?
>>> For all my attempts, I've had to conclude that member servers can't be
>>> configured to manage shares with native ACL's. No matter what I do, I always
>>> get "access denied" on a member server when trying to setup share permissions
>>> on a member server using Windows tools.
>>> So far, the only solution was to move ACL-sensitive services to the DC.
>>> But this is really not a solution. Only a workaround.
>>>
>>>
>> What do you mean 'native ACLs' ?
> Err, okay, "windows ACL's", not "native (POSIX)". Was writing in a
> less-than-sane state of mind.
>
>> you should be able to manage access to a share on a domain member from a
>> windows machine,
> Should be, that much I've gathered from wiki. But it is already nine months
> that I'm unable to implement it.
>
>> see this page on the wiki:
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>> If you follow the various pages on the wiki, you should be able to make it
>> work; if you cannot, you are doing something wrong.
> So, what am I doing wrong? I've followed the wiki multiple times to the point.
> If you have any diagnostics in mind, please suggest, because this is tiring.
>
> The smb.conf is attached; the member server does see the users correctly.
>
> # wbinfo -i domainuser
> domainuser:*:10000:513::/home/domainuser:/bin/bash
>
> # getent passwd domainuser
> domainuser:*:10000:513::/home/domainuser:/bin/bash
>
>

Firstly I would remove these lines:

         idmap config * : schema_mode = rfc2307
         dns forwarder = 192.168.35.4 (AD DC)
         idmap_ldb:use rfc2307 = yes

The first one isn't needed and the other two should only be on a DC.

You do not have a 'username map' line. Does 'Domain Admins' have a
gidNumber, and have you given 'Domain Admins' the 'SeDiskOperatorPrivilege'?

Rowland
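
The smb.conf points from the reply above, as an added example that is not part of the original message: a shell check that flags the three lines named for removal and a missing 'username map' in the [global] section of a domain member's smb.conf. The sample config is constructed (the poster's attachment is not on the page) and the function names are hypothetical; the gidNumber and SeDiskOperatorPrivilege questions need a live domain and are not covered.

```shell
#!/bin/sh
# Added example, not from the thread: lint a domain member's smb.conf for the
# lines the reply says to remove and for a missing 'username map'.

# Constructed sample config (the poster's real attachment is not on the page).
sample_member_conf() {
cat <<'EOF'
[global]
        workgroup = EXAMPLE
        security = ADS
        realm = EXAMPLE.TEST
        idmap config * : schema_mode = rfc2307
        DNS Forwarder = 192.0.2.53
        ; username map = /etc/samba/user.map
        idmap_ldb:use rfc2307 = yes

[share]
        path = /srv/share
EOF
}

# check_member_conf FILE -> one finding per line on stdout, nothing if clean.
check_member_conf() {
    awk '
    # smb.conf names ignore case and whitespace, so compare a normalized form.
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[/       { sec = norm($0); next }  # section header
    sec != "[global]" { next }                  # only [global] is checked
    {
        eq = index($0, "=")                     # only the first "=" separates
        if (eq == 0) next
        key = norm(substr($0, 1, eq - 1))
        if (key == "idmapconfig*:schema_mode") print NR ": not needed: idmap config * : schema_mode"
        if (key == "dnsforwarder")             print NR ": DC only: dns forwarder"
        if (key == "idmap_ldb:userfc2307")     print NR ": DC only: idmap_ldb:use rfc2307"
        if (key == "usernamemap")              map = 1
    }
    END { if (!map) print "-: missing: username map" }
    ' "$1"
}

# Run the check on the constructed sample.
tmp=$(mktemp) && sample_member_conf > "$tmp" && check_member_conf "$tmp"
rm -f "$tmp"
```

Each finding is prefixed with the line number in the file; a commented-out 'username map' line, as in the sample, still counts as missing.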