[Samba] Problems with Member server in a Samba AD Domain

spindles7-2 at yahoo.co.uk spindles7-2 at yahoo.co.uk
Sun Mar 27 16:15:32 UTC 2016

I have set up a Samba Active Directory domain controller on a fresh
install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
fine as far as I can tell.  I had users' home folders with the H:
drive letter connecting to the share on the DC and folder redirection
for My Documents, Pictures etc.     

Then I decided to add a member server (also Debian Jessie) and put the
users' home folders on that server.  So I created a second OU with
folder redirection of Documents, Pictures etc and mapped the H: drive
to the users' shared folder on the member server.  My problem is that
whilst the users' folders get created automatically and have the
correct NTFS permissions (as seen from a Windows 7 machine) the user
cannot access the folder on the member server - Access Denied.
Permissions say Full Control for the user.  It seems that the newly
created users are not being recognised by the member server: getent
passwd returns just the administrator and the user I created with home
folder on the DC:

# getent passwd
test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh

The other user with home folder on the member server does not show up.

So I moved the first user into the second OU and changed the H: drive
mapping to be on the member server.  That user can now access the
home folder on the member server.  Note though that the My Documents
folder doesn't appear until the second login.

Here's my smb.conf on the member server:


       netbios name = debian-m1
       security = ADS
       workgroup = MICROLYNX
       realm = MICROLYNX.LOCAL

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes
       # idmap config used for your domain.
       # Click on the following links for more information
       # on the available winbind idmap backends,
       # Choose the one that fits your requirements
       # then add the corresponding configuration.
       # Just adding the following three lines is not enough!!
       #  - idmap config ad

       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain MICROLYNX
       idmap config MICROLYNX:backend = ad
       idmap config MICROLYNX:schema_mode = rfc2307
       idmap config MICROLYNX:range = 10000-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307
       template homedir = /srv/users/%U
       template shell = /bin/bash

       vfs objects = acl_xattr
       map acl inherit = yes
       store dos attributes = yes

       path = /srv/users
       read only = No

This is the output of getent passwd on the DC (debian-dc1):

# getent passwd
MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash

So why are these additional users not being recognised by the member
server (debian-m1)?  Also the template homedir & shell lines in the
smb.conf seem to be ignored (by debian-m1).

Any help would be appreciated,
