[Samba] Problems with Member server in a Samba AD Domain
spindles7-2 at yahoo.co.uk
Sun Mar 27 16:15:32 UTC 2016

I have set up a Samba Active Directory domain controller on a fresh
install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
fine as far as I can tell. I had users' home folders with the H:
drive letter connecting to the share on the DC and folder redirection
for My Documents, Pictures etc.

Then I decided to add a member server (also Debian Jessie) and put the
users' home folders on that server. So I created a second OU with
folder redirection of Documents, Pictures etc and mapped the H: drive
to the users' shared folder on the member server. My problem is that
whilst the users' folders get created automatically and have the
correct NTFS permissions (as seen from a Windows 7 machine) the user
cannot access the folder on the member server - Access Denied.
Permissions say Full Control for the user. It seems that the newly
created users are not being recognised by the member server: getent
passwd returns just the administrator and the user I created with home
folder on the DC:

# getent passwd
[...]
test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh
administrator:*:10000:10000:Administrator:/home/Administrator:/bin/sh

The other user with home folder on the member server does not show up.
So I moved the first user into the second OU and changed the H: drive
mapping to be on the member server. That user can now access the
home folder on the member server. Note though that the My Documents
folder doesn't appear until the second login.

Here's my smb.conf on the member server:

[global]
netbios name = debian-m1
security = ADS
workgroup = MICROLYNX
realm = MICROLYNX.LOCAL
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# idmap config used for your domain.
# Click on the following links for more information
# on the available winbind idmap backends,
# Choose the one that fits your requirements
# then add the corresponding configuration.
# Just adding the following three lines is not enough!!
# - idmap config ad
# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain MICROLYNX
idmap config MICROLYNX:backend = ad
idmap config MICROLYNX:schema_mode = rfc2307
idmap config MICROLYNX:range = 10000-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
template homedir = /srv/users/%U
template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[users]
path = /srv/users
read only = No

This is the output of getent passwd on the DC (debian-dc1):

# getent passwd
[...]
MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash
MICROLYNX\administrator:*:0:100::/srv/users/administrator:/bin/bash
MICROLYNX\krbtgt:*:3000041:100::/srv/users/krbtgt:/bin/bash
MICROLYNX\guest:*:3000007:100::/srv/users/guest:/bin/bash

So why are these additional users not being recognised by the member
server (debian-m1)? Also the template homedir & shell lines in the
smb.conf seem to be ignored (by debian-m1).

Any help would be appreciated,
spindles7
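
Added example (not part of the original post, and not Samba code): a Python check of the rule quoted in the smb.conf comments above, that the default (*) and domain idmap ranges must not overlap. It also reports which configured range each UID from the two getent listings falls into. The regular expression and function names are this example's own.

```python
import re

# idmap lines copied from the member server's smb.conf in the post.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MICROLYNX:backend = ad
idmap config MICROLYNX:schema_mode = rfc2307
idmap config MICROLYNX:range = 10000-99999
"""
# UIDs copied from the two getent passwd listings in the post.
MEMBER_UIDS = {"test2": 10001, "administrator": 10000}
DC_UIDS = {"test1": 3000049, "test2": 3000013, "test3": 3000052, "test4": 3000053}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOMAIN:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)  # comment lines start with '#' and never match
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def overlaps(ranges):
    """Return pairs of domains whose ID ranges intersect (should be empty)."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, ra) in enumerate(items) for b, rb in items[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def owner(ranges, uid):
    """Return the domain whose range contains uid, or None if none does."""
    for domain, (low, high) in ranges.items():
        if low <= uid <= high:
            return domain
    return None

if __name__ == "__main__":
    ranges = parse_ranges(SMB_CONF)
    print("overlapping ranges:", overlaps(ranges))
    for host, uids in (("debian-m1", MEMBER_UIDS), ("debian-dc1", DC_UIDS)):
        for user, uid in sorted(uids.items()):
            print(f"{host} {user} uid={uid} -> {owner(ranges, uid)}")
```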