[Samba] Problems with Member server in a Samba AD Domain
Rowland penny
rpenny at samba.org
Sun Mar 27 17:15:19 UTC 2016
On 27/03/16 17:15, spindles7-2 at yahoo.co.uk wrote:
> I have set up a Samba Active Directory domain controller on a fresh
> install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
> fine as far as I can tell. I had users' home folders with the H:
> drive letter connecting to the share on the DC and folder redirection
> for My Documents, Pictures etc.
>
> Then I decided to add a member server (also Debian Jessie) and put the
> users' home folders on that server. So I created a second OU with
> folder redirection of Documents, Pictures etc and mapped the H: drive
> to the users' shared folder on the member server. My problem is that
> whilst the users' folders get created automatically and have the
> correct NTFS permissions (as seen from a Windows 7 machine) the user
> cannot access the folder on the member server - Access Denied.
> Permissions say Full Control for the user. It seems that the newly
> created users are not being recognised by the member server: getent
> passwd returns just the administrator and the user I created with home
> folder on the DC:
>
> # getent passwd
> [...]
> test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh
> administrator:*:10000:10000:Administrator:/home/Administrator:/bin/sh
>
> The other user with home folder on the member server does not show up.
>
> So I moved the first user into the second OU and changed the H: drive
> mapping to be on the member server. That user can now access the
> home folder on the member server. Note though that the My Documents
> folder doesn't appear until the second login.
>
> Here's my smb.conf on the member server:
>
> [global]
>
> netbios name = debian-m1
> security = ADS
> workgroup = MICROLYNX
> realm = MICROLYNX.LOCAL
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # idmap config used for your domain.
> # Click on the following links for more information
> # on the available winbind idmap backends,
> # Choose the one that fits your requirements
> # then add the corresponding configuration.
>
> # Just adding the following three lines is not enough!!
> # - idmap config ad
>
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain MICROLYNX
> idmap config MICROLYNX:backend = ad
> idmap config MICROLYNX:schema_mode = rfc2307
> idmap config MICROLYNX:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> template homedir = /srv/users/%U
> template shell = /bin/bash
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [users]
> path = /srv/users
> read only = No
>
> This is the output of getent passwd on the DC (debian-dc1):
> # getent passwd
> [...]
> MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
> MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
> MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
> MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash
> MICROLYNX\administrator:*:0:100::/srv/users/administrator:/bin/bash
> MICROLYNX\krbtgt:*:3000041:100::/srv/users/krbtgt:/bin/bash
> MICROLYNX\guest:*:3000007:100::/srv/users/guest:/bin/bash
>
> So why are these additional users not being recognised by the member
> server (debian-m1)? Also the template homedir & shell lines in the
> smb.conf seem to be ignored (by debian-m1).
>
> Any help would be appreciated,
>
> spindles7
OK, I think your problems are all probably caused by the same thing: you
are using the winbind 'ad' backend on the domain member, but *you
haven't given any of your users 'uidNumber' attributes and you haven't
given 'Domain Users' a 'gidNumber' attribute*.
Two ways to fix this: use the 'rid' backend instead, or give all your
users a 'uidNumber' attribute and 'Domain Users' (at least) a
'gidNumber' attribute. These attributes need to be inside the range you
set in smb.conf (in your case, 10000-99999).
If you do have these attributes in AD, have you set up PAM and
/etc/nsswitch.conf correctly?
Rowland
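The check Rowland describes, as an added example that is not part of this thread: given LDIF in the shape ldbsearch prints (the sample below is constructed, with the attribute names from AD and the 10000-99999 range from the posted smb.conf), report every user without a uidNumber, a 'Domain Users' group without a gidNumber, and any value outside the idmap range, since winbind's 'ad' backend will silently skip those accounts.

```python
from typing import Dict, List

# Constructed sample, not real directory output. Shape follows
# "ldbsearch -H <sam.ldb> '(objectClass=*)' sAMAccountName uidNumber gidNumber".
SAMPLE_LDIF = """\
# record 1
dn: CN=test1,OU=Users2,DC=microlynx,DC=local
sAMAccountName: test1
uidNumber: 10001

# record 2
dn: CN=test3,OU=Users2,DC=microlynx,DC=local
sAMAccountName: test3

# record 3
dn: CN=test4,OU=Users2,DC=microlynx,DC=local
sAMAccountName: test4
uidNumber: 500

# record 4
dn: CN=Domain Users,CN=Users,DC=microlynx,DC=local
sAMAccountName: Domain Users

# returned 4 records
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split simple LDIF into one dict per entry; comment lines are ignored."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # ldbsearch "# record N" / "# returned" lines
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()   # last value wins for repeated attrs
    if current:
        entries.append(current)
    return entries


def check_idmap(entries: List[Dict[str, str]], lo: int = 10000, hi: int = 99999) -> List[str]:
    """Apply the rule from the reply: users need uidNumber, Domain Users needs
    gidNumber, and each value must fall inside the 'idmap config ... :range'."""
    problems: List[str] = []
    for entry in entries:
        name = entry.get("sAMAccountName", entry.get("dn", "?"))
        attr = "gidNumber" if name == "Domain Users" else "uidNumber"
        value = entry.get(attr)
        if value is None:
            problems.append(f"{name}: missing {attr}")
        elif not lo <= int(value) <= hi:
            problems.append(f"{name}: {attr}={value} outside {lo}-{hi}")
    return problems
```

Accounts listed by this check are exactly the ones that will be absent from `getent passwd` on the member server until the attribute is added or the backend is switched to 'rid'.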