[Samba] Logins differ for ip/DNS on ad dc
Rowland Penny
rpenny at samba.org
Sat Nov 5 08:08:31 UTC 2016
On Sat, 05 Nov 2016 07:06:19 +0100
Maximilian Kirchner via samba <samba at lists.samba.org> wrote:
> I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04).
> If I connect to the server via \\smb.wie (its dns name) I can access
> netlogon and sysvol. If I connect via its IP then I can access all my
> shares (test as an example) - but either way I cannot connect to the
> other (I do see them though). Windows always tells me the login
> credentials would be wrong for the other one.
>
> This is my config:
>
> [global]
> netbios name = SRV
> realm = SMB.WIE
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = SMB
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> interfaces = bond0:0
> bind interfaces only = yes
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind nested groups = No
> #winbind separator = +
>
> idmap backend = tdb
> idmap uid = 10000 - 20000
> idmap gid = 10000 - 20000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000 - 20000
>
> passdb backend = tdbsam # should be default
>
> domain logons = yes
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/smb.wie/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [test]
> path = /usr/local/samba/var/locks/sysvol/test
> read only = No
>
> And this the access rights:
> Result of ll /usr/local/samba/var/locks/sysvol/test
>
> drwxrwx---+ 5 root users 4096 Nov 1 19:42 ./
> Result of ll /usr/local/samba/var/locks/sysvol
>
> drwxrwx---+ 5 root users 4096 Nov 1 19:50 ./
> log.smbd only tells me the server started successfully and log.samba
> throws the following warning which I found on the net to ignore:
> samba: setproctitle not initialized, please either call
> setproctitle_init() or link against libbsd-ctor.
>
> I guess it is due to this error that profile synchronization also
> does not work which is why I need to fix this.

This is obviously a DC so you should remove the domain member
components from your smb.conf:

    idmap backend = tdb
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000 - 20000
    passdb backend = tdbsam # should be default
    domain logons = yes

They will not work on a DC.

You should also remove:

    winbind use default domain = Yes

for the same reason.

As you are trying to use the 'rid' backend, I take it you haven't given
your users and groups any uidNumber or gidNumber attributes.

Can I suggest you try reading the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Paying attention to:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
https://wiki.samba.org/index.php/Implementing_roaming_profiles

Rowland
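
The check described in the reply above, as an added example that is not part of the original post and not Samba's own code: a small Python linter that flags the parameters the reply lists when `server role` in `[global]` is `active directory domain controller`. The function names and the sample configuration are assumptions made for illustration; parameter names are matched ignoring case and whitespace.

```python
import re

# Parameters the reply says to remove from a DC's smb.conf; names are compared
# lowercased with whitespace removed. "idmap config ..." is matched by prefix.
MEMBER_ONLY = {"idmapbackend", "idmapuid", "idmapgid", "passdbbackend",
               "domainlogons", "winbindusedefaultdomain"}
DC_ROLE = "active directory domain controller"

# Constructed sample, abridged from the configuration quoted in the post.
SAMPLE = """[global]
server role = active directory domain controller
winbind use default domain = Yes
idmap backend = tdb
idmap config DOMAIN : backend = rid
; passdb backend = tdbsam
domain logons = yes
[test]
path = /usr/local/samba/var/locks/sysvol/test
"""

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return [(lineno, name, value)] for parameters set in [global]."""
    params, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":    # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params.append((lineno, name.strip(), value.strip()))
    return params

def dc_findings(text):
    """Return [(lineno, name)] of member-only parameters set on an AD DC."""
    params = parse_global(text)
    role = next((v.lower() for _, n, v in params if norm(n) == "serverrole"), "")
    if role != DC_ROLE:
        return []
    return [(ln, n) for ln, n, _ in params
            if norm(n) in MEMBER_ONLY or norm(n).startswith("idmapconfig")]

if __name__ == "__main__":
    for ln, name in dc_findings(SAMPLE):
        print(f"line {ln}: remove '{name}' (domain member setting on a DC)")
```
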