[Samba] Logins differ for ip/DNS on ad dc
Maximilian Kirchner
max.kirchner at gmail.com
Sat Nov 5 11:11:20 UTC 2016
Thanks for the reply Rowland (and sorry for replying twice). I actually
used the wiki you linked to set up the DC. I just added those idmap settings
because getent could not list my samba users after setting it up; due to
your mail I realised I only needed the winbind options to make it work.
The original problem still remains though: using \\SMB.WIE I can only
access netlogon and sysvol, and using \\192.168.1.50 I can only access the
shares.
I am not sure if I understand your comment about the rid backend:
I added users with the samba-tool:

    samba-tool user create kirchner

After that getent shows the user with ids:

    getent passwd kirchner
    SMB\kirchner:*:3000016:100::/home/SMB/kirchner:/bin/false

So the user seems to have an id for user and group and I can use this uid
to give access to files on the server.
2016-11-05 9:08 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Sat, 05 Nov 2016 07:06:19 +0100
> Maximilian Kirchner via samba <samba at lists.samba.org> wrote:
>
> > I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04).
> > If I connect to the server via \\smb.wie (its dns name) I can access
> > netlogon and sysvol. If I connect via its IP then I can access all my
> > shares (test as an example) - but either way I cannot connect to the
> > other (I do see them though). Windows always tells me the login
> > credentials would be wrong for the other one.
> >
> > This is my config:
> >
> > [global]
> > netbios name = SRV
> > realm = SMB.WIE
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = SMB
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> >
> > interfaces = bond0:0
> > bind interfaces only = yes
> >
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind refresh tickets = Yes
> > winbind nested groups = No
> > #winbind separator = +
> >
> > idmap backend = tdb
> > idmap uid = 10000 - 20000
> > idmap gid = 10000 - 20000
> > idmap config DOMAIN : backend = rid
> > idmap config DOMAIN : range = 10000 - 20000
> >
> > passdb backend = tdbsam # should be default
> >
> > domain logons = yes
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/smb.wie/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > [test]
> > path = /usr/local/samba/var/locks/sysvol/test
> > read only = No
> >
> > And these are the access rights:
> > Result of ll /usr/local/samba/var/locks/sysvol/test
> >
> > drwxrwx---+ 5 root users 4096 Nov 1 19:42 ./
> > Result of ll /usr/local/samba/var/locks/sysvol
> >
> > drwxrwx---+ 5 root users 4096 Nov 1 19:50 ./
> > log.smbd only tells me the server started successfully and log.samba
> > throws the following warning which I found on the net to ignore:
> > samba: setproctitle not initialized, please either call
> > setproctitle_init() or link against libbsd-ctor.
> >
> > I guess it is due to this error that profile synchronization also
> > does not work which is why I need to fix this.
>
> This is obviously a DC so you should remove the domain member
> components from your smb.conf:
>
> idmap backend = tdb
> idmap uid = 10000 - 20000
> idmap gid = 10000 - 20000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000 - 20000
>
> passdb backend = tdbsam # should be default
>
> domain logons = yes
>
> They will not work on a DC.
>
> You should also remove:
>
> winbind use default domain = Yes
>
> for the same reason.
>
> As you are trying to use the 'rid' backend, I take it you haven't given
> your users and groups any uidNumber or gidNumber attributes.
>
> Can I suggest you try reading the Samba wiki:
>
> https://wiki.samba.org/index.php/Main_Page
>
> Paying attention to:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
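
A small linter for the point made in Rowland's reply, added here as an example (it is not part of the thread or of Samba): when server role is an AD DC, it flags the [global] parameters he lists for removal. The sample config is constructed from the one quoted above, the function names are hypothetical, and backslash line continuations are not handled.

```python
import re

# Parameters the reply says to remove on a DC (lower-case, whitespace collapsed).
MEMBER_ONLY = {"idmap backend", "idmap uid", "idmap gid", "passdb backend",
               "domain logons", "winbind use default domain"}
IDMAP_CONFIG = re.compile(r"^idmap config .+:\s*(backend|range)$")
DC_ROLE = "active directory domain controller"

# Constructed sample, trimmed from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
netbios name = SRV
realm = SMB.WIE
workgroup = SMB
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
winbind enum users = Yes
winbind use default domain = Yes
idmap backend = tdb
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000 - 20000
passdb backend = tdbsam # should be default
domain logons = yes
[test]
path = /usr/local/samba/var/locks/sysvol/test
read only = No
"""

def parse_global(text):
    """Return [(lineno, name, value)] for parameters in the [global] section."""
    section, out = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            out.append((n, " ".join(name.lower().split()), value.strip()))
    return out

def lint_dc(text):
    """Return [(lineno, name)] of domain-member settings found in a DC config."""
    params = parse_global(text)
    if not any(k == "server role" and v.lower() == DC_ROLE for _, k, v in params):
        return []                            # not a DC: nothing to flag
    return [(n, k) for n, k, _ in params
            if k in MEMBER_ONLY or IDMAP_CONFIG.match(k)]

if __name__ == "__main__":
    for lineno, name in lint_dc(SAMPLE):
        print(f"line {lineno}: remove '{name}' (domain member setting on a DC)")
```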