[Samba] Logins differ for ip/DNS on ad dc

Maximilian Kirchner max.kirchner at gmail.com
Sat Nov 5 11:11:20 UTC 2016


Thanks for the reply Rowland (and sorry for replying twice). I actually
used the wiki you linked to set up the DC. I just added those idmap settings
because getent could not list my Samba users after setting it up; due to
your mail I realised I only needed the winbind options to make it work.

The original problem still remains though: using \\SMB.WIE I can only
access netlogon and sysvol; using \\192.168.1.50 I can only access the
shares.

I am not sure if I understand your comment about the rid backend:
I added users with the samba-tool:

    samba-tool user create kirchner

After that getent shows the user with ids:

    getent passwd kirchner
    SMB\kirchner:*:3000016:100::/home/SMB/kirchner:/bin/false

So the user seems to have an id for user and group and I can use this uid
to give access to files on the server.

2016-11-05 9:08 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sat, 05 Nov 2016 07:06:19 +0100
> Maximilian Kirchner via samba <samba at lists.samba.org> wrote:
>
> > I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04).
> > If I connect to the server via \\smb.wie (its dns name) I can access
> > netlogon and sysvol. If I connect via its IP then I can access all my
> > shares (test as an example) - but either way I cannot connect to the
> > other (I do see them though). Windows always tells me the login
> > credentials would be wrong for the other one.
> >
> > This is my config:
> >
> > [global]
> >     netbios name = SRV
> >     realm = SMB.WIE
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = SMB
> >     server role = active directory domain controller
> >     idmap_ldb:use rfc2307 = yes
> >
> >     interfaces = bond0:0
> >     bind interfaces only = yes
> >
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     winbind use default domain = Yes
> >     winbind refresh tickets = Yes
> >     winbind nested groups = No
> >     #winbind separator = +
> >
> >     idmap backend = tdb
> >     idmap uid = 10000 - 20000
> >     idmap gid = 10000 - 20000
> >     idmap config DOMAIN : backend = rid
> >     idmap config DOMAIN : range   = 10000 - 20000
> >
> >     passdb backend = tdbsam  # should be default
> >
> >     domain logons = yes
> >  [netlogon]
> >     path = /usr/local/samba/var/locks/sysvol/smb.wie/scripts
> >     read only = No
> >
> >  [sysvol]
> >     path = /usr/local/samba/var/locks/sysvol
> >     read only = No
> >
> >  [test]
> >     path = /usr/local/samba/var/locks/sysvol/test
> >     read only = No
> >
> > And these are the access rights:
> > Result of ll /usr/local/samba/var/locks/sysvol/test
> >
> > drwxrwx---+ 5 root users 4096 Nov 1 19:42 ./
> >
> > Result of ll /usr/local/samba/var/locks/sysvol
> >
> > drwxrwx---+ 5 root users 4096 Nov 1 19:50 ./
> >
> > log.smbd only tells me the server started successfully and log.samba
> > throws the following warning which I found on the net to ignore:
> >
> >     samba: setproctitle not initialized, please either call
> >     setproctitle_init() or link against libbsd-ctor.
> >
> > I guess it is due to this error that profile synchronization also
> > does not work which is why I need to fix this.
>
> This is obviously a DC so you should remove the domain member
> components from your smb.conf:
>
>     idmap backend = tdb
>     idmap uid = 10000 - 20000
>     idmap gid = 10000 - 20000
>     idmap config DOMAIN : backend = rid
>     idmap config DOMAIN : range   = 10000 - 20000
>
>     passdb backend = tdbsam  # should be default
>
>     domain logons = yes
>
> They will not work on a DC.
>
> You should also remove:
>
>     winbind use default domain = Yes
>
> for the same reason.
>
> As you are trying to use the 'rid' backend, I take it you haven't given
> your users and groups any uidNumber or gidNumber attributes.
>
> Can I suggest you try reading the Samba wiki:
>
> https://wiki.samba.org/index.php/Main_Page
>
> Paying attention to:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> Rowland

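Added example (not part of either message, and not Samba project code): a small check that reports the [global] parameters the quoted reply lists as domain-member components when smb.conf declares the AD DC role. The function names and the abridged sample are constructed for illustration; only the "server role" spelling used in the thread is recognised.

```python
# Names the reply in this thread lists as domain-member components to remove
# from a DC's smb.conf, with case and whitespace squashed.
MEMBER_ONLY = {"idmapbackend", "idmapuid", "idmapgid", "passdbbackend",
               "domainlogons", "winbindusedefaultdomain"}

def squash(s):
    return "".join(s.lower().split())  # smb.conf names ignore case/whitespace

def parse_global(text):
    """Yield (lineno, name, value) for each parameter in [global]."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = squash(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            yield lineno, " ".join(name.split()), value.strip()

def member_settings_on_dc(text):
    """Flag member-only settings; [] unless 'server role' reads as in the thread."""
    params = list(parse_global(text))
    if not any(squash(n) == "serverrole" and
               squash(v) == "activedirectorydomaincontroller"
               for _, n, v in params):
        return []
    return [(ln, n) for ln, n, _ in params
            if squash(n) in MEMBER_ONLY or squash(n).startswith("idmapconfig")]

# Constructed sample: the [global] section posted in the thread, abridged.
SAMPLE = """\
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind use default domain = Yes
    #winbind separator = +
    idmap backend = tdb
    idmap config DOMAIN : backend = rid
    passdb backend = tdbsam  # should be default
    domain logons = yes
[test]
    read only = No
"""

if __name__ == "__main__":
    for lineno, name in member_settings_on_dc(SAMPLE):
        print(f"line {lineno}: '{name}' was listed as a domain-member setting")
```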