[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Mon Oct 17 21:09:34 UTC 2016


Hello Rowland,

On 17.10.2016 at 18:06, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 17 Oct 2016 17:14:43 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> So, to summarize the discussion:
>>
>> System accounts should not have rfc2307 IDs, only (unprivileged)
>> users should. The Administrator account is the exception. It can be
>> mapped to root through the "username map" directive
> Basically yes, you can also give Domain Admins a gidNumber and then
> make any users you want to be admins, members of this group.
>
>> Today, I followed the wiki page
>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>> prerequisites. Unfortunately, the automatic home folder creation
>> still does not work.
> Just followed it myself and it does work against a Samba fileserver.
Hmm, then I must be doing it wrong somehow ... :-[
>
> Where do you expect the home directory to be created ?

On the Samba member server as defined in the [home] share definition 
(and also as defined in the user profile (home drive/home share))

> Is it on a Samba machine and if so what have you got in smb.conf ?

Here comes my smb.conf of the member server == file server

[global]
     netbios name = FILESERVER2
     security = ADS
     workgroup = MYDOMAIN
     realm = MYDOMAIN.LAN
     server string = Virtual Server

     log level = 5
     log file = /var/log/samba/%m.log

     password server = 192.168.6.8

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab

     username map = /etc/samba/user.map

     ;; Use settings from AD for login shell and home directory
     winbind nss info = rfc2307
     winbind trusted domains only = no
     winbind use default domain = no
     winbind enum users  = yes
     winbind enum groups = yes
     winbind refresh tickets = Yes
     winbind cache time = 60

     ;; Default idmap config used for BUILTIN and local accounts/groups
     idmap config * : backend = tdb
     idmap config * : range = 2000-9999

     ;; idmap config for domain MYDOMAIN
     idmap config MYDOMAIN : backend = ad
     idmap config MYDOMAIN : schema_mode = rfc2307
     idmap config MYDOMAIN : range = 10000-99999

     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes

     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes

     template homedir = /var/share/samba/homes/%U


[home]
     path = /var/share/samba/homes
     guest ok = no
     read only = no
     browseable = yes

[profiles]
     path = /var/share/samba/profiles
     read only = no
     store dos attributes = yes
     create mask = 0600
     directory mask = 0700
     guest ok = no
     profile acls = yes
     csc policy = disable
>
>> So I checked all my logs and I guess I have
>> another problem with DDNS and DHCP:
>>
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction
>> on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
>> Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key
>> rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed:
>> rejected by secure update (REFUSED)
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction
>> on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from
>> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to
>> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from
>> 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
>>
> Are you running the dhcp server on the DC along with Bind9 ?

Yes, I do.

> If so, please post your dhcpd.conf
This is my dhcpd.conf

include "/etc/dhcp/ddns-keys/rndc.key";

update-static-leases on;
allow unknown-clients;
use-host-decl-names on;
default-lease-time 3600;

zone mydomain.lan. {
   primary 127.0.0.1; # This server is the primary DNS server for the zone
   key rndc-key;       # Use the key we defined earlier for dynamic updates
}

zone 6.168.192.in-addr.arpa. {
   primary 127.0.0.1; # This server is the primary reverse DNS server for the zone
   key rndc-key;       # Use the key we defined earlier for dynamic updates
}

subnet 192.168.6.0 netmask 255.255.255.0 {
   range 192.168.6.16 192.168.6.63;
   authoritative;
   option subnet-mask 255.255.255.0;
   option routers 192.168.6.1;
   option domain-name-servers 192.168.6.8;
   option domain-name "mydomain.lan";
   ddns-domainname "mydomain.lan.";
   # ddns-rev-domainname "6.168.192.in-addr.arpa.";
   ddns-rev-domainname "in-addr.arpa.";
}

ddns-update-style interim;

max-lease-time 7200;

authoritative;

log-facility local7;


My intention was to have static addresses for the DC(s) and the file 
server(s) from 192.168.6.1 - 192.168.6.15 and use DHCP for the Windows 7 
Workstations (easier to roll out).

Best regards

Udo

>
>> This translates into missing PTR records of my two virtual PCs in the
>> DNS (configured to get their IPs over DHCP). Can this be related to
>> my first problem or has this other side effects?
>>
> Not having reverse records isn't going to help, but I don't think this is
> your problem.
>
> Rowland
>
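
Added example, not part of the original message: a small Python triage script for the syslog excerpt quoted above. It pairs each update that named rejected with the key the update was signed with, whether samba_dlz logged an SPNEGO failure in the same transaction, and the record dhcpd then failed to add. The function name, record layout and regular expressions are assumptions built from the log lines shown in the message.

```python
import re

# Log lines copied from the excerpt in the message, with the e-mail
# line wrapping undone.
SAMPLE = """\
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
""".splitlines()

SYSLOG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\w+)\[\d+\]: (.*)$")
REJECT = re.compile(r"client (\S+)#\d+(?:/key (\S+))?: updating zone "
                    r"'([^'/]+)/\w+': update failed: rejected by secure update")
DHCP_FAIL = re.compile(r"Unable to add (forward|reverse) map from (\S+) to (\S+): \w+")

def rejected_updates(lines):
    """Return one record per dynamic DNS update that named refused."""
    events, spnego_failed = [], False
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, host, prog, msg = m.groups()
        if prog == "named":
            if "samba_dlz: starting transaction" in msg:
                spnego_failed = False          # new transaction, reset state
            elif "samba_dlz: spnego update failed" in msg:
                spnego_failed = True
            elif (r := REJECT.search(msg)):
                events.append({"time": stamp, "host": host, "client": r[1],
                               "tsig_key": r[2], "zone": r[3],
                               "spnego_failed": spnego_failed, "lost_records": []})
        elif prog == "dhcpd" and (d := DHCP_FAIL.search(msg)):
            # Attach the dhcpd-side failure to the latest rejection in that zone.
            name = d[2].rstrip(".")
            for ev in reversed(events):
                if name.endswith("." + ev["zone"]):
                    ev["lost_records"].append((d[1], name, d[3]))
                    break
    return events
```

Calling `rejected_updates(SAMPLE)` yields a single record for zone 6.168.192.in-addr.arpa, signed with rndc-key, with the SPNEGO failure flagged and the missing PTR record for Admin-PC attached.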
