[Samba] Ubuntu 18:04 not getting 'home' directory from DC
L.P.H. van Belle
belle at bazuin.nl
Fri Jun 22 06:44:44 UTC 2018
Do you have the "cifs/UPN" for both servers set?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bob
> Thomas via samba
> Sent: Thursday 21 June 2018 18:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Ubuntu 18:04 not getting 'home'
> directory from DC
>
> Thank You Louis and Rowland for your help,
>
> Seems samba version in Ubuntu 18.04 was the key, (Samba
> version 4.7.6-Ubuntu).
> I was using an old smb.conf that has always worked on my
> Ubuntu 16.04 workstations:
>
> [global]
> realm = XX.DOMAIN.COM
> workgroup = XX
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config XX:backend = ad
> idmap config XX:range = 10000-99999
> idmap config XX:schema_mode = rfc2307
> idmap config XX:unix_nss_info = yes
> # winbind nss info = rfc2307
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
>
> After changing: 'winbind nss info = rfc2307' to 'idmap config
> CY:unix_nss_info = yes'
> the DC UNIX attributes are correctly applied.
>
> I am still having issues running some programs after home
> mounts from the server, for example
> Thunderbird doesn't get to the account setup popup, and
> chromium doesn't even start.
> Both seem to be "permissions" related. I think I will see if
> sec=krb5 resolves it but haven't got that working yet;
> setting "sec=krb5"
> gives me this (IPs edited).
>
> cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba
> cifs.upcall: ver=2
> cifs.upcall: host=1x.1xx.1.3x
> cifs.upcall: ip=1x.1xx.1.3x
> cifs.upcall: sec=1
> uid=10109
> creduid=0
> user=test
> pid=1210
> get_cachename_from_process_env: pid == 0
> get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> cifs.upcall: get_tgt_time: unable to get principal
> cifs.upcall: krb5_get_init_creds_keytab: -1765328203
> cifs.upcall: Exit status 1
> lightdm[830]: (mount.c:72): Messages from underlying mount program:
> lightdm[830]: (mount.c:76): mount error(126): Required key not available
>
> Do you have a good wiki for setting up sec=krb5 for mount
> authentication?
>
> Thanks again,
>
> Bob
>
>
>
> ---------------------------------------
>
>
> Hai,
>
> Now I don't use a GUI on my servers, but I would check the
> following if I had your problem.
> Ubuntu 16 and 18: their Samba versions are very different, keep
> that in mind.
>
> This must be checked: smbmount/smbclient and protocol mismatches.
> Look up where the mount command is done and add -m SMB2.
> Probably /etc/security/pam_mount.conf.xml
>
> Last, smbclient/mount are also using krb5.conf settings.
> Adding this to libdefaults might also help a bit so the
> ciphers are more aligned.
> ; for Windows 2003
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> If I'm correct, the above would fix a possible rights problem on
> /home/username/.Xauthority, but you only know that if your mount works.
> If the mount works but login fails, check this one
> out: https://blog.laczik.org/xauth-and-xauthority/
>
>
> This looks a bit the same as a problem I had when mounting
> the user homedir with Kerberos NFSv4 mounts.
> I needed to add: ignore_k5login = true
> Because even root and Administrator are locked out of my user
> home dirs. ( ! Note, as it should imo. It's my default setting)
>
>
>
> Greetz,
>
> Louis
>
>
>
>
> On 6/20/2018 3:12 PM, Bob Thomas wrote:
> > Rowland,
> >
> > How would I find this info?
> >
> > Check if 'Rachel Jones' has a 'gecos' attribute in AD.
> >
> > You seem to be being denied access to '.Xauthority', was it created on
> > another machine ? No
> >
> > However, I am sure '-13' usually means incorrect password.
> >
> > I am sure the password is correct, the /mnt/home/rachel folder is created
> > but the user files are not created because access is denied. The folder
> > stays empty and the computer flashes back to the login screen.
> >
> >
> > Bob
> >
> >
> >
> > On Wed, 20 Jun 2018 12:01:57 -0400
> > Bob Thomas via samba <samba at lists.samba.org> wrote:
> >
> > > Thank you for your reply.
> > >
> > > First I am using 'ad' backend (DC config is in first post below) and
> > > until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04
> > > the user/group id, shell, and home directory paths were correctly
> > > obtained from the RSAT UNIX Attribute Tab settings on the DC. It
> > > seems that is still working for users already created with existing
> > > home directories on the file server, it is new users or any user that
> > > needs to build a home directory on the file server. This behavior is
> > > happening on both Ubuntu 18.04 and 16.04 now, so I believe it is
> > > related to the new DC.
> > >
> > > do I need 'winbind nss info = template' and if so what does it do?
> >
> > No, because it is the default setting and it tells winbind to only
> > obtain the user's ID and primary group from AD.
> >
> > > Anyway, I tried Louis' suggestion and was able to get a better
> > > response after adding this to the *file server smb.conf*:
> > >
> > > template homedir = /mnt/home/%U ( also tried
> > > /mnt/Filestore/user-folders/%U )
> > > template shell = /bin/sh
> > >
> > > both resulted in correct mount points and shell:
> > >
> > > getent passwd 'rachelj'
> > > rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh
> > >
> > > but expected:
> > > rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh
> >
> > Check if 'Rachel Jones' has a 'gecos' attribute in AD.
> >
> > > But when I tried to login, after a short pause it snaps back to a
> > > login. The mount point (rachelj) was created but nothing is in the
> > > directory. Note this is a new user and nothing exists on the file
> > > server other than the folder created via RSAT during the user setup.
> > >
> > > Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161.
> > > Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING **: Error reading existing Xauthority: Failed to open file '/mnt/home/rachelj/.Xauthority': Permission denied
> > > Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission denied
> > > Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean global config (0)
> > > Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean system authtok=0x1a22910 (0)
> > > Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected
> > > Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0]
> > > Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded
> > > Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned 0xc000006d STATUS_LOGON_FAILURE
> > > Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error in SessSetup = -13
> > > Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount failed w/return code = -13
> >
> > You seem to be being denied access to '.Xauthority', was it created on
> > another machine ?
> > However, I am sure '-13' usually means incorrect password.
> >
> > Rowland
> >
> > On 6/20/2018 12:01 PM, Bob Thomas wrote:
> >>
> >> Thank you for your reply.
> >>
> >> First I am using 'ad' backend (DC config is in first post below) and
> >> until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04
> >> the user/group id, shell, and home directory paths were correctly
> >> obtained from the RSAT UNIX Attribute Tab settings on the DC. It
> >> seems that is still working for users already created with existing
> >> home directories on the file server, it is new users or any user that
> >> needs to build a home directory on the file server. This behavior is
> >> happening on both Ubuntu 18.04 and 16.04 now, so I believe it is
> >> related to the new DC.
> >>
> >> do I need 'winbind nss info = template' and if so what does it do?
> >>
> >> Anyway, I tried Louis' suggestion and was able to get a better
> >> response after adding this to the *file server smb.conf*:
> >>
> >> template homedir = /mnt/home/%U ( also tried
> >> /mnt/Filestore/user-folders/%U )
> >> template shell = /bin/sh
> >>
> >> both resulted in correct mount points and shell:
> >>
> >> getent passwd 'rachelj'
> >> rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh
> >>
> >> but expected:
> >> rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh
> >>
> >> But when I tried to login, after a short pause it snaps back to a
> >> login. The mount point (rachelj) was created but nothing is in the
> >> directory. Note this is a new user and nothing exists on the file
> >> server other than the folder created via RSAT during the user setup.
> >>
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (rdconf1.c:744): path to luserconf set to /mnt/home/rachelj/.pam_mount.conf.xml
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:568): pam_mount 2.14: entering session stage
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:786): Could not get realpath of /mnt/home/rachelj: No such file or directory
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:267): Mount info: globalconf, user=rachelj <volume fstype="cifs" server="cy-vault" path="home/rachelj" mountpoint="/mnt/home/rachelj" cipher="(null)" fskeypath="(null)" fskeycipher="(n$
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: checking /mnt
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: checking /mnt/home
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: checking /mnt/home/rachelj
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:349): mkdir[0] /mnt/home/rachelj
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:357): chown /mnt/home/rachelj -> 10161:10001
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:664): Password will be sent to helper as-is.
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'mount' '-t' 'cifs' '//cy-vault/home/rachelj' '/mnt/home/rachelj' '-o' 'username=rachelj,uid=10161,gid=10001,vers=2.1'
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 109 24 0:42 /rachelj /mnt/home/rachelj rw,relatime shared:68 - cifs //cy-vault/home/rachelj rw,vers=2.1,sec=ntlmssp,cache=strict,username=rachelj,domain=CY,uid=10161,forceuid,gid$
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'pmvarrun' '-u' 'rachelj' '-o' '1'
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pmvarrun.c:258): parsed count value 0
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:441): pmvarrun says login count is 1
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:660): done opening session (ret=0)
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Created slice User Slice of rachelj.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Starting User Manager for UID 10161...
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Paths.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Sockets.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Timers.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Basic System.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Default.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Startup finished in 22ms.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161.
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING **: Error reading existing Xauthority: Failed to open file '/mnt/home/rachelj/.Xauthority': Permission denied
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission denied
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean global config (0)
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean system authtok=0x1a22910 (0)
> >> Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected
> >> Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0]
> >> Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded
> >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned 0xc000006d STATUS_LOGON_FAILURE
> >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error in SessSetup = -13
> >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount failed w/return code = -13
> >>
> >> Bob Thomas
> >>
> >> On Wed, 20 Jun 2018 11:36:06 +0200
> >> "L.P.H. van Belle via samba"<samba at lists.samba.org> wrote:
> >>
> >>> Hai Bob,
> >>>
> >>> And what does the wiki tell you about RID/AD backend AND .....
> >>> Well, even I had trouble finding the page again. So... it's not you..
> >>>
> >>> The wiki is getting too complex and has too many side links to
> >>> other pages. You need to set one or more of the following settings.
> >>>
> >>> template homedir =/home/%D/%U
> >>> template shell = /bin/false
> >>> usershare template share =
> >>> winbind nss info = template
> >>>
> >>>
> >>> Rowland, can you follow this path?
> >>> ( think in, install a member )
> >>> 1) https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>> Look for any reference for the template settings, if you use RID.
> >>>
> >>> Maybe it's an option to link some specific settings to these on the
> >>> page.
> >>> ad   idmap config ad   idmap_ad(8)
> >>> rid  idmap config rid  idmap_rid(8)
> >>>
> >>> Anyhow, for you I suggest the following.
> >>>
> >>> Member : home path in the share.
> >>> /mnt/Filestore/user-folders
> >>>
> >>> And this is the default:
> >>> template homedir =/home/%D/%U
> >>>
> >>> Change/add this
> >>> template homedir =/mnt/Filestore/%U
> >>>
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >> The problem with the wikipage is, just what Louis said, it is too
> >> complex and all over the place. Until somebody said something, I wasn't
> >> going to alter it, mainly because when I pointed this out, I upset the
> >> person that wrote it.
> >>
> >> In my opinion, the wiki should be easy to understand and follow, even
> >> if this means the same information being on several pages. To me, the
> >> whole idea of a wiki, is to get the information across to users, not to
> >> make it easy to maintain.
> >>
> >> As is, it is very easy to miss that you must add various options to
> >> smb.conf to get a fully working Unix domain member.
> >>
> >> I am open to ideas on how to update the Unix domain member wikipage, my
> >> first thought is to put everything on one page, but as I say, I am open
> >> to suggestions.
> >>
> >> Rowland
> >>
> >>
> >>
> >> recommendation
> >>
> >>
> >> On 6/19/2018 2:57 PM, Bob Thomas wrote:
> >>>
> >>> Hello,
> >>>
> >>> I've been trying to get Ubuntu 18.04 to work with Samba AD, seems I
> >>> am almost there but am unable to get home directories to mount
> >>> properly. The domain join went without a problem but because the
> >>> default cifs ver changed in Ubuntu to get other Samba shares on a
> >>> samba file server to mount I had to add to its smb.conf:
> >>>
> >>> client min protocol = SMB2
> >>> client max protocol = SMB3
> >>>
> >>> So I can now mount shares, but home directory will not mount and
> >>> build on the Ubuntu 18.04 client. I believe the issue is this:
> >>>
> >>> On Ubuntu 16.04 client getent passwd kiarar properly gives the DC's
> >>> home directory setting of:
> >>> root at CY-SALES-JM:~# getent passwd 'kiarar'
> >>> kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh
> >>>
> >>> On Ubuntu 18.04 client getent passwd kiarar gives:
> >>> root at CY-SALE:~# getent passwd 'kiarar'
> >>> kiarar:*:10155:10001::/home/CY/kiarar:/bin/false
> >>>
> >>> So it gets the correct UID and GID but not the login shell or home
> >>> directory set in the UNIX Attributes tab.
> >>>
> >>> Samba DC version 4.8.2 on Ubuntu 18.04 config:
> >>>
> >>> [global]
> >>> netbios name = CY-DC
> >>> realm = CY.MYDOMAIN.COM
> >>> workgroup = CY
> >>> server role = active directory domain controller
> >>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>> idmap_ldb:use rfc2307 = yes
> >>> idmap config CY:unix_nss_info = yes
> >>> ldap server require strong auth = no
> >>> allow dns updates = nonsecure and secure
> >>> log level = 2
> >>> ntlm auth = yes
> >>>
> >>> # stops cups errors in log file
> >>> load printers = no
> >>> printing = bsd
> >>> printcap name = /dev/null
> >>> disable spoolss = yes
> >>>
> >>> [netlogon]
> >>> path = /var/lib/samba/sysvol/cy.cybernetics.com/scripts
> >>> read only = No
> >>>
> >>> [sysvol]
> >>> path = /var/lib/samba/sysvol
> >>> read only = No
> >>>
> >>> Samba File server version 4.7.4 on Ubuntu 16.04 config:
> >>>
> >>> [global]
> >>> realm = CY.CYBERNETICS.COM
> >>> workgroup = CY
> >>> netbios name = cy-vault
> >>> security = ADS
> >>> server role = member server
> >>> encrypt passwords = yes
> >>> client min protocol = SMB2
> >>> client max protocol = SMB3
> >>>
> >>> idmap config *:backend = tdb
> >>> idmap config *:range = 2000-9999
> >>>
> >>> idmap config CY:backend = ad
> >>> idmap config CY:schema_mode = rfc2307
> >>> idmap config CY:range = 10000-99999
> >>> idmap config CY : unix_nss_info = yes
> >>>
> >>> winbind trusted domains only = no
> >>> winbind use default domain = yes
> >>>
> >>> vfs objects = acl_xattr
> >>> map acl inherit = Yes
> >>> store dos attributes = Yes
> >>>
> >>> username map = /etc/samba/user.map
> >>>
> >>> log level=3
> >>> log file = /var/log/samba/log.%m
> >>> max log size = 500
> >>>
> >>> # Stops cups errors in log file
> >>> load printers = no
> >>> printing = bsd
> >>> printcap name = /dev/null
> >>> disable spoolss = yes
> >>>
> >>> ####### User folder for Ubuntu ##########
> >>>
> >>> [home]
> >>> comment = UNIX Home Directories
> >>> path = /mnt/Filestore/user-folders
> >>> read only = no
> >>> level2 oplocks =no
> >>> oplocks = no
> >>> locking = no
> >>> strict locking = no
> >>>
> >>> Any help?
> >>>
> >>> Bob Thomas
> >>>
> >>>
> >>
> >
>
More information about the samba
mailing list
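
Added example, not code from any poster in this thread or from the Samba project: a small Python parser for the cifs.upcall debug output quoted above. It decodes the hex fields of the key description, reports that the credential-cache owner (creduid=0) differs from the mounting user (uid=10109), and maps -1765328203 to its MIT krb5 error name; the function names and finding tags are made up for this example.

```python
import re

# Copied from the cifs.upcall output quoted in the thread (wrapped key
# description rejoined; the poster had already redacted the IP addresses).
SAMPLE_LOG = """\
cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba
get_cachename_from_process_env: pid == 0
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall: get_tgt_time: unable to get principal
cifs.upcall: krb5_get_init_creds_keytab: -1765328203
cifs.upcall: Exit status 1
"""

# MIT krb5 library errors are ERROR_TABLE_BASE_krb5 plus an offset (krb5_err.et).
KRB5_TABLE_BASE = -1765328384
KRB5_ERRORS = {  # a few offsets that show up when a Kerberos mount fails
    141: ("KRB5_CC_NOTFOUND", "matching credential not found"),
    154: ("KRB5_REALM_UNKNOWN", "cannot find KDC for requested realm"),
    156: ("KRB5_KDC_UNREACH", "cannot contact any KDC for requested realm"),
    181: ("KRB5_KT_NOTFOUND", "key table entry not found"),
    195: ("KRB5_FCC_NOFILE", "no credentials cache found"),
}
HEX_FIELDS = ("ver", "uid", "creduid", "pid")


def parse_key_description(line):
    """Return the key=value fields of a cifs.spnego key description as a dict."""
    _, _, desc = line.partition("key description:")
    fields = {}
    for item in desc.strip().split(";"):
        key, sep, value = item.partition("=")
        if sep:  # the leading type;uid;gid;perm fields carry no '=' and are skipped
            fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def decode_krb5_error(code):
    """Map a raw krb5 error number to (offset, name, text)."""
    offset = code - KRB5_TABLE_BASE
    name, text = KRB5_ERRORS.get(offset, ("UNKNOWN", "not in this short table"))
    return offset, name, text


def diagnose(log):
    """Return (tag, detail) findings for one cifs.upcall run."""
    findings = []
    for line in log.splitlines():
        if "key description:" in line:
            f = parse_key_description(line)
            if (f.get("sec") == "krb5" and "uid" in f and "creduid" in f
                    and f["uid"] != f["creduid"]):
                # mount.cifs(8): cruid= sets the owner of the credentials cache;
                # the default is the uid of the process performing the mount.
                findings.append(("CREDUID_MISMATCH",
                                 "mount is for uid %d but tickets are looked up "
                                 "for uid %d" % (f["uid"], f["creduid"])))
        m = re.search(r"default ccache is (\S+)", line)
        if m:
            findings.append(("CCACHE", "cache examined: " + m.group(1)))
        m = re.search(r"krb5_get_init_creds_keytab: (-?\d+)", line)
        if m:
            offset, name, text = decode_krb5_error(int(m.group(1)))
            findings.append((name, "keytab fallback failed: %s (offset %d)"
                             % (text, offset)))
    return findings


if __name__ == "__main__":
    for tag, detail in diagnose(SAMPLE_LOG):
        print(f"{tag}: {detail}")
```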