[Samba] moved DM config to new server : gids different etc

Stefan G. Weichinger lists at xunil.at
Tue Nov 26 17:57:31 UTC 2019

On 26.11.19 at 18:42, Rowland penny via samba wrote:
> On 26/11/2019 17:21, Stefan G. Weichinger via samba wrote:
>> On 26.11.19 at 17:37, Rowland penny via samba wrote:
>>> How about 'getent group Domain\ Users' ?
>> no result = empty reply
> Then there is something wrong, something isn't set correctly, I take it
> you replaced 'Domain\ Users' with its German equivalent.

I "eye-grepped" for that string as well. Not there. No ADS-groups in

>> The "admin" there is able to access stuff and reset his ACLs already.
> How ? if 'getent' isn't working.
>> So ... things work so far. thanks.
>> I will consider the config Louis suggested ... but not now
> No, 'rid' should work as before, all you really need to backup on a Unix
> domain member is the shares and the smb.conf, all the users & groups are
> stored on the DC.
>> (my reply was rejected by some samba-ml-SMTP-server ... another problem)
> Strange, it didn't reach moderation.
> Can you download this:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> Run it on the Unix domain member and paste the output into a post.

A little bit anonymized (I hope):

That DNS-domain is flaky, I see.
That "gigabit.net" came from the former admin and should be rm-ed, I see ....!


root at samba:~# cat samba-debug-info.txt
Collected config  --- 2019-11-26-18:48 -----------

Hostname: samba
DNS Domain: gigabit.net
FQDN: samba.gigabit.net


Kerberos SRV _kerberos._tcp.gigabit.net record verified ok, sample output:

Non-authoritative answer:
*** Can't find _kerberos._tcp.gigabit.net: No answer

Authoritative answers can be found from:
	origin = ns.123-reg.co.uk
	mail addr = hostmaster.gigabit.net
	serial = 2017030702
	refresh = 14400
	retry = 0
	expire = 604800
	minimum = 14400
Samba is running as a Unix domain member

       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION="10 (buster)"


This computer is running Debian 10.2 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 90:b1:1c:a1:1a:a8 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eno1
    inet6 fe80::92b1:1cff:fea1:1aa8/64 scope link

       Checking file: /etc/hosts	localhost

# The following lines are desirable for IPv6 capable hosts
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters	samba.gigabit.net samba


       Checking file: /etc/resolv.conf

domain mydom.de
search mydom.de


       Checking file: /etc/krb5.conf

default_realm = mydom.INTRA
dns_lookup_realm = false
dns_lookup_kdc = true


       Checking file: /etc/nsswitch.conf

# This file is managed remotely, all changes will be lost

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


       Checking file: /etc/samba/smb.conf

# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

unix charset = iso8859-15

security = ads
realm = mydom.INTRA
workgroup = mydom

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

netbios aliases = u1mydom
server string = U1mydom

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
obey pam restrictions = yes

interfaces =
bind interfaces only = Yes

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config mydom : range = 10000-20000
idmap config mydom : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes

unix extensions = no
follow symlinks= yes
wide links= yes

load printers = no
printcap name = /dev/null

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

log level = 2

	comment = Home Directories
	#path = /mnt/MSA2040/smb/Homes/mydom/%U
	#path = /mnt/MSA2040/smb/Homes/mydom/%S
	valid users = %S
	browseable = yes
	read only = no
	create mode = 0750
	#directory mask = 0700
	root preexec = /usr/local/sbin/mkhomedir.sh %U %H

	path = /mnt/MSA2040/smb/acltest
	read only = No

(rm-ed share defs)


Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
    Warning, /etc/idmapd.conf does not exist


Installed packages:
ii  acl                            2.2.53-4                    amd64
    access control list - utilities
ii  attr                           1:2.4.48-4                  amd64
    utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all
    Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                      all
    internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                      amd64
    basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64
    access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64
    extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3                      amd64
    MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3                      amd64
    MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3                      amd64
    MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.10.10+dfsg-0.1~buster~1 amd64
    Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.8-2                       amd64
    PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.10.10+dfsg-0.1~buster~1 amd64
    Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.10.10+dfsg-0.1~buster~1 amd64
    shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.10.10+dfsg-0.1~buster~1 amd64
    Samba winbind client library
ii  python3-samba                  2:4.10.10+dfsg-0.1~buster~1 amd64
    Python 3 bindings for Samba
ii  samba                          2:4.10.10+dfsg-0.1~buster~1 amd64
    SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.10.10+dfsg-0.1~buster~1 all
    common files used by both the Samba server and client
ii  samba-common-bin               2:4.10.10+dfsg-0.1~buster~1 amd64
    Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.10.10+dfsg-0.1~buster~1 amd64
    Samba Directory Services Database
ii  samba-libs:amd64               2:4.10.10+dfsg-0.1~buster~1 amd64
    Samba core libraries
ii  samba-vfs-modules:amd64        2:4.10.10+dfsg-0.1~buster~1 amd64
    Samba Virtual FileSystem plugins
ii  smbclient                      2:4.10.10+dfsg-0.1~buster~1 amd64
    command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.10.10+dfsg-0.1~buster~1 amd64
    service to resolve user and group information from Windows NT servers
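An added example, not part of this thread nor of samba-collect-debug-info.sh: a small Python lint over the idmap and 'invalid users' lines of the smb.conf dumped above. It shows why 'rid' gives the same gids on the new server (idmap_rid maps ID = RID + low end of the range, so Domain Users, RID 513, always becomes 10513 in range 10000-20000) and flags the trailing backslash after 'news', which smb.conf treats as a line continuation, folding 'obey pam restrictions = yes' into the invalid users list. The RIDs 512/513 and all function names are my assumptions, not from the post.

```python
import re

# Constructed sample: the smb.conf idmap lines above, plus the 'invalid users' line ending in '\'.
SMB_CONF = """
invalid users = root bin daemon adm sync shutdown halt mail news \\
obey pam restrictions = yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config mydom : range = 10000-20000
idmap config mydom : backend = rid
"""

def parse_params(text):
    """Parse 'key = value' lines; smb.conf joins a line ending in '\\' to the next."""
    params = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def idmap_ranges(params):
    """Return {domain: {'low', 'high', 'backend'}} from the idmap config lines."""
    ranges = {}
    for key, value in params.items():
        m = re.match(r"idmap config (\S+) : (range|backend)$", key)
        if m:
            entry = ranges.setdefault(m.group(1), {})
            if m.group(2) == "range":
                entry["low"], entry["high"] = map(int, value.split("-"))
            else:
                entry["backend"] = value
    return ranges

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid rule: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None

def check(params):
    """Findings to clear before trusting 'getent group' on a domain member."""
    findings = []
    doms = [(d, e["low"], e["high"]) for d, e in idmap_ranges(params).items()]
    for i, (d1, l1, h1) in enumerate(doms):
        for d2, l2, h2 in doms[i + 1:]:
            if l1 <= h2 and l2 <= h1:  # any shared ID would be ambiguous
                findings.append(f"idmap ranges overlap: {d1} and {d2}")
    if "obey pam restrictions" in params.get("invalid users", ""):
        findings.append("'invalid users' swallowed the next line via trailing backslash")
    return findings
```

Running `testparm -s` on the real file shows the same effect: the folded value appears under 'invalid users' and 'obey pam restrictions' keeps its default.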
