Rowland,

Thanks for the clarification. It appears the member server is joined and I have created a share.

[demoshare]
path = /srv/samba/test
read only = no

I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the share using Windows Explorer. If I set the share permissions to only me (Full Control), I can't access the share. The 'Everyone' and 'Domain Users' groups allow me access. On my DCs this has worked in the past. Am I missing something? This is the error I receive.

\\pfmember1\demoshare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

On 1/2/2015 1:14 PM, Rowland Penny wrote:
> On 02/01/15 18:01, James wrote:
>> Rowland,
>>
>> That did it! Thank you so much. I do have a question regarding the 'getent' command before setting up file shares. When I run 'getent group Domain\ Users' I get
>>
>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>
>> Why does it show these specific users? I would assume it would only show my 'tuser'. I don't have uids set for anyone else.
>
> When you run 'getent group Domain\ Users' it gets the group's gidNumber (10000 in your case) and the contents of any 'member' attributes, so I presume if you examine the group's AD object, you would find 8 'member' attribute lines.
>
> But if you were to run 'getent passwd user5', you would only get a response if 'user5' has a 'uidNumber'.
>
> Rowland
>
>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>> On 02/01/15 17:26, James wrote:
>>>> Rowland,
>>>>
>>>> I did forget to change it. Is it as simple as renaming now or did I screw up?
>>>>
>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>> On 02/01/15 17:07, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> I had a typo in my hosts file which is the reason my initial DNS update failed. Corrected and joined again. Successfully joined and updated DNS A record. I then made sure to give 'Domain Users' an id of 10000. I am now able to run 'getent passwd' and see all my domain users! YES! However I still see something that confuses me. When I run 'id tuser' I get the following.
>>>>>>
>>>>>> uid=2155(tuser) gid=2002(domain_users) groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>
>>>>>> Why is the uid 2155 and not 10001?
>>>>>>
>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I've gotten a bit further. It appears my use of '.local' is causing the issue from what I've researched. I ran '/etc/init.d/avahi-daemon stop'. This allowed me to successfully join the domain.
>>>>>>>>
>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>> If you don't mind I'd like to post my member server configuration as I attempt again. This is how my member server (Ubuntu 12.04) is configured after fresh install and prior to Samba build. Anything I'm missing that could cause my issue as I proceed? I assume no other prerequisites must be done on the other DCs either? Thanks.
>>>>>>>>>>
>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>
>>>>>>>>>> # Fstab file
>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>
>>>>>>>>>> # Hosts File
>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>
>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>
>>>>>>>>>> # Hostname File
>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>
>>>>>>>>> If you are referring to /etc/hostname, then it should just contain 'pfmember1'.
>>>>>>>>>
>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>> # /network/interfaces
>>>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>>>
>>>>>>>>>> # The loopback network interface
>>>>>>>>>> auto lo
>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>
>>>>>>>>>> # The primary network interface
>>>>>>>>>> auto eth0
>>>>>>>>>> iface eth0 inet static
>>>>>>>>>> address 172.16.232.25
>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>> network 172.16.232.0
>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>> dns-search domain.local
>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>
>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I forgot to tell you the results were from my Domain Controller and not the member server. Member server returned something to the effect of 'user not found'. I am only starting the 3 services (smbd, nmbd and winbindd) listed in the wiki. Should I be starting Samba with command line switches to start as a member server? Is that even possible?
>>>>>>>>>>>
>>>>>>>>>>> Hi, there are two ways of running samba4: the classic or original way that samba3 was used, or as an AD DC. If you run samba4 in the classic way, you need to start the smbd & nmbd daemons and optionally the winbind daemon. If you use samba4 as an AD DC, then you only start the samba daemon; this will start any other required daemons. You only start the samba daemon on an AD DC.
>>>>>>>>>>>
>>>>>>>>>>> As you are trying to set up a member server, you must carry out the tests on the member server.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again using your smb.conf as a template and try again.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I decided to start over with a fresh install and attempted again. Only change I made was to start my mappings at 10000. I gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with a gid but I'm still unable to view them using 'id'. I do notice a few strange observations. If I go to another user to attempt to assign a uid, I get the default value of 10000. I would expect 2001 given I set the first user with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following along with the wiki I get stuck at 'Testing the Winbind user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only retrieve local machine users. Let me preface by saying this is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member Server) and I have a question after reading the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member server to successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC, just copy krb5.conf to your new member server.
>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> My key is on hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend. For this to work, you need to add 'uidNumber' attributes to your users and a 'gidNumber' attribute to at least the Domain Users group. The numbers that you add must be within the range you set in your smb.conf; again, if you followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are using the std windows start number 10000, which is the way I run samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>
>>>>>>> OK, you have *now* found out one of the reasons you shouldn't use the .local suffix
>>>>>>>
>>>>>>> But does anything else work?
>>>>>>>
>>>>>>> Rowland
>>>>>
>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>
>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config EXAMPLE : backend = ad
>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>
>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>
>>>>> Rowland
>>>
>>> Just change it, stop samba and winbind, run 'net cache flush' and restart samba & winbind.
>>>
>>> Rowland

--
-James
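Rowland's diagnosis in the quoted thread (uid 2155 coming from the `*` tdb range because the `idmap config EXAMPLE` lines were never renamed to the real workgroup) can be checked mechanically. The Python checker below is an added example, not code from the thread or from Samba: it parses the `workgroup` and `idmap config` lines of an smb.conf, reports a workgroup with no matching `idmap config` section or overlapping ranges, and tells you which backend's range a given uid/gid falls in. The two sample configs are constructed from Rowland's posted smb.conf, with `workgroup = DOMAIN` standing in for James's domain.

```python
"""Check a Samba member server's idmap configuration against the ids it hands out.

Added example, not code from the thread or from the Samba project. It parses the
'workgroup' and 'idmap config' lines of an smb.conf and answers two questions
from the thread: which backend a given uid/gid came from (2155 vs 10001), and
whether the 'idmap config <DOMAIN>' lines actually match the workgroup.
"""
import re
from typing import Dict, List, Optional, Tuple

# 'idmap config DOM : key = value'; also tolerates 'idmap config DOM:key = value'
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_idmap(smb_conf: str) -> Tuple[Optional[str], Dict[str, dict]]:
    """Return (WORKGROUP, {DOMAIN: {'backend': str, 'range': (lo, hi) or None, ...}})."""
    workgroup = None
    domains: Dict[str, dict] = {}
    for line in smb_conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            try:
                lo, hi = (int(x) for x in val.split("-"))
                entry["range"] = (lo, hi) if lo <= hi else None
            except ValueError:
                entry["range"] = None  # malformed; reported by check_config()
        else:
            entry[key] = val
    return workgroup, domains


def source_of_id(domains: Dict[str, dict], number: int) -> Optional[Tuple[str, str]]:
    """Return (DOMAIN, backend) whose idmap range contains the uid/gid, or None."""
    for dom, entry in domains.items():
        rng = entry.get("range")
        if rng and rng[0] <= number <= rng[1]:
            return dom, entry.get("backend", "?")
    return None


def check_config(smb_conf: str) -> List[str]:
    """List idmap misconfigurations of the kind seen in the thread; empty means sane."""
    workgroup, domains = parse_idmap(smb_conf)
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default domain")
    if workgroup is None:
        problems.append("no 'workgroup =' line")
    elif workgroup not in domains:
        # James's bug: the template's EXAMPLE lines left in place, so winbind
        # never reads uidNumber/gidNumber and allocates ids from the '*' range.
        problems.append(
            f"workgroup {workgroup} has no 'idmap config {workgroup} : ...' lines; "
            f"ids will be allocated from the '*' range instead of read from AD")
    for dom, entry in domains.items():
        if entry.get("range") is None:
            problems.append(f"idmap config {dom}: missing or malformed range")
    # Samba requires the per-domain ranges not to overlap.
    ranged = sorted((e["range"], d) for d, e in domains.items() if e.get("range"))
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ranges of {d1} {r1} and {d2} {r2} overlap")
    return problems


# Constructed from the smb.conf posted in the thread: BROKEN_CONF keeps the
# template's 'EXAMPLE' lines under a 'DOMAIN' workgroup, FIXED_CONF renames them.
BROKEN_CONF = """\
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""
FIXED_CONF = BROKEN_CONF.replace("EXAMPLE", "DOMAIN")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {check_config(conf) or ['ok']}")
    _, domains = parse_idmap(FIXED_CONF)
    for n in (2155, 10001):  # the two uids James saw for 'tuser'
        print(n, "->", source_of_id(domains, n))
```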
On 02/01/15 18:35, James wrote:
> Rowland,
>
> Thanks for the clarification. It appears the member server is joined and I have created a share.
>
> [demoshare]
> path = /srv/samba/test
> read only = no
>
> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the share using Windows Explorer. If I set the share permissions to only me (Full Control), I can't access the share. The 'Everyone' and 'Domain Users' groups allow me access. On my DCs this has worked in the past. Am I missing something? This is the error I receive.
>
> \\pfmember1\demoshare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
>
> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

You seem to have a connection to the share already open, close this and try again. If this fails, post the results of:

ls -la /srv/samba/test

and

getfacl /srv/samba/test

Rowland
>>>>>>>> >>>>>>>> Rowland >>>>>>> >>>>>>> -- >>>>>>> -James >>>>>> >>>>>> OK, well it seems to be a step in the right direction :-) >>>>>> >>>>>> Have you changed 'EXAMPLE' in these lines: >>>>>> >>>>>> idmap config * : backend = tdb >>>>>> idmap config * : range = 2000-9999 >>>>>> idmap config EXAMPLE : backend = ad >>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>> idmap config EXAMPLE:schema_mode = rfc2307 >>>>>> >>>>>> They need to be changed for your *WORKGROUP* name. >>>>>> >>>>>> Rowland >>>>>> >>>>>> >>>>> >>>>> -- >>>>> -James >>>> >>>> Just change it, stop samba and winbind, run 'net cache flush' and >>>> restart samba & winbind. >>>> >>>> Rowland >>>> >>> >>> -- >>> -James >> > > -- > -James
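The idmap problem Rowland diagnoses in the quoted thread above (the `idmap config EXAMPLE` lines left at the wiki placeholder, so domain users fell through to the `*` tdb range and `tuser` was allocated uid 2155 instead of being mapped to his uidNumber 10001) can be checked mechanically. The following Python is an added example and is not code from this thread or from the Samba project. It parses only the `workgroup` and `idmap config` lines of an smb.conf; the sample configurations are constructed from Rowland's posted idmap lines with the workgroup set to DOMAIN, the short domain name shown in James's join output. The statement that idmap_ad ignores uidNumber/gidNumber values outside its configured range follows the idmap_ad(8) man page.

```python
"""Check the winbind idmap section of a Samba AD member server's smb.conf.

Added example (not from the thread or the Samba project). It flags the
mistakes discussed in the thread: the 'idmap config EXAMPLE' placeholder
never renamed to the real workgroup, overlapping ranges, and uidNumber or
gidNumber values that the 'ad' backend would silently ignore because they
lie outside the domain's range.
"""
import re

# Constructed sample: Rowland's idmap lines with the workgroup set to DOMAIN
# (James's short domain name) but the idmap lines still saying EXAMPLE.
SMB_CONF_UNFIXED = """
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : schema_mode = rfc2307
"""

# The same file after renaming EXAMPLE to the workgroup, as Rowland advised.
SMB_CONF_FIXED = SMB_CONF_UNFIXED.replace("EXAMPLE", "DOMAIN")

# Constructed negative case: the '*' range overlaps the domain range.
SMB_CONF_OVERLAP = SMB_CONF_FIXED.replace("2000-9999", "2000-20000")

WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)
# Accepts both 'idmap config DOM : param = v' and 'idmap config DOM:param = v'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return (workgroup, {DOMAIN: {param: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, param, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[param] = value
    return workgroup, idmap


def parse_range(text):
    """'2000-9999' -> (2000, 9999)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap block looks sane."""
    problems = []
    workgroup, idmap = parse_idmap(conf)
    if "range" not in idmap.get("*", {}):
        problems.append("no 'idmap config * : range' for the default domain")
    if workgroup is None:
        problems.append("no workgroup set")
    elif workgroup not in idmap:
        problems.append(
            f"no 'idmap config {workgroup} : ...' lines: users of {workgroup} "
            "fall through to the '*' tdb backend and get allocated IDs, "
            "so uidNumber/gidNumber in AD are never read")
    # Every range must be disjoint from every other one.
    ranges = {d: parse_range(c["range"]) for d, c in idmap.items() if "range" in c}
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges for '{a}' and '{b}' overlap")
    return problems


def explain_id(conf, unix_id):
    """Name the idmap domain whose range contains unix_id ('*' = allocated by tdb)."""
    _, idmap = parse_idmap(conf)
    for dom, c in idmap.items():
        if "range" in c:
            lo, hi = parse_range(c["range"])
            if lo <= unix_id <= hi:
                return dom
    return None


def ad_attribute_usable(conf, workgroup, attr_value):
    """True if the 'ad' backend would honour this uidNumber/gidNumber.

    idmap_ad uses its range as a filter: values stored in AD that fall outside
    it are ignored, which is why the numbers must lie within the smb.conf range.
    """
    _, idmap = parse_idmap(conf)
    c = idmap.get(workgroup.upper(), {})
    if c.get("backend", "").lower() != "ad" or "range" not in c:
        return False
    lo, hi = parse_range(c["range"])
    return lo <= attr_value <= hi


if __name__ == "__main__":
    for name, conf in (("unfixed", SMB_CONF_UNFIXED), ("fixed", SMB_CONF_FIXED)):
        print(name, check_idmap(conf) or "OK")
        print("  uid 2155 came from:", explain_id(conf, 2155))
        print("  uidNumber 10001 honoured:", ad_attribute_usable(conf, "DOMAIN", 10001))
```

Run against the unfixed file, `explain_id(..., 2155)` answers `*`, which is the tdb allocation James saw in `id tuser`; after the rename, `ad_attribute_usable(..., 10001)` is true and the check reports nothing. The same check flags uid 2000 (James's first attempt) as unusable under a 10000-999999 range, the case Rowland's "must be within the range" remark covers.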
Rowland,

That was the issue. Windows Computer Management console showed 0 connections. That obviously wasn't correct. A reboot corrected the issue. ACLs are working as expected. I probably should have run a 'netstat' to verify.

Any best practices on who should or shouldn't have uids or gids set in AD? I've read where the Administrator account should not have one set.

On 1/2/2015 1:47 PM, Rowland Penny wrote:
> On 02/01/15 18:35, James wrote:
>> Rowland,
>>
>> Thanks for the clarification. It appears the member server is joined and I have created a share.
>>
>> [demoshare]
>> path = /srv/samba/test
>> read only = no
>>
>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the share using Windows Explorer. If I set the share permissions to only me (Full Control), I can't access the share. The 'Everyone' and 'Domain Users' group allows me access. On my DCs this has worked in the past. Am I missing something? This is the error I receive.
>>
>> \\pfmember1\demoshare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
>>
>> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
>
> You seem to have a connection to the share already open, close this and try again.
> If this fails, post the results of:
>
> ls -la /srv/samba/test
>
> and
>
> getfacl /srv/samba/test
>
> Rowland
>
>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>> On 02/01/15 18:01, James wrote:
>>>> Rowland,
>>>>
>>>> That did it! Thank you so much. I do have a question regarding the 'getent' command before setting up file shares. When I run 'getent group Domain\ Users' I get
>>>>
>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>
>>>> Why does it show these specific users? I would assume it would only show my 'tuser'. I don't have uids set for anyone else.
>>>
>>> When you run 'getent group Domain\ Users' it gets the group's gidNumber (10000 in your case) and the contents of any 'member' attributes, so I presume if you examine the group's AD object, you would find 8 'member' attribute lines.
>>>
>>> But if you were to run 'getent passwd user5', you would only get a response if 'user5' has a 'uidNumber'.
>>>
>>> Rowland
>>>
>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>> On 02/01/15 17:26, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> I did forget to change it. Is it as simple as renaming now or did I screw up?
>>>>>>
>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I had a typo in my hosts file which is the reason my initial DNS update failed. Corrected and joined again. Successfully joined and updated DNS A record. I then made sure to give 'Domain users' an id of 10000. I am now able to run 'getent passwd' and see all my domain users! YES! However I still see something that confuses me. When I run 'id tuser' I get the following.
>>>>>>>>
>>>>>>>> uid=2155(tuser) gid=2002(domain_users) groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>
>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>
>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I've gotten a bit further. It appears my use of '.local' is causing the issue from what I've researched. I ran '/etc/init.d/avahi-daemon stop'. This allowed me to successfully join the domain.
>>>>>>>>>>
>>>>>>>>>> Enter administrator@DOMAIN.LOCAL's password:
>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> If you don't mind I'd like to post my member server configuration as I attempt again. This is how my member server (Ubuntu 12.04) is configured after fresh install and prior to Samba build. Anything I'm missing that could cause my issue as I proceed? I assume no other prerequisites must be done on the other DCs either? Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>>>
>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>>
>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>
>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>
>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>
>>>>>>>>>>> If you are referring to /etc/hostname, then it should just contain 'pfmember1'.
>>>>>>>>>>>
>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>>>>>
>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>> auto lo
>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>
>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>> auto eth0
>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I forgot to tell you the results were from my Domain Controller and not the member server. Member server returned something to the effect of 'user not found'. I am only starting the 3 services (smbd, nmbd and winbindd) listed in the wiki. Should I be starting Samba with command line switches to start as a member server? Is that even possible?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or original way that samba3 was used, or as an AD DC. If you run samba4 in the classic way, you need to start the smbd & nmbd daemons and optionally the winbind daemon. If you use samba4 as an AD DC, then you only start the samba daemon, this will start any other required daemons; you only start the samba daemon on an AD DC.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As you are trying to set up a member server, you must carry out the tests on the member server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again using your smb.conf as a template and try again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I decided to start over with a fresh install and attempted again. Only change I made was to start my mappings at 10000. I gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with a gid but I'm still unable to view them using 'id'. I do notice a few strange observations. If I go to another user to attempt to assign a uid, I get the default value of 10000. I would expect 2001 given I set the first user with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following along with the wiki I get stuck at 'Testing the Winbind user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only retrieve local machine users. Let me preface by saying this is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.