Carlos Alberto Borges Garcia
2013-Aug-28 23:11 UTC
[Samba] Samba4 Member Server not working
Hi,

I have one Samba4 server running as Active Directory Domain Controller.
It's working like a charm.

So I needed to add another server to be a Member Server (File Server).

The server is running samba-4.0.9.

Configured and compiled ok:

./configure --prefix=/usr/local/samba --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads --with-shared-modules=idmap_ad,pam

Installed ok.

Kerberos OK.
I can run kinit and klist

root@MYNETSRV08:/etc/samba# kinit Administrator
Password for Administrator@MYNET.NET:
root@MYSRV08:/etc/samba#

root@MYNETSRV08:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYNET.NET

Valid starting     Expires            Service principal
28/08/2013 19:59  29/08/2013 05:59  krbtgt/MYNET.NET@MYNET.NET
        renew until 29/08/2013 19:59
root@MYNETSRV08:/etc/samba#

My SMB.CONF is below:

[global]

   workgroup = MYNET
   security = ADS
   realm = MYNET.NET
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config MYNET:backend = ad
   idmap config MYNET:schema_mode = rfc2307

   idmap config MYNET:range = 500-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

[test]
   path = /mnt/files
   read only = no

I can add my server to domain:

root@PCOSRV08:/etc/samba# net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYNET
Joined 'MYNETSRV08' to dns domain 'mynet.net'
root@MYNETSRV08:/etc/samba#

libnss_winbind.so is in the right place:

root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
/lib/libnss_winbind.so /lib/libnss_winbind.so.2

The libs are loaded fine:

root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_ldap.so.2 -> libnss_ldap.so.2
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
libnss_wins.so -> libnss_wins.so.2
libnss_winbind.so -> libnss_winbind.so.2
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
root@MYNETSRV08:/etc/samba#

I added winbind to my nsswitch.conf

passwd: compat winbind
group: compat winbind

I can start the daemons without issues:

smbd
nmbd
winbindd

"wbinfo -u" lists all my domain users

"wbinfo -g" lists all my domain groups

Here are the problems:

When I run "getent passwd", it lists only the local users.

When I run "id Administrator", it returns "No such user".

If I try to access the share defined in smb.conf, the server does not
recognize my user/password.

I'm lost.

Thanks in advance.

--
http://www.endomondo.com/profile/3312580
See: " http://naofoiacidente.org/blog/por-quem/ "

On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> Hi,
>
> I have one Samba4 server running as Active Directory Domain Controller.
> It's working like a charm.
>
> So I needed to add another server to be a Member Server (File Server).
>
> The server is running samba-4.0.9.
>
> Configured and compiled ok:
>
> ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> --with-shared-modules=idmap_ad,pam
>
> Installed ok.
>
> Kerberos OK.
> I can run kinit and klist
>
> root@MYNETSRV08:/etc/samba# kinit Administrator
> Password for Administrator@MYNET.NET:
> root@MYSRV08:/etc/samba#
>
> root@MYNETSRV08:/etc/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@MYNET.NET
>
> Valid starting     Expires            Service principal
> 28/08/2013 19:59  29/08/2013 05:59  krbtgt/MYNET.NET@MYNET.NET
>         renew until 29/08/2013 19:59
> root@MYNETSRV08:/etc/samba#
>
> My SMB.CONF is below:
>
> [global]
>
> workgroup = MYNET
> security = ADS
> realm = MYNET.NET
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
>
> idmap config MYNET:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> [test]
> path = /mnt/files
> read only = no
>
> I can add my server to domain:
>
> root@PCOSRV08:/etc/samba# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- MYNET
> Joined 'MYNETSRV08' to dns domain 'mynet.net'
> root@MYNETSRV08:/etc/samba#
>
> libnss_winbind.so is in the right place:
>
> root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>
> The libs are loaded fine:
>
> root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_ldap.so.2 -> libnss_ldap.so.2
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> libnss_wins.so -> libnss_wins.so.2
> libnss_winbind.so -> libnss_winbind.so.2
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> root@MYNETSRV08:/etc/samba#
>
> I added winbind to my nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
>
> I can start the daemons without issues:
>
> smbd
> nmbd
> winbindd
>
> "wbinfo -u" lists all my domain users
>
> "wbinfo -g" lists all my domain groups
>
> Here are the problems:
>
> When I run "getent passwd", it lists only the local users.

For performance reasons, by default we do not list users in the AD
domain. See winbind enum users in your smb.conf

> When I run "id Administrator", it returns "No such user".

You need to use 'id MYNET\\administrator'

> If I try to access the share defined in smb.conf, the server does not
> recognize my user/password.

Can you give more detail on this part of the issue, and include logs
etc?

Thanks,

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz