On Wed, 25 Feb 2015 10:18:04 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:

> OK, going to need more info here, can you post the smb.conf you have
> tried so far. You mention that you want to use the LDAP and Kerberos
> provided by samba, this will mean that you will need to run samba4 as
> an AD DC, yet you refer to creating users with pdbedit?

If there is another way to create users I have not discovered it yet. At
the moment I do not have the windows boxes in house yet, so I have no
native MS-Windows tools.

The following smb4.conf is hand tweaked from a sample I found on the
net. The one generated by samba-tool would not even allow a connection
to be made using smbclient.

------------------cut here-------------------------------------------
# Global parameters
[global]
        workgroup = WYNN
        auth methods = pam sam winbind
        kerberos method = secrets and keytab
        local master = yes
        netbios name = PRD2
        log level = 4
        # dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, winreg, srvsvc
        realm = WYNN.COM
        os level = 20
        username map = /var/db/samba4/private/users.map
        client max protocol = SMB3
        # server min protocol = SMB3
        hide dot files = no
        winbind trusted domains only = yes
        # server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, smb
        winbind use default domain = yes
        dns forwarder = 199.89.147.3
        domain logons = yes
        smb encrypt = yes
        security = user
        encrypt passwords = yes
        preferred master = yes
        # idmap_ldb:use rfc2307 = yes
        wins support = true
        server role = active directory domain controller

        # kerberos stuff
        #
        # security = ADS
        # password server = prd2.wynn.com
[netlogon]
        path = /var/db/samba4/sysvol/wynn.com/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[archive]
        writeable = yes
        browseable = yes
        valid users = wynkoop
        write list = wynkoop, @wheel
        user = wynkoop
        path = /archive
        force user = wynkoop
        comment = /archive
        # revalidate = yes
        # vfs objects = zfsacl
        # nfs4:mode = special
        # nfs4:chown = yes
        # zfsacl:acesort = dontcare
--------------------cut here-----------------

Oddball word wraps are the fault of my mail client.

So I hope someone can show me my error. This samba was built last night
on FreeBSD 10.1 from ports and is version 4.1.17.

-Brett

-- 
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925

The Second Amendment extends, prima facie, to all instruments that
constitute bearable arms, even those that were not in existence at the
time of the founding. ~ Justice Scalia
On 25/02/15 19:31, Brett Wynkoop wrote:
> On Wed, 25 Feb 2015 10:18:04 +0000
> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> OK, going to need more info here, can you post the smb.conf you
>> have tried so far. You mention that you want to use the LDAP and
>> Kerberos provided by samba, this will mean that you will need to
>> run samba4 as an AD DC, yet you refer to creating users with
>> pdbedit?
>
> If there is another way to create users I have not discovered it
> yet. At the moment I do not have the windows boxes in house yet, so I
> have no native MS-Windows tools.
>
> The following smb4.conf is hand tweaked from a sample I found on the
> net. The one generated by samba-tool would not even allow a
> connection to be made using smbclient.
>
> ------------------cut here-------------------------------------------
> # Global parameters
> [global]
>         workgroup = WYNN
>         auth methods = pam sam winbind
>         kerberos method = secrets and keytab
>         local master = yes
>         netbios name = PRD2
>         log level = 4
>         # dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
>         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, winreg, srvsvc
>         realm = WYNN.COM
>         os level = 20
>         username map = /var/db/samba4/private/users.map
>         client max protocol = SMB3
>         # server min protocol = SMB3
>         hide dot files = no
>         winbind trusted domains only = yes
>         # server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
>         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, smb
>         winbind use default domain = yes
>         dns forwarder = 199.89.147.3
>         domain logons = yes
>         smb encrypt = yes
>         security = user
>         encrypt passwords = yes
>         preferred master = yes
>         # idmap_ldb:use rfc2307 = yes
>         wins support = true
>         server role = active directory domain controller
>
>         # kerberos stuff
>         #
>         # security = ADS
>         # password server = prd2.wynn.com
>
> [netlogon]
>         path = /var/db/samba4/sysvol/wynn.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/db/samba4/sysvol
>         read only = No
>
> [archive]
>         writeable = yes
>         browseable = yes
>         valid users = wynkoop
>         write list = wynkoop, @wheel
>         user = wynkoop
>         path = /archive
>         force user = wynkoop
>         comment = /archive
>         # revalidate = yes
>         # vfs objects = zfsacl
>         # nfs4:mode = special
>         # nfs4:chown = yes
>         # zfsacl:acesort = dontcare
> --------------------cut here-----------------
>
> Oddball word wraps are the fault of my mail client.
>
> So I hope someone can show me my error. This samba was built last
> night on FreeBSD 10.1 from ports and is version 4.1.17.
>
> -Brett

OK, you would appear to be running samba4 in AD mode, i.e. you
provisioned it.

You have now tried to add things to your smb.conf to make it work like
samba3, this will not work! Put your smb.conf back to what it was like
just after the provision and then go and read the samba wiki:
https://wiki.samba.org/index.php/Main_Page and search the internet on
how to run an Active Directory domain. This will probably entail adding
'uidNumber' attributes to your AD users and 'gidNumber' attributes to
some of your AD groups.

As for creating users & groups, samba 4 comes with 'samba-tool'. For
more info on this, run 'samba-tool --help' or 'samba-tool user add
--help'; you can also run 'man samba-tool'.

Rowland
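Rowland's point above, that NT4/samba3-style parameters have no place in an AD DC's smb.conf, can be turned into a quick lint. The script below is an added example written for this thread, not code from the Samba project or from either poster. The list of parameters it flags is my own choice, drawn from the settings in the posted config; the sample config it writes is constructed (including a deliberately misplaced share-level line to show that only [global] is checked); it assumes a POSIX sh with awk and mktemp.

```shell
#!/bin/sh
# Added example: flag NT4/samba3-style [global] parameters in an smb.conf
# that is configured as an AD DC. LEGACY_PARAMS is my own selection based
# on the config posted in this thread, not a list published by Samba.
LEGACY_PARAMS='auth methods|domain logons|encrypt passwords|password server|security|local master|preferred master|os level'

# awk prologue shared by both checks: skip comment lines (# or ;) and keep
# the current section name, lower-cased, in "sec".
TRACK_SECTION='
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { sec = tolower($0); sub(/^[ \t]*\[/, "", sec)
                    i = index(sec, "]"); if (i) sec = substr(sec, 1, i - 1); next }
'

# find_legacy_params FILE
# Prints, one per line, each [global] parameter whose name is in
# LEGACY_PARAMS. A commented-out "# security = ADS" is not reported, nor is
# anything in a share section. Names are lower-cased and runs of blanks
# collapsed, so "Security" and "domain  logons" still match.
find_legacy_params() {
    awk -v pat="$LEGACY_PARAMS" "$TRACK_SECTION"'
        sec == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            key = tolower(key)
            gsub(/[ \t]+/, " ", key)
            if (match(key, "^(" pat ")$")) print key
        }' "$1"
}

# is_ad_dc FILE
# Succeeds when [global] sets "server role = active directory domain controller".
is_ad_dc() {
    awk "$TRACK_SECTION"'
        sec == "global" && tolower($0) ~ /^[ \t]*server[ \t]+role[ \t]*=[ \t]*active directory domain controller[ \t]*$/ { found = 1 }
        END { exit !found }' "$1"
}

# write_sample_conf FILE
# Writes a constructed config modelled on the thread: provisioned as an AD
# DC, then given NT4-style settings on top. The dns forwarder is a
# documentation address, not the one from the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Global parameters
[global]
        workgroup = WYNN
        realm = WYNN.COM
        netbios name = PRD2
        server role = active directory domain controller
        dns forwarder = 192.0.2.53
        idmap_ldb:use rfc2307 = yes
        auth methods = pam sam winbind
        domain logons = yes
        encrypt passwords = yes
        Security = user
        # security = ADS
        # password server = prd2.wynn.com

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No
        # the next line is misplaced on purpose: share sections are not linted
        domain logons = yes
EOF
}

# lint_file FILE
# Usage on the DC itself: lint_file /usr/local/etc/smb4.conf
# (run "testparm -s > parsed.conf" first if you want to lint the config as
# samba actually parses it).
lint_file() {
    if is_ad_dc "$1"; then
        echo "$1: server role is AD DC; NT4-style parameters found in [global]:"
        find_legacy_params "$1"
    else
        echo "$1: not an AD DC config, nothing to check"
    fi
}

tmp=$(mktemp)
write_sample_conf "$tmp"
lint_file "$tmp"
rm -f "$tmp"
```

On the constructed sample the lint reports auth methods, domain logons, encrypt passwords and security; the commented-out lines and the share-level entry are left alone, which is exactly the distinction Rowland draws between a freshly provisioned config and one with samba3 settings layered on top.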
On Wed, 25 Feb 2015 19:48:07 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:

> OK, you would appear to be running samba4 in AD mode, i.e. you
> provisioned it.
>
> You have now tried to add things to your smb.conf to make it work
> like samba3, this will not work! Put your smb.conf back to what it
> was like just after the provision and then go and read the samba
> wiki: https://wiki.samba.org/index.php/Main_Page and search the
> internet on how to run an Active Directory domain. This will probably
> entail adding 'uidNumber' attributes to your AD users and 'gidNumber'
> attributes to some of your AD groups.
>
> As for creating users & groups, samba 4 comes with 'samba-tool'. For
> more info on this, run 'samba-tool --help' or 'samba-tool user add
> --help'; you can also run 'man samba-tool'.
>
> Rowland

The config file produced by samba-tool produced a server that would
allow no connections. Here is the samba-tool produced config:

root@prd2:/usr/local/etc # cat smb4.conf.initial
# Global parameters
[global]
        workgroup = WYNN
        realm = WYNN.COM
        netbios name = PRD2
        server role = active directory domain controller
        dns forwarder = 199.89.147.1
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/db/samba4/sysvol/wynn.com/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

This is not the first time you have said "read the documentation". I
have 30 years as a Unix admin and have been reading and writing
documentation for as long. I will point out that the first time I came
to this group with this issue I had spent 3 weeks reading everything I
could find on the web to find a solution. This included the official
docs as well as any other source that seemed to have any information.

Now after a couple of months away from the project because of other
matters that were more pressing at the time I have returned to the
problem. I did the same due diligence before I made my most recent
request for help.
It is most refreshing to get the answer RTFM yet again.

Thank you for all your help.

-Brett

-- 
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

Amendment III
No soldier shall, in time of peace be quartered in any house, without
the consent of the owner, nor in time of war, but in a manner to be
prescribed by law.
On Wed, 25 Feb 2015 19:48:07 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:

> As for creating users & groups, samba 4 comes with 'samba-tool'. For
> more info on this, run 'samba-tool --help' or 'samba-tool user add
> --help'; you can also run 'man samba-tool'.
>
> Rowland

Nothing in the samba-tool man page speaks to setting a specific UID for
a specific USER. Please show me the passage in the samba-tool docs that
speaks to this. I am on 4.1.17.

I could be wrong, but I believe I am finding documentation bugs and
shortcomings. It would make sense for the project to fix documentation
if it leaves systems staff uninformed after reading it.

Thank you.

-Brett

-- 
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

Amendment I
Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of
speech, or of the press; or the right of the people peaceably to
assemble, and to petition the government for a redress of grievances.
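For the specific question in this message, giving one existing AD user a fixed uidNumber, the route that does not depend on any particular samba-tool release is an LDIF change applied to sam.ldb with ldbmodify, after looking the account's DN up with ldbsearch. The script below is an added example written for this thread, not Samba project code and not anything the posters wrote. It assumes the private directory /var/db/samba4/private seen in the posted config (override with SAM_LDB), that ldbsearch and ldbmodify are on the PATH on the DC, and that the user lives under CN=Users with CN equal to the account name when no lookup is done; the account name and id values are constructed. Newer samba-tool releases also accept --uid-number and --gid-number on 'user create', but whether 4.1.17 does is not something this thread settles, so the example does not rely on it.

```shell
#!/bin/sh
# Added example: build and apply an LDIF change that gives an AD user an
# RFC2307 uidNumber/gidNumber. Paths below are assumptions taken from the
# config posted in this thread, not Samba defaults.
SAM_LDB=${SAM_LDB:-/var/db/samba4/private/sam.ldb}   # assumed private dir
MIN_ID=1000   # ids below this are treated as reserved for local/system accounts

# make_rfc2307_ldif DN UID GID
# Prints an LDIF "modify" record. "replace" is used rather than "add" so
# the same record works whether or not the attributes already exist.
# Both ids must be numeric and at least MIN_ID, so a typo cannot hand an
# AD account uid 0 or another system uid.
make_rfc2307_ldif() {
    dn=$1; uidn=$2; gidn=$3
    for n in "$uidn" "$gidn"; do
        case $n in
            ''|*[!0-9]*) echo "id '$n' is not numeric" >&2; return 1 ;;
        esac
        [ "$n" -ge "$MIN_ID" ] || { echo "id $n is below $MIN_ID" >&2; return 1; }
    done
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uidn"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gidn"
}

# default_dn ACCOUNT BASE_DN
# The DN samba-tool normally creates for a user: CN equal to the account
# name, in the default CN=Users container (an assumption, hence the lookup
# in apply_rfc2307).
default_dn() {
    printf 'CN=%s,CN=Users,%s\n' "$1" "$2"
}

# id_in_use UID
# Succeeds if some account already resolves to UID through NSS (local
# passwd or winbind). Checked before applying, so two accounts never end
# up sharing a uid on the DC.
id_in_use() {
    getent passwd "$1" >/dev/null 2>&1
}

# apply_rfc2307 ACCOUNT UID GID
# Looks the real DN up in sam.ldb instead of trusting default_dn, then
# applies the LDIF with ldbmodify (which reads LDIF from stdin when no
# file is given). Needs root on the DC.
apply_rfc2307() {
    if id_in_use "$2"; then
        echo "uid $2 already resolves to an account, refusing" >&2
        return 1
    fi
    dn=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$1)" dn | sed -n 's/^dn: //p')
    [ -n "$dn" ] || { echo "no account named $1 in $SAM_LDB" >&2; return 1; }
    make_rfc2307_ldif "$dn" "$2" "$3" | ldbmodify -H "$SAM_LDB"
}

# Dry run with constructed values; nothing is written anywhere.
make_rfc2307_ldif "$(default_dn wynkoop DC=wynn,DC=com)" 10001 10001
# On the DC itself:  apply_rfc2307 wynkoop 10001 10001
```

The uid check against getent is the part worth keeping even if the rest is replaced by a samba-tool option: a uidNumber that collides with a local FreeBSD account gives two identities the same file ownership on the DC, and nothing in AD itself prevents that.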