Rowland,
I did forget to change it. Is it as simple as renaming now or did I
screw up?
On 1/2/2015 12:18 PM, Rowland Penny wrote:
> On 02/01/15 17:07, James wrote:
>> Rowland,
>>
>> I had a typo in my hosts file which is the reason my initial DNS
>> update failed. Corrected and joined again. Successfully joined and
>> updated DNS A record. I then made sure to give 'Domain users' an id
>> of 10000. I am now able to run 'getent passwd' and see all my domain
>> users! YES! However I still see something that confuses me. When I
>> run 'id tuser' I get the following.
>>
>> uid=2155(tuser) gid=2002(domain_users)
>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>
>> Why is the uid 2155 and not 10001?
>>
>>
>>
>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>> On 02/01/15 16:57, James wrote:
>>>> Rowland,
>>>>
>>>> I've gotten a bit further. It appears my use of '.local' is
>>>> causing the issue from what I've researched. I ran
>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully
>>>> join the domain.
>>>>
>>>> Enter administrator@DOMAIN.LOCAL's password:
>>>> Using short domain name -- DOMAIN
>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>> On 02/01/15 13:41, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> If you don't mind I'd like to post my member server
>>>>>> configuration as I attempt again. This is how my member
>>>>>> server (Ubuntu 12.04) is configured after fresh install and prior
>>>>>> to Samba build. Anything I'm missing that could cause my issue as
>>>>>> I proceed? I assume no other prerequisites must be done on the
>>>>>> other DCs either? Thanks.
>>>>>>
>>>>>> # From Wiki for DC build
>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>> libcups2-dev acl
>>>>>>
>>>>>>
>>>>>> # Fstab file
>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>
>>>>>>
>>>>>> # Hosts File
>>>>>> 127.0.0.1 localhost
>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>
>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>> fe00::0 ip6-localnet
>>>>>> ff00::0 ip6-mcastprefix
>>>>>> ff02::1 ip6-allnodes
>>>>>> ff02::2 ip6-allrouters
>>>>>>
>>>>>>
>>>>>> # Hostname File
>>>>>> pfmember1.domain.local
>>>>>
>>>>> if you are referring to /etc/hostname, then it should just
>>>>> contain 'pfmember1'.
>>>>>
>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use
>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> #/network/interfaces
>>>>>> # This file describes the network interfaces available on your system
>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>
>>>>>> # The loopback network interface
>>>>>> auto lo
>>>>>> iface lo inet loopback
>>>>>>
>>>>>> # The primary network interface
>>>>>> auto eth0
>>>>>> iface eth0 inet static
>>>>>> address 172.16.232.25
>>>>>> netmask 255.255.255.0
>>>>>> gateway 172.16.232.201
>>>>>> network 172.16.232.0
>>>>>> broadcast 172.16.232.255
>>>>>> dns-search domain.local
>>>>>> dns-nameservers 172.16.232.29
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> I forgot to tell you the results were from my Domain
>>>>>>>> Controller and not the member server. Member server returned
>>>>>>>> something to the effect of 'user not found'. I am only starting
>>>>>>>> the 3 services (smbd, nmbd and winbindd) listed in the wiki.
>>>>>>>> Should I be starting Samba with command line switches to start
>>>>>>>> as a member server? Is that even possible?
>>>>>>>
>>>>>>> Hi, there are two ways of running samba4: the classic or
>>>>>>> original way that samba3 was used, or as an AD DC. If you run
>>>>>>> samba4 in the classic way, you need to start the smbd & nmbd
>>>>>>> daemons and optionally the winbind daemon. If you use samba4 as
>>>>>>> an AD DC, then you only start the samba daemon; this will start
>>>>>>> any other required daemons. You only start the samba daemon on
>>>>>>> an AD DC.
>>>>>>>
>>>>>>> As you are trying to set up a member server, you must carry out
>>>>>>> the tests on the member server.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>>>> smb.conf as a template and try again.
>>>>>>>>
>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I decided to start over with a fresh install and
>>>>>>>>>> attempted again. Only change I made was to start my mappings
>>>>>>>>>> at 10000. I gave 'Domain Users' group gid 10000 and 'tuser'
>>>>>>>>>> has uid 10001. Still didn't work btw.
>>>>>>>>>>
>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: person
>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>> objectClass: user
>>>>>>>>>> cn: Test User
>>>>>>>>>> sn: User
>>>>>>>>>> givenName: Test
>>>>>>>>>> instanceType: 4
>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>> displayName: Test User
>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>> name: Test User
>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>> codePage: 0
>>>>>>>>>> countryCode: 0
>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>> uid: tuser
>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>> uidNumber: 10001
>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>> gidNumber: 10000
>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>
>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with
>>>>>>>>>>>>>>>> a gid but I'm still unable to view them using 'id'. I
>>>>>>>>>>>>>>>> do notice a few strange observations. If I go to
>>>>>>>>>>>>>>>> another user to attempt to assign a uid, I get the
>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I set
>>>>>>>>>>>>>>>> the first user with uid 2000. Groups however appear to
>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the
>>>>>>>>>>>>>>>>>> Winbind user/group mapping'. Wbinfo works as expected
>>>>>>>>>>>>>>>>>> but not
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by
>>>>>>>>>>>>>>>>>> saying this is a Ubuntu 12.04 server with Samba
>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD
>>>>>>>>>>>>>>>>>>>> Member Server) and I have a question after reading
>>>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>>> member server to successfully join and service
>>>>>>>>>>>>>>>>>>>> file shares?
>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to
>>>>>>>>>>>>>>>>>>> your new member server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> My key is available at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute
>>>>>>>>>>>>>>>>> to at least the Domain Users group. The numbers that
>>>>>>>>>>>>>>>>> you add must be within the range you set in your
>>>>>>>>>>>>>>>>> smb.conf; again, if you followed the wiki, this will be
>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache
>>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>
>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>
>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>>>> using the std windows start number 10000, which is the way I
>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing
>>>>>>>>> this on:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>> security = ADS
>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>> winbind enum users = yes
>>>>>>>>> winbind enum groups = yes
>>>>>>>>> winbind use default domain = yes
>>>>>>>>> winbind expand groups = 4
>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>> winbind normalize names = Yes
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>> printcap name = cups
>>>>>>>>> cups options = raw
>>>>>>>>> usershare allow guests = yes
>>>>>>>>> domain master = no
>>>>>>>>> local master = no
>>>>>>>>> preferred master = no
>>>>>>>>> os level = 20
>>>>>>>>> map to guest = bad user
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>>
>>>>>>>>> Compare it with yours; I can assure you it works.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>> OK, you have *now* found out one of the reasons you shouldn't use
>>> the .local suffix
>>>
>>> But does anything else work?
>>>
>>> Rowland
>>
>> --
>> -James
>
> OK, well it seems to be a step in the right direction :-)
>
> Have you changed 'EXAMPLE' in these lines:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE:schema_mode = rfc2307
>
> They need to be changed for your *WORKGROUP* name.
>
> Rowland
>
>
--
-James
On 02/01/15 17:26, James wrote:
> Rowland,
>
> I did forget to change it. Is it as simple as renaming now or did
> I screw up?

Just change it, stop samba and winbind, run 'net cache flush' and
restart samba & winbind.

Rowland
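The fix Rowland gives above (rename 'EXAMPLE' to the workgroup, flush the cache, restart) and his earlier rule that uidNumber/gidNumber values must lie within the range set in smb.conf can both be checked mechanically. The following is an added example, not code from this thread or from the Samba project: a small Python checker that reads the idmap lines of an smb.conf, reports a missing or mismatched per-domain block and overlapping ranges, classifies the numbers in an `id` output line by the idmap range they fall in, and tests the rfc2307 attributes of a user entry against the workgroup's range. It assumes the workgroup is DOMAIN (the short domain name printed by the join in the thread); the two smb.conf texts, the `id` line and the LDIF fragment are constructed from values quoted in the thread, and the Samba parameter names are the real ones.

```python
"""Idmap consistency checker for a Samba AD member server (added example, not
code from this thread or the Samba project). Assumes workgroup DOMAIN, taken from
the join output quoted in the thread; all inputs below are constructed from
values quoted in the thread."""
import re

# Constructed: Rowland's template copied with 'EXAMPLE' left unchanged.
SMB_CONF_BROKEN = """\
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""
# Constructed: the same file after 'EXAMPLE' is replaced by the workgroup name.
SMB_CONF_FIXED = SMB_CONF_BROKEN.replace("EXAMPLE", "DOMAIN")
# The 'id tuser' output quoted in the thread.
ID_OUTPUT = ("uid=2155(tuser) gid=2002(domain_users) "
             "groups=2002(domain_users),2004(remote_desktop_users_group),"
             "2001(BUILTIN\\users)")
# Constructed from the ldbedit output in the thread (relevant attributes only).
TUSER_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""

WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
ID_RE = re.compile(r"(\d+)\(([^)]+)\)")
RFC2307_RE = re.compile(r"^(uidNumber|gidNumber):\s*(\d+)\s*$", re.M)


def parse_smb_conf(text):
    """Return (workgroup, {domain: {param: value}}) from the idmap config lines."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[key] = val
    return workgroup, idmap


def parse_range(spec):
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def domain_ranges(idmap):
    return {d: parse_range(c["range"]) for d, c in idmap.items() if "range" in c}


def check_idmap(text):
    """Return a list of findings; an empty list means the idmap config is consistent."""
    workgroup, idmap = parse_smb_conf(text)
    if workgroup is None:
        return ["no workgroup set"]
    findings = []
    if "backend" not in idmap.get("*", {}):
        findings.append("no 'idmap config * : backend' line")
    if workgroup not in idmap:
        # With no block for the workgroup, every SID from the domain is
        # allocated by the '*' backend instead of being read from AD.
        findings.append(f"no 'idmap config {workgroup}' block: domain SIDs fall back to '*'")
        stale = [d for d in idmap if d != "*"]
        if stale:
            findings.append(f"idmap config present for {', '.join(stale)} but workgroup is {workgroup}")
    ranges = domain_ranges(idmap)
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings


def classify_ids(id_output, text):
    """Map each name in an 'id' line to the idmap domain whose range holds its number."""
    _, idmap = parse_smb_conf(text)
    ranges = domain_ranges(idmap)
    result = {}
    for num, name in ID_RE.findall(id_output):
        n = int(num)
        result[name] = next((d for d, (lo, hi) in ranges.items() if lo <= n <= hi), None)
    return result


def check_rfc2307_ids(ldif, text):
    """Report uidNumber/gidNumber values that lie outside the workgroup's idmap range."""
    workgroup, idmap = parse_smb_conf(text)
    if workgroup not in idmap or "range" not in idmap[workgroup]:
        return [f"no range configured for {workgroup}"]
    lo, hi = parse_range(idmap[workgroup]["range"])
    return [f"{attr}={n} outside {workgroup} range {lo}-{hi}"
            for attr, n in RFC2307_RE.findall(ldif) if not lo <= int(n) <= hi]
```

Run against the broken text, `check_idmap` reports the missing DOMAIN block and the stale EXAMPLE block, and every number in the quoted `id tuser` line classifies as coming from the '*' range: that is why tuser got 2155 from the tdb allocator rather than its uidNumber 10001. With the fixed text, tuser's uidNumber and gidNumber fall inside the DOMAIN range, while BUILTIN\users still classifies under '*', because BUILTIN is not part of the AD domain and is always served by the default backend. Mappings already handed out stay cached until winbind is restarted and `net cache flush` is run, as Rowland says.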
Rowland,
That did it! Thank you so much. I do have a question regarding the
'getent' command before setting up file shares. When I run 'getent
group Domain\ Users' I get
domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
Why does it show these specific users? I would assume it would only show
my 'tuser'. I don't have uids set for anyone else.
On 1/2/2015 12:38 PM, Rowland Penny wrote:> On 02/01/15 17:26, James wrote:
>> Rowland,
>>
>> I did forget to change it. Is it as simple as renaming now or did
>> I screw up?
>>
>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>> On 02/01/15 17:07, James wrote:
>>>> Rowland,
>>>>
>>>> I had a typo in my hosts file which is the reason my
initial
>>>> DNS update failed. Corrected and joined again. Successfully
joined
>>>> and updated DNS A record. I then made sure to give 'Domain
users' a
>>>> id of 10000. I am now able to run' getent passwd' and
see all my
>>>> domain users! YES! However I still see something that confuses
me.
>>>> When I run 'id tuser' I get the following.
>>>>
>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>
groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>
>>>> Why is the uid 2155 and not 10001?
>>>>
>>>>
>>>>
>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>> On 02/01/15 16:57, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> I've gotten a bit further. It appears my use of
'.local' is
>>>>>> causing the issue from what I've researched. I ran
>>>>>> '|/etc/init.d/avahi-daemon stop'. |This allowed
me to
>>>>>> successfully join the domain.
>>>>>>
>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>> Using short domain name -- DOMAIN
>>>>>> Joined 'PFMEMBER1' to dns domain
'domain.local'
>>>>>> DNS Update for pfmember1.local failed:
ERROR_DNS_UPDATE_FAILED
>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>> ||
>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> If you don't mind I'd like to post my member server
>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>> server (Ubuntu 12.04) is configured after fresh install and
>>>>>>>> prior to Samba build. Anything I'm missing that could cause my
>>>>>>>> issue as I proceed? I assume no other prerequisites must be
>>>>>>>> done on the other DCs either? Thanks.
>>>>>>>>
>>>>>>>> # From Wiki for DC build
>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>>>> libcups2-dev acl
>>>>>>>>
>>>>>>>>
>>>>>>>> # Fstab file
>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>
>>>>>>>>
>>>>>>>> # Hosts File
>>>>>>>> 127.0.0.1 localhost
>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>
>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>> fe00::0 ip6-localnet
>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>
>>>>>>>>
>>>>>>>> # Hostname File
>>>>>>>> pfmember1.domain.local
>>>>>>>
>>>>>>> if you are referring to /etc/hostname, then it should just
>>>>>>> contain 'pfmember1'.
>>>>>>>
>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use
>>>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> #/network/interfaces
>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>
>>>>>>>> # The loopback network interface
>>>>>>>> auto lo
>>>>>>>> iface lo inet loopback
>>>>>>>>
>>>>>>>> # The primary network interface
>>>>>>>> auto eth0
>>>>>>>> iface eth0 inet static
>>>>>>>> address 172.16.232.25
>>>>>>>> netmask 255.255.255.0
>>>>>>>> gateway 172.16.232.201
>>>>>>>> network 172.16.232.0
>>>>>>>> broadcast 172.16.232.255
>>>>>>>> dns-search domain.local
>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>> I forgot to tell you the results were from my Domain
>>>>>>>>>> Controller and not the member server. Member server returned
>>>>>>>>>> something to the effect of 'user not found'. I am only
>>>>>>>>>> starting the 3 services (smbd, nmbd and winbindd) listed in
>>>>>>>>>> the wiki. Should I be starting Samba with command line
>>>>>>>>>> switches to start as a member server? Is that even possible?
>>>>>>>>>
>>>>>>>>> Hi, there are two ways of running samba4, the classic or
>>>>>>>>> original way that samba3 was used, or as an AD DC. If you run
>>>>>>>>> samba4 in the classic way, you need to start the smbd & nmbd
>>>>>>>>> daemons and optionally the winbind daemon. If you use samba4
>>>>>>>>> as an AD DC, then you only start the samba daemon; this will
>>>>>>>>> start any other required daemons. You only start the samba
>>>>>>>>> daemon on an AD DC.
>>>>>>>>>
>>>>>>>>> As you are trying to set up a member server, you must carry
>>>>>>>>> out the tests on the member server.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>>>>>> smb.conf as a template and try again.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I decided to start over with a fresh install and
>>>>>>>>>>>> attempted again. Only change I made was to start my
>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 10000
>>>>>>>>>>>> and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>
>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>> sn: User
>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>> name: Test User
>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group
>>>>>>>>>>>>>>>>>> with a gid but I'm still unable to view them using
>>>>>>>>>>>>>>>>>> 'id'. I do notice a few strange observations. If I go
>>>>>>>>>>>>>>>>>> to another user to attempt to assign a uid, I get the
>>>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I
>>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups however
>>>>>>>>>>>>>>>>>> appear to increment.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at
>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. Wbinfo
>>>>>>>>>>>>>>>>>>>> works as expected but not
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will
>>>>>>>>>>>>>>>>>>>> only retrieve local machine users. Let me preface
>>>>>>>>>>>>>>>>>>>> by saying this is a Ubuntu 12.04 server with Samba
>>>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba
>>>>>>>>>>>>>>>>>>>>>> AD Member Server) and I have a question after
>>>>>>>>>>>>>>>>>>>>>> reading the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>>>>> member server to successfully join and service
>>>>>>>>>>>>>>>>>>>>>> file shares?
>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to
>>>>>>>>>>>>>>>>>>>>> your new memberserver
>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> My key is at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>>>>>> backend. For this to work, you need to add
>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a
>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain Users
>>>>>>>>>>>>>>>>>>> group. The numbers that you add must be between the
>>>>>>>>>>>>>>>>>>> range you set in your smb.conf, again if you
>>>>>>>>>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache
>>>>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>
>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>>>>>> using the std windows start number 10000, which is the way I
>>>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing
>>>>>>>>>>> this on:
>>>>>>>>>>>
>>>>>>>>>>> [global]
>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>> security = ADS
>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>> printcap name = cups
>>>>>>>>>>> cups options = raw
>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>> domain master = no
>>>>>>>>>>> local master = no
>>>>>>>>>>> preferred master = no
>>>>>>>>>>> os level = 20
>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>
>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>> OK, you have *now* found out one of the reasons you shouldn't use
>>>>> the .local suffix
>>>>>
>>>>> But does anything else work?
>>>>>
>>>>> Rowland
>>>>
>>>> --
>>>> -James
>>>
>>> OK, well it seems to be a step in the right direction :-)
>>>
>>> Have you changed 'EXAMPLE' in these lines:
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config EXAMPLE : backend = ad
>>> idmap config EXAMPLE : range = 10000-999999
>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>
>>> They need to be changed for your *WORKGROUP* name.
>>>
>>> Rowland
>>>
>>>
>>
>> --
>> -James
>
> Just change it, stop samba and winbind, run 'net cache flush' and
> restart samba & winbind.
>
> Rowland
>
--
-James
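Rowland's diagnosis in the thread (the idmap lines still named EXAMPLE rather than the real workgroup, so tuser was allocated uid 2155 from the default '*' tdb range 2000-9999 instead of the AD range) can be checked mechanically before restarting winbind. The following is an added example, not code from the thread or from Samba; the smb.conf fragments are constructed from the settings posted above, and the parser only understands the 'workgroup' and 'idmap config' lines.

```python
import re

# Constructed smb.conf fragments (not from the thread): BEFORE still carries the
# template's EXAMPLE name while the workgroup is DOMAIN; AFTER is Rowland's fix.
BEFORE = """\
[global]
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""
AFTER = BEFORE.replace("EXAMPLE", "DOMAIN")

WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)
# Accepts 'idmap config DOM : opt = val' and the spaceless 'idmap config DOM:opt = val'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:=\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return (workgroup, {domain: {option: value}}); Samba treats the names case-insensitively."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        if m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def id_range(opts):
    """Parse the 'lo-hi' range of one idmap block into (lo, hi)."""
    return tuple(int(x) for x in opts["range"].split("-"))

def idmap_source(conf, xid):
    """Name the idmap domain whose range contains xid ('*' is the default tdb backend)."""
    for dom, opts in parse_idmap(conf)[1].items():
        if "range" in opts and id_range(opts)[0] <= xid <= id_range(opts)[1]:
            return dom
    return None

def check_idmap(conf):
    """Return findings as strings; an empty list means the idmap layout is consistent."""
    workgroup, domains = parse_idmap(conf)
    findings = []
    if workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' block: {workgroup} ids come from the '*' range")
    elif domains[workgroup].get("backend", "").lower() != "ad":
        findings.append(f"{workgroup} backend is not 'ad': uidNumber/gidNumber in AD are ignored")
    return findings
```

With BEFORE, check_idmap reports the missing DOMAIN block and idmap_source(BEFORE, 2155) answers '*', which is exactly the symptom in the thread; with AFTER the check is clean and 10001 resolves to DOMAIN.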