Hi all,

I'm quite stuck here at the moment. I have tried this multiple times to get built and can't seem to get it working properly. I have a test virtual server running as a domain controller with Samba 4.1.15 using (9.10.1) bind_dlz as the back end and all works properly. I have the server set up as domain controller and have added a user and I can look that user up with the samba-tool command.

I cannot however get the users to appear when I issue any of the commands such as id or getent.

I have followed the following articles located here and both seem to compile and configure without issue.

Samba Domain Controller: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Introduction
Samba Domain Member: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Introduction

Kerberos works fine as I can run kinit and kdestroy on both the DC and member server and they work fine. Time is set to the default time servers right now as installed by the ntp install, but both servers are in sync for their time and working correctly.

On the member server, I am able to get it bound to the domain without issue and I can see that it adds its name into the DNS service. I cannot however get it to look up any users either, which is odd, since when I set up a SAMBA3 server to be a member server, I am able to get winbindd, smbd, and nmbd playing nicely together and can look users up without issue against the DC.

I'm not exactly sure what I'm missing here so I thought I would turn to the list. I saw on the list last week that there was a similar issue but that was with an actual Windows DC and not a Samba DC, so that issue doesn't apply to me here.

Here is the relevant information (I think) that's needed and I appreciate any help anyone can provide me with in order to get this working properly.

Base systems are both Debian Wheezy 64 Bit with all applied updates and patches.

Samba: 4.1.15 (compiled by hand on both)
Samba: 4.1.15 on member server: ./configure --with-ads --with-shared-modules=idmap_ad
Bind: 9.10.1 (compiled by hand on DC)

SMB.CONF file on DC Server
================================================
# Global parameters
[global]
        workgroup = DIGIDNS
        realm = DIGIDNS.PRIVATE
        netbios name = DC01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/digidns.private/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[home]
        path = /home/
        read only = no
================================================

SMB.CONF file on member Server
================================================
[global]
        netbios name = fs
        workgroup = DIGIDNS
        security = ADS
        realm = DIGIDNS.PRIVATE
        encrypt passwords = yes

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config DIGIDNS:backend = ad
        idmap config DIGIDNS:schema_mode = rfc2307
        idmap config DIGIDNS:range = 500-40000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
================================================

nsswitch.conf file on member server:
================================================
passwd:         compat winbind
group:          compat winbind
shadow:         compat
================================================

Please let me know if you need any other information or if it's best for me to attend clown college instead... especially if it's to attend clown college.

Thanks,
David
On 14/01/15 21:46, David Thompson wrote:
> Hi all,
>
> I'm quite stuck here at the moment. I have tried this multiple times to get built and can't seem to get it working properly. I have a test virtual server running as a domain controller with Samba 4.1.15 using (9.10.1) bind_dlz as the back end and all works properly. I have the server set up as domain controller and have added a user and I can look that user up with the samba-tool command.
>
> I cannot however get the users to appear when I issue any of the commands such as id or getent.
>
> I have followed the following articles located here and both seem to compile and configure without issue.
>
> Samba Domain Controller: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Introduction
> Samba Domain Member: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Introduction
>
> Kerberos works fine as I can run kinit and kdestroy on both the DC and member server and they work fine. Time is set to the default time servers right now as installed by the ntp install, but both servers are in sync for their time and working correctly.
>
> On the member server, I am able to get it bound to the domain without issue and I can see that it adds its name into the DNS service.
> I cannot however get it to look up any users either, which is odd, since when I set up a SAMBA3 server to be a member server, I am able to get winbindd, smbd, and nmbd playing nicely together and can look users up without issue against the DC.
>
> I'm not exactly sure what I'm missing here so I thought I would turn to the list. I saw on the list last week that there was a similar issue but that was with an actual Windows DC and not a Samba DC, so that issue doesn't apply to me here.
>
> Here is the relevant information (I think) that's needed and I appreciate any help anyone can provide me with in order to get this working properly.
>
> Base systems are both Debian Wheezy 64 Bit with all applied updates and patches.
>
> Samba: 4.1.15 (compiled by hand on both)
> Samba: 4.1.15 on member server: ./configure --with-ads --with-shared-modules=idmap_ad
> Bind: 9.10.1 (compiled by hand on DC)
>
> SMB.CONF file on DC Server
> ================================================
> # Global parameters
> [global]
>         workgroup = DIGIDNS
>         realm = DIGIDNS.PRIVATE
>         netbios name = DC01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/digidns.private/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> [home]
>         path = /home/
>         read only = no
> ================================================
>
> SMB.CONF file on member Server
> ================================================
> [global]
>         netbios name = fs
>         workgroup = DIGIDNS
>         security = ADS
>         realm = DIGIDNS.PRIVATE
>         encrypt passwords = yes
>
>         idmap config *:backend = tdb
>         idmap config *:range = 70001-80000
>         idmap config DIGIDNS:backend = ad
>         idmap config DIGIDNS:schema_mode = rfc2307
>         idmap config DIGIDNS:range = 500-40000
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
> ================================================
>
> nsswitch.conf file on member server:
> ================================================
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> ================================================
>
> Please let me know if you need any other information or if it's best for me to attend clown college instead... especially if it's to attend clown college.
>
> Thanks,
> David

Hi,

I take it as read that you have joined the domain and that /etc/resolv.conf has the DC as the first or only nameserver.

The first thing that comes to mind is, have you given your users a uidNumber inside the range '500-40000'?

What is in /etc/krb5.conf?

Rowland
On Wed, 14 Jan 2015, David Thompson wrote:
> Kerberos works fine as I can run kinit and kdestroy on both the DC and member server and they work fine. Time is set to the default time servers right now as installed by the ntp install, but both servers are in sync for their time and working correctly.
>
> On the member server, I am able to get it bound to the domain without issue and I can see that it adds its name into the DNS service.
> I cannot however get it to look up any users either, which is odd, since when I set up a SAMBA3 server to be a member server, I am able to get winbindd, smbd, and nmbd playing nicely together and can look users up without issue against the DC.

Make sure winbind is actually running on the member server.

Also, make sure your users actually have uid and gid attributes in ldap. If not, I don't think they will show up (I use sssd, so my winbind is rusty). If wbinfo -u does show users, but getent passwd does not, this is likely your problem. Make sure you use the --uid-number and --gid-number options when you create users with samba-tool, or you can add them with ADUC, or you can use scripts like http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
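The two checks suggested above (Rowland's question about uidNumber values inside the 500-40000 idmap range, and Sketch's point that winbind enumerating a user while getent cannot resolve it points at missing RFC2307 attributes) can be run as one script on the member server. This is an added example written for this thread, not code from the list or from the Samba project. The range limits are taken from the posted smb.conf; the sample wbinfo and getent outputs are constructed; the live section assumes the host is already joined so that wbinfo, getent and net ads search -P (machine-account credentials) work there.

```shell
#!/bin/sh
# Added example for this thread, not Samba code: compare the users winbind
# enumerates (wbinfo -u) with the users NSS resolves (getent passwd) and
# explain the usual cause of a gap on an "idmap config DIGIDNS:backend = ad"
# member: a user with no uidNumber, or one outside the configured range.

IDMAP_LOW=500      # from "idmap config DIGIDNS:range = 500-40000"
IDMAP_HIGH=40000

# Constructed sample outputs standing in for a live member server. With
# "winbind use default domain = yes" wbinfo -u prints bare user names.
SAMPLE_WBINFO='alice
bob
carol'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
alice:*:1001:513::/home/DIGIDNS/alice:/bin/false
carol:*:2001:513::/home/DIGIDNS/carol:/bin/false'

# uid_in_range UID: succeed only for a numeric UID inside the AD idmap range.
uid_in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# users_missing_from_nss WBINFO_OUTPUT GETENT_OUTPUT: print, one per line,
# every user winbind enumerates that NSS cannot resolve.
users_missing_from_nss() {
    nss_names=$(printf '%s\n' "$2" | cut -d: -f1)
    printf '%s\n' "$1" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\n' "$nss_names" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
}

# diagnose_uid UIDNUMBER: turn a user's uidNumber attribute (empty when the
# attribute is absent) into the fix the thread describes.
diagnose_uid() {
    if [ -z "$1" ]; then
        echo "no uidNumber: create the user with samba-tool user create --uid-number/--gid-number, or add the RFC2307 attributes afterwards"
    elif uid_in_range "$1"; then
        echo "uidNumber $1 is inside the idmap range; check that winbindd answers (wbinfo -p) and that nsswitch.conf lists winbind"
    else
        echo "uidNumber $1 is outside the idmap range $IDMAP_LOW-$IDMAP_HIGH; winbind will not map it"
    fi
}

# Live run, only where the winbind client tools exist (assumed: a joined
# member server). Elsewhere the functions above still work on sample data.
if command -v wbinfo >/dev/null 2>&1 && command -v getent >/dev/null 2>&1; then
    wbinfo -p >/dev/null 2>&1 || echo "winbindd is not answering (wbinfo -p failed)"
    users_missing_from_nss "$(wbinfo -u 2>/dev/null)" "$(getent passwd)" |
    while IFS= read -r user; do
        # Fetch uidNumber from AD with the machine account (-P) of the joined host.
        uidnum=$(net ads search -P "(sAMAccountName=$user)" uidNumber 2>/dev/null |
                 sed -n 's/^uidNumber: //p')
        echo "$user: $(diagnose_uid "$uidnum")"
    done
fi
```

On the constructed sample, bob is the only user winbind lists that NSS does not, and with an empty uidNumber the diagnosis is the samba-tool --uid-number/--gid-number fix from the reply above; a uidNumber such as 70005 would instead be reported as outside the DIGIDNS range (it falls in the tdb "*" range, which is only used for unmapped SIDs).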
Seems to be the same problem as last week. I also couldn't get a member server to run. wbinfo worked while getent didn't.

Is there any detailed instruction for sssd?

Tim

On 14 January 2015 23:42:20 CET, Sketch <smblist at rednsx.org> wrote:
> On Wed, 14 Jan 2015, David Thompson wrote:
>
>> Kerberos works fine as I can run kinit and kdestroy on both the DC and member server and they work fine. Time is set to the default time servers right now as installed by the ntp install, but both servers are in sync for their time and working correctly.
>>
>> On the member server, I am able to get it bound to the domain without issue and I can see that it adds its name into the DNS service.
>> I cannot however get it to look up any users either, which is odd, since when I set up a SAMBA3 server to be a member server, I am able to get winbindd, smbd, and nmbd playing nicely together and can look users up without issue against the DC.
>
> Make sure winbind is actually running on the member server.
>
> Also, make sure your users actually have uid and gid attributes in ldap. If not, I don't think they will show up (I use sssd, so my winbind is rusty). If wbinfo -u does show users, but getent passwd does not, this is likely your problem. Make sure you use the --uid-number and --gid-number options when you create users with samba-tool, or you can add them with ADUC, or you can use scripts like http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html