I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04). If I connect to the server via \\smb.wie (its dns name) I can access netlogon and sysvol. If I connect via its IP then I can access all my shares (test as an example) - but either way I cannot connect to the other (I do see them though). Windows always tells me the login credentials would be wrong for the other one.

This is my config:

[global]
    netbios name = SRV
    realm = SMB.WIE
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = SMB
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

    interfaces = bond0:0
    bind interfaces only = yes

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    winbind nested groups = No
    #winbind separator = +

    idmap backend = tdb
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000 - 20000

    passdb backend = tdbsam # should be default

    domain logons = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/smb.wie/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[test]
    path = /usr/local/samba/var/locks/sysvol/test
    read only = No

And this the access rights:

Result of ll /usr/local/samba/var/locks/sysvol/test

    drwxrwx---+ 5 root users 4096 Nov 1 19:42 ./

Result of ll /usr/local/samba/var/locks/sysvol

    drwxrwx---+ 5 root users 4096 Nov 1 19:50 ./

log.smbd only tells me the server started successfully and log.samba throws the following warning which I found on the net to ignore:

    samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.

I guess it is due to this error that profile synchronization also does not work which is why I need to fix this.

On Sat, 05 Nov 2016 07:06:19 +0100 Maximilian Kirchner via samba <samba at lists.samba.org> wrote:

> I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04).
> If I connect to the server via \\smb.wie (its dns name) I can access
> netlogon and sysvol. If I connect via its IP then I can access all my
> shares (test as an example) - but either way I cannot connect to the
> other (I do see them though). Windows always tells me the login
> credentials would be wrong for the other one.
>
> This is my config:
>
> [global]
> netbios name = SRV
> realm = SMB.WIE
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = SMB
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> interfaces = bond0:0
> bind interfaces only = yes
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind nested groups = No
> #winbind separator = +
>
> idmap backend = tdb
> idmap uid = 10000 - 20000
> idmap gid = 10000 - 20000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000 - 20000
>
> passdb backend = tdbsam # should be default
>
> domain logons = yes
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/smb.wie/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [test]
> path = /usr/local/samba/var/locks/sysvol/test
> read only = No
>
> And this the access rights:
> Result of ll /usr/local/samba/var/locks/sysvol/test
>
> drwxrwx---+ 5 root users 4096 Nov 1 19:42 ./
> Result of ll /usr/local/samba/var/locks/sysvol
>
> drwxrwx---+ 5 root users 4096 Nov 1 19:50 ./
> log.smbd only tells me the server started successfully and log.samba
> throws the following warning which I found on the net to ignore:
> samba: setproctitle not initialized, please either call
> setproctitle_init() or link against libbsd-ctor.
>
> I guess it is due to this error that profile synchronization also
> does not work which is why I need to fix this.

This is obviously a DC so you should remove the domain member components from your smb.conf:

    idmap backend = tdb
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000 - 20000

    passdb backend = tdbsam # should be default

    domain logons = yes

They will not work on a DC.

You should also remove:

    winbind use default domain = Yes

for the same reason.

As you are trying to use the 'rid' backend, I take it you haven't given your users and groups any uidNumber or gidNumber attributes.

Can I suggest you try reading the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Paying attention to:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

https://wiki.samba.org/index.php/Implementing_roaming_profiles

Rowland

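The check described in the reply above can be automated. The following is an added example, not part of the thread or of Samba: it flags the [global] parameters that the reply names as domain-member settings when the server role is an AD DC. The parameter list is taken from that message only, and the function names and sample text are assumptions made for illustration.

```python
import re

# Parameters the reply above says to remove on a DC (from that message only).
MEMBER_ONLY = [
    r"idmap backend", r"idmap uid", r"idmap gid", r"idmap config .+",
    r"passdb backend", r"domain logons", r"winbind use default domain",
]
DC_ROLE = "active directory domain controller"

def parse_global(text):
    """Return [(lineno, key, value)] for the [global] section."""
    section, out = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and extra whitespace
            out.append((n, " ".join(key.lower().split()), value.strip()))
    return out

def member_params_on_dc(text):
    """List (lineno, key) of member-only settings if the role is AD DC."""
    params = parse_global(text)
    role = next((v.lower() for _, k, v in params if k == "server role"), "")
    if " ".join(role.split()) != DC_ROLE:
        return []
    return [(n, k) for n, k, _ in params
            if any(re.fullmatch(p, k) for p in MEMBER_ONLY)]

# Constructed sample: a shortened copy of the smb.conf posted in the thread.
SAMPLE = """\
[global]
    server role = active directory domain controller
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    idmap backend = tdb
    idmap uid = 10000 - 20000
    idmap config DOMAIN : backend = rid
    passdb backend = tdbsam # should be default
    domain logons = yes
[test]
    path = /usr/local/samba/var/locks/sysvol/test
"""
```

Calling `member_params_on_dc(SAMPLE)` returns the line number and normalised name of each setting to remove; a file whose server role is not an AD DC yields an empty list.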
Thanks for the reply Rowland (and sorry for replying twice). I actually used the wiki you linked to setup the dc. I just added those idmap settings because getent could not list my samba users after setting it up, due to your mail I realised I only needed the winbind options to make it work.

The original problem still remains though, using \\SMB.WIE I can only access netlogon and sysvol, using \\192.168.1.50 I can only access the shares.

I am not sure if I understand your comment about the rid backend: I added users with the samba-tool:

    samba-tool user create kirchner

After that getent shows the user with ids:

    getent passwd kirchner
    SMB\kirchner:*:3000016:100::/home/SMB/kirchner:/bin/false

So the user seems to have an id for user and group and I can use this uid to give access to files on the server.

2016-11-05 9:08 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sat, 05 Nov 2016 07:06:19 +0100
> Maximilian Kirchner via samba <samba at lists.samba.org> wrote:
>
> > I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04).
> > If I connect to the server via \\smb.wie (its dns name) I can access
> > netlogon and sysvol. If I connect via its IP then I can access all my
> > shares (test as an example) - but either way I cannot connect to the
> > other (I do see them though). Windows always tells me the login
> > credentials would be wrong for the other one.