Hello list

Samba newbie here, looking for help.
I am trying to follow the samba wiki to setup a domain controller and an attendant file server. I built samba from 4.7.1 source and I am installing on a set of Centos 7 VMs.

So far everything looks ok, but when I run smbclient on the DC I get the following, and can't see the domain presented:

[root at testbox ~]# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.7.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

On the file server joined to the domain:

[root at testfsrv ~]# smbclient -L testbox -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.7.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

        Sharename       Type      Comment
        ---------       ----      -------
        Anonymous       Disk
        IPC$            IPC       IPC Service (Samba 4.7.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        SAMDOM               TESTFSRV

Please can someone tell me what I am doing wrong?

My smb.confs are:

DC:

# Global parameters
[global]
    dns forwarder = 8.8.8.8
    netbios name = TESTBOX
    realm = SAMDOM.TESTING.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/%m.log
    log level = 3
    tls enabled = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

File server:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.TESTING.COM
    log file = /var/log/samba/%m.log
    log level = 1
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM:unix_primary_group = yes
    template shell = /bin/bash
    template homedir = /share/%U
    username map = /usr/local/samba/etc/user.map
    map to guest = Bad User

[Anonymous]
    path = /anonymous
    writable = yes
    browsable = yes
    guest ok = yes
    guest only = yes
    create mode = 0777
    directory mode = 0777

On Thu, 9 Nov 2017 11:19:02 +0100 Sina Owolabi via samba <samba at lists.samba.org> wrote:

> Hello list
>
> Samba newbie here, looking for help.
> I am trying to follow the samba wiki to setup a domain controller and
> an attendant file server. I built samba from 4.7.1 source and I am
> installing on a set of Centos 7 VMs.
>
> So far everything looks ok, but when I run smbclient on the DC I get
> the following, and can't see the domain presented:
>
> Please can someone tell me what I am doing wrong?

Not reading the release notes ;-)

See here:

https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed

'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' banner when connecting to the first server.

Rowland

On Thu, 9 Nov 2017 12:56:35 +0100 Sina Owolabi <notify.sina at gmail.com> wrote:

> Thanks a lot :-)
> Does this mean my current configuration is correct?
>

Yes, as far as it goes, as long as you have added uidNumber attributes to the users in AD, containing a unique number inside the range '10000-999999', they also have a gidNumber that points to a group that has a gidNumber attribute containing the same number and this number is also inside the '10000-999999' range.
NOTE: these uidNumber & gidNumber attributes are not added automatically.

I would also add:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland

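
Added example, not part of the thread and not Samba project code: a Python check of the conditions Rowland lists above (uidNumber present and inside the configured range, gidNumber matched by a group inside the same range), run against an LDIF export of the directory. The smb.conf fragment, the LDIF entries and the function names idmap_range and audit are constructed for illustration.

```python
import re

# Constructed sample data, not from the thread; LDIF unwrapped, one value per attribute.
SMB_CONF = "idmap config * : range = 3000-7999\nidmap config SAMDOM:range = 10000-999999\n"
LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: group
gidNumber: 10000

dn: CN=alice,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
gidNumber: 10000

dn: CN=carol,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
uidNumber: 5000
"""

def idmap_range(conf, domain):
    """Read 'idmap config DOMAIN : range = LOW-HIGH'; spacing around ':' varies."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.M | re.I)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def audit(conf, ldif, domain="SAMDOM"):
    """Map each problem user's dn to the conditions from the thread that it fails."""
    low, high = idmap_range(conf, domain)
    in_range = lambda n: n is not None and low <= int(n) <= high
    entries = [dict(line.split(": ", 1) for line in block.splitlines())
               for block in re.split(r"\n\s*\n", ldif.strip())]
    group_gids = {e.get("gidNumber") for e in entries if e.get("objectClass") == "group"}
    report = {}
    for e in (e for e in entries if e.get("objectClass") == "user"):
        uid, gid, problems = e.get("uidNumber"), e.get("gidNumber"), []
        if uid is None:
            problems.append("no uidNumber")
        elif not in_range(uid):
            problems.append(f"uidNumber {uid} outside {low}-{high}")
        if not in_range(gid) or gid not in group_gids:
            problems.append(f"gidNumber missing or not matched by a group in {low}-{high}")
        report[e["dn"]] = problems
    return {dn: p for dn, p in report.items() if p}
```
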
Thanks Rowland!

My current configs are:

DC:

# Global parameters
[global]
    dns forwarder = 8.8.8.8
    netbios name = TESTBOX
    realm = SAMDOM.TESTING.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/%m.log
    log level = 3
    tls enabled = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    winbind enum groups = Yes
    winbind enum users = Yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM:unix_primary_group = yes
    template shell = /bin/bash
    template homedir = /share/%U
    username map = /usr/local/samba/etc/user.map

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Domain member/file server:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.TESTING.COM
    log file = /var/log/samba/%m.log
    log level = 1
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    winbind enum groups = Yes
    winbind enum users = Yes
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM:unix_primary_group = yes
    template shell = /bin/bash
    template homedir = /share/%U
    username map = /usr/local/samba/etc/user.map
    map to guest = Bad User

[Anonymous]
    path = /anonymous
    writable = yes
    browsable = yes
    guest ok = yes
    guest only = yes
    create mode = 0777
    directory mode = 0777

[Demo]
    path = /srv/samba/Demo/
    read only = no

I was trying to walk through the creating shares bit and I noticed that getent passwd and getent group don't work.
Am I missing something else?

On Thu, Nov 9, 2017 at 1:13 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 9 Nov 2017 12:56:35 +0100
> Sina Owolabi <notify.sina at gmail.com> wrote:
>
>> Thanks a lot :-)
>> Does this mean my current configuration is correct?
>>
>
> Yes, as far as it goes, as long as you have added uidNumber attributes
> to the users in AD, containing a unique number inside the range
> '10000-999999', they also have a gidNumber that points to a group that
> has a gidNumber attribute containing the same number and this number is
> also inside the '10000-999999' range.
> NOTE: these uidNumber & gidNumber attributes are not added
> automatically.
>
> I would also add:
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> Rowland