I try to set up a small ADS infrastructure: 1 Samba ADS controller, 1 Samba file server, 2 Linux and 6 Windows clients. Starting with controller and file server, quite a lot of things work, but not everything. Here it starts getting complicated: looking for manuals and googling for error messages leads to lots of different advice for different versions... not easy. There are open questions, but I am not sure where the best point to start is - I'll give it a try:

File server and Linux clients shall use the AD backend, so I read and followed <https://wiki.samba.org/index.php/Idmap_config_ad>. There it says:

"Whichever setting you use, the group (or groups) set as the users primary group must have the gidNumber attribute set"

If I look at the group "Domain Users" the gidNumber attribute is not set at all. The group is created automatically while provisioning the server, and I can neither find an option to set the gid, nor a way to alter it later on. Can I?

Just in case the above text was the wrong question: the actual *practical* problem that hit me after installation is:

| root@fileserver:~# net ads user -UAdministrator
| Enter Administrator's password:
| Guest
| test
| Administrator
| krbtgt
| root@fileserver:~# wbinfo -u
| guest
| test
| administrator
| krbtgt
| root@fileserver:~# wbinfo -i test
| failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
| Could not get info for user test
| root@fileserver:~# wbinfo -n test
| S-1-5-21-734461581-300303633-3375534526-1120 SID_USER (1)

I found the hint that I need resolvable gidNumbers for accounts in order for this to work - and as this does not seem to be the case, I try to resolve that first.

(Of course, configuration or log files can be provided if helpful - there are just too many files on two machines, so I'd rather post whatever seems to be helpful.)

The only log message I consider relevant right now is in log.nmbd on the file server:

| [2019/06/13 19:14:02.586604,  0] ../source3/nmbd/nmbd_serverlistdb.c:340(write_browse_list)
|   write_browse_list: Fatal error - cannot find my workgroup SAMDOM

But again, googling this did not enlighten me, especially as:

| root@herakles:~# net ads workgroup
| Workgroup: SAMDOM
| root@fileserver:~# net ads testjoin
| Join is OK

Any hints are welcome...

Bye,
Stefan

-- 
The power of knowledge! Stefan, comfort in the hours of wrath!
Sloganizer, https://www.poetron-zone.de/
On 13/06/2019 18:21, Stefan Froehlich via samba wrote:
> I try to set up a small ADS infrastructure: 1 Samba ADS controller,
> 1 Samba file server, 2 Linux and 6 Windows clients. Starting with
> controller and file server, quite a lot of things work, but not
> everything. Here it starts getting complicated: looking for manuals
> and googling for error messages leads to lots of different advice
> for different versions... not easy. There are open questions, but
> I am not sure where the best point to start is - I'll give it a try:
>
> File server and Linux clients shall use the AD backend, so I read
> and followed <https://wiki.samba.org/index.php/Idmap_config_ad>.
> There it says:
>
> "Whichever setting you use, the group (or groups) set as the users
> primary group must have the gidNumber attribute set"

I thought that was plain enough, but obviously not ;-)

All domain users are members of the 'Domain Users' group as their primary group, and to make the group known to the Unix OS it must have a gidNumber attribute. Also, winbind relies on the group being known to the Unix OS; if it isn't, then (whatever you do) no users will be known to the Unix OS. There are very few domain users and groups that need to be known to Unix.

> If I look at the group "Domain Users" the gidNumber attribute is not
> set at all. The group is created automatically while provisioning
> the server, and I can neither find an option to set the gid, nor a
> way to alter it later on. Can I?

By default, no rfc2307 attributes are added to AD; you have to do this manually. It used to be easy from Windows using the Unix Attributes tab in ADUC, but this has been removed from Windows 10.

The easiest way is to script around ldb-tools or ldap-utils.

> Just in case the above text was the wrong question: the actual
> *practical* problem that hit me after installation is:
>
> | root@fileserver:~# net ads user -UAdministrator
> | Enter Administrator's password:
> | Guest
> | test
> | Administrator
> | krbtgt
> | root@fileserver:~# wbinfo -u
> | guest
> | test
> | administrator
> | krbtgt
> | root@fileserver:~# wbinfo -i test
> | failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> | Could not get info for user test

This should have worked.

> | root@fileserver:~# wbinfo -n test
> | S-1-5-21-734461581-300303633-3375534526-1120 SID_USER (1)
>
> I found the hint that I need resolvable gidNumbers for accounts in
> order for this to work - and as this does not seem to be the case,
> I try to resolve that first.
>
> (Of course, configuration or log files can be provided if helpful -
> there are just too many files on two machines, so I'd rather post
> whatever seems to be helpful.)
>
> The only log message I consider relevant right now is in log.nmbd
> on the file server:
>
> | [2019/06/13 19:14:02.586604,  0] ../source3/nmbd/nmbd_serverlistdb.c:340(write_browse_list)
> |   write_browse_list: Fatal error - cannot find my workgroup SAMDOM
>
> But again, googling this did not enlighten me, especially as:
>
> | root@herakles:~# net ads workgroup
> | Workgroup: SAMDOM
> | root@fileserver:~# net ads testjoin
> | Join is OK
>
> Any hints are welcome...

This is all very strange. Let's start with the obvious: please post your smb.conf files and tell us what OS you are using.

Rowland
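Rowland's suggestion to script around ldb-tools, worked out as an added example; this is not code from the thread or from the Samba project. It assumes the default provision layout (the built-in group lives at CN=Domain Users,CN=Users under the domain base DN), a base DN of DC=samdom,DC=example,DC=com, the DC's database at /var/lib/samba/private/sam.ldb, a gidNumber of 10000 for Domain Users, and an idmap range of 10000-19999 on the file server. All of those values are assumptions, not taken from the posts; substitute your own. The script only touches the directory when run with --apply, so the LDIF it would send can be inspected first.

```sh
#!/bin/sh
# Added example (not from the thread): give 'Domain Users' a gidNumber so that
# winbind with idmap_config_ad on the member server can resolve domain users.
# Assumed values (not from the original post): base DN DC=samdom,DC=example,DC=com,
# sam.ldb at /var/lib/samba/private/sam.ldb, gidNumber 10000, idmap range 10000-19999.

SAM_LDB=/var/lib/samba/private/sam.ldb   # assumption: distro default path

# Build the LDIF that adds (or replaces) gidNumber on a group DN.
# Pure text generation, so the change can be reviewed before it is applied.
gid_ldif() {
    # $1 = group DN, $2 = gidNumber, $3 = 'add' if the attribute is absent, else 'replace'
    printf 'dn: %s\nchangetype: modify\n%s: gidNumber\ngidNumber: %s\n' "$1" "$3" "$2"
}

# Location of the built-in group after a default 'samba-tool domain provision'.
domain_users_dn() {
    # $1 = domain base DN
    printf 'CN=Domain Users,CN=Users,%s' "$1"
}

# The gidNumber has to lie inside the 'idmap config DOMAIN : range' configured
# on the member server; a value outside it is still ignored by winbind.
in_idmap_range() {
    # $1 = gid, $2 = range low, $3 = range high; exit status 0 when inside
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Apply the change on the DC. 'add' fails with an LDB error if the attribute
# already exists, so the operation is chosen from the current state of the object.
apply_domain_users_gid() {
    base_dn=$1; gid=$2; range_lo=$3; range_hi=$4
    in_idmap_range "$gid" "$range_lo" "$range_hi" || {
        echo "gid $gid is outside the idmap range $range_lo-$range_hi" >&2
        return 1
    }
    dn=$(domain_users_dn "$base_dn")
    if ldbsearch -H "$SAM_LDB" -b "$dn" -s base gidNumber | grep -q '^gidNumber:'; then
        op=replace
    else
        op=add
    fi
    gid_ldif "$dn" "$gid" "$op" | ldbmodify -H "$SAM_LDB"
}

# Nothing is written unless the script is invoked with --apply as root on the DC.
if [ "${1:-}" = "--apply" ]; then
    apply_domain_users_gid "DC=samdom,DC=example,DC=com" 10000 10000 19999
else
    # Dry run: show the LDIF that --apply would send (assumes the attribute is absent).
    gid_ldif "$(domain_users_dn "DC=samdom,DC=example,DC=com")" 10000 add
fi
```

After the change, winbind on the file server may still serve its cached negative lookup; run `net cache flush` there before re-checking with `wbinfo -i test`. The same LDIF shape (with `uidNumber` and, for users, a matching `gidNumber`) is what `samba-tool user add --uid-number --gid-number` writes for newly created accounts; the script above is only needed for objects that already exist, such as the provisioned built-in groups.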
On Thu, Jun 13, 2019 at 07:02:27PM +0100, Rowland penny via samba wrote:
> On 13/06/2019 18:21, Stefan Froehlich via samba wrote:
> > File server and Linux clients shall use the AD backend, so I read
> > and followed <https://wiki.samba.org/index.php/Idmap_config_ad>.
> > There it says:
> >
> > "Whichever setting you use, the group (or groups) set as the users
> > primary group must have the gidNumber attribute set"
>
> I thought that was plain enough, but obviously not ;-)

Yes and no.

> All domain users are members of the 'Domain Users' group as their
> primary group, and to make the group known to the Unix OS it must
> have a gidNumber attribute. Also, winbind relies on the group being
> known to the Unix OS; if it isn't, then (whatever you do) no
> users will be known to the Unix OS. There are very few domain
> users and groups that need to be known to Unix.

I did understand this (some parts were really obvious, some parts only after browsing through the docs). What I did not get was that, besides the various config files and control programs like samba-tool and net, you need to dig into the LDAP database to set the gid for "Domain Users" (at least I have basic knowledge about LDAP, but I did not need it for the last 20 years). There are:

$ samba-tool user add --gid-number --uid-number
$ samba-tool group add --gid-number

...so I was looking for a corresponding option of "samba-tool domain provision" or for something named like "samba-tool group modify".

> It used to be easy from Windows using the Unix Attributes tab in
> ADUC, but this has been removed from Windows 10.
>
> The easiest way is to script around ldb-tools or ldap-utils.

Windows is no option anyway; I only have ssh access and do all the stuff remotely. But ldbedit did the trick, thanks a lot.

> > | root@fileserver:~# wbinfo -i test
> > | failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > | Could not get info for user test
>
> This should have worked.

And - eureka! - now it does:

| root@fileserver:~# wbinfo -i test
| test:*:10001:10000::/home/test:/bin/bash

So for the moment I can continue - let's see if anything else comes up.

Thanks,
Stefan

-- 
Stefan - the laziest promotional gift there ever was.
Sloganizer, https://www.poetron-zone.de/