Hi Rowland,

I forgot to tell you the results were from my Domain Controller and not the member server. Member server returned something to the effect of 'user not found'. I am only starting the 3 services (smbd, nmbd and winbindd) listed in the wiki. Should I be starting Samba with command line switches to start as a member server? Is that even possible?

Thanks for your smb.conf. I will attempt again using your smb.conf as a template and try again.

On 12/31/2014 2:20 PM, Rowland Penny wrote:
> On 31/12/14 19:07, James wrote:
>> Rowland,
>>
>> I decided to start over with a fresh install and attempted again.
>> Only change I made was to start my mappings at 10000. I gave 'Domain
>> Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>
>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Test User
>> sn: User
>> givenName: Test
>> instanceType: 4
>> whenCreated: 20141231172021.0Z
>> displayName: Test User
>> uSNCreated: 477557
>> name: Test User
>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>> userAccountControl: 66048
>> codePage: 0
>> countryCode: 0
>> pwdLastSet: 130645200220000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>> accountExpires: 9223372036854775807
>> sAMAccountName: tuser
>> sAMAccountType: 805306368
>> userPrincipalName: tuser@domain.local
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>> unixUserPassword: ABCD!efgh12345$67890
>> uid: tuser
>> msSFU30Name: tuser
>> msSFU30NisDomain: domain
>> uidNumber: 10001
>> loginShell: /bin/sh
>> unixHomeDirectory: /home/tuser
>> gidNumber: 10000
>> whenChanged: 20141231185807.0Z
>> uSNChanged: 477620
>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>
>>
>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>> On 31/12/14 18:28, James wrote:
>>>> Hi Rowland,
>>>>
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>>
>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>
>>>>
>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>> On 31/12/14 17:55, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I did. Unfortunately something is still amiss. I do receive a
>>>>>> response from 'getent group domain users'(users:x:100).
>>>>>>
>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I set a user with a uid and domain users group with a gid
>>>>>>>> but I'm still unable to view them using 'id'. I do notice a few
>>>>>>>> strange observations. If I go to another user to attempt to
>>>>>>>> assign a uid. I get the default value of 10000. I would expect
>>>>>>>> 2001 given I set the first user with uid 2000. Groups however
>>>>>>>> appear to increment.
>>>>>>>>
>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>> Hello Stefan,
>>>>>>>>>>
>>>>>>>>>> I learned the hard way about .local. I understand going
>>>>>>>>>> forward.
>>>>>>>>>>
>>>>>>>>>> I do have an issue with the member server. Following along
>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind user/group
>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>
>>>>>>>>>> # id DomainUser
>>>>>>>>>>
>>>>>>>>>> # getent passwd
>>>>>>>>>>
>>>>>>>>>> # getent group
>>>>>>>>>>
>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>
>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>
>>>>>>>>>> etc.
>>>>>>>>>>
>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>> retrieve local machine users. Let me preface by saying this
>>>>>>>>>> is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>> Hello James,
>>>>>>>>>>>
>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba AD Member
>>>>>>>>>>>> Server)
>>>>>>>>>>>> and I have a question after reading the 'Set up a basic
>>>>>>>>>>>> smb.conf'
>>>>>>>>>>>> section.
>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>
>>>>>>>>>>>> Do I need to extend the schema in order for my member
>>>>>>>>>>>> server to
>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>
>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new
>>>>>>>>>>> memberserver
>>>>>>>>>>> Stefan
>>>>>>>>>>>
>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>> Landweg 13
>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign
>>>>>>>>>>> your e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>
>>>>>>>>>>> My key is available at
>>>>>>>>>>>
>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend.
>>>>>>>>> For this to work, you need to add 'uidNumber' attributes to
>>>>>>>>> your users and a 'gidNumber' attribute to at least the Domain
>>>>>>>>> Users group. The numbers that you add must be between the
>>>>>>>>> range you set in your smb.conf, again if you followed the
>>>>>>>>> wiki, this will be between 500-40000.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>> You have restarted samba, haven't you ?
>>>>>>> You may have to wait a short time, or clear the cache with 'net
>>>>>>> cache flush'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>
>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>> OK, install ldb-tools if not already installed, then run:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>
>>> Post the (sanitized) result
>>>
>>> Rowland
>>>
>>
>
> OK, you added that user with ADUC (RSAT) and as such you are using the
> std windows start number 10000, which is the way I run samba. Here is
> my smb.conf from the laptop I am writing this on:
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE : schema_mode = rfc2307
> printcap name = cups
> cups options = raw
> usershare allow guests = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> Compare it with yours, I can assure you it works.
>
> Rowland
>

--
-James
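The requirement stated in the thread, that the 'uidNumber' and 'gidNumber' values must fall inside the range set for the 'ad' backend, can be checked offline against an smb.conf and an ldbedit dump. This is an added example, not part of the thread or of Samba: the function names are hypothetical, the sample inputs are constructed from the values quoted above, and the workgroup-name and range-overlap checks go beyond what the thread states.

```python
import re

# Constructed sample input: a subset of the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.COM
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed sample input: the relevant attributes of the ldbedit output in
# the thread, plus a group record built from "gave 'Domain Users' gid 10000".
USER_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
primaryGroupID: 513
uidNumber: 10001
"""
GROUP_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=domain,DC=local
sAMAccountName: Domain Users
gidNumber: 10000
"""

IDMAP_RE = re.compile(r"^idmap config\s+([^\s:]+)\s*:\s*(\S.*?)\s*=\s*(.+)$", re.I)


def parse_smb_conf(text):
    """Return (workgroup, {DOMAIN: {option: value}}); sections are not tracked."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        elif line.lower().startswith("workgroup") and "=" in line:
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap


def parse_range(value):
    """Split 'LOW-HIGH' into two integers."""
    low, high = (int(part) for part in value.split("-", 1))
    return low, high


def parse_ldif(text):
    """Attributes of one LDIF record, keys lowercased (last value wins)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith((" ", "#")):
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


def check_mapping(smb_conf, ldif, id_attr):
    """List the reasons the 'ad' backend could not map this record.

    id_attr is 'uidNumber' for a user or 'gidNumber' for a group.
    """
    workgroup, idmap = parse_smb_conf(smb_conf)
    domain = idmap.get(workgroup or "")
    if domain is None:
        # The idmap domain name has to be the workgroup (NetBIOS domain) name.
        return [f"no 'idmap config {workgroup} : ...' lines for the workgroup"]
    problems = []
    if domain.get("backend", "").lower() != "ad":
        problems.append(f"backend for {workgroup} is not 'ad'")
    if "range" not in domain:
        return problems + [f"no range set for {workgroup}"]
    low, high = parse_range(domain["range"])
    default = idmap.get("*", {})
    if "range" in default:
        d_low, d_high = parse_range(default["range"])
        if low <= d_high and d_low <= high:
            problems.append("domain range overlaps the '*' default range")
    attrs = parse_ldif(ldif)
    name = attrs.get("samaccountname", "?")
    value = attrs.get(id_attr.lower())
    if value is None:
        problems.append(f"{name}: no {id_attr} attribute in AD")
    elif not low <= int(value) <= high:
        problems.append(f"{name}: {id_attr} {value} outside {low}-{high}")
    return problems


if __name__ == "__main__":
    for ldif, attr in ((USER_LDIF, "uidNumber"), (GROUP_LDIF, "gidNumber")):
        print(attr, check_mapping(SMB_CONF, ldif, attr) or "ok")
```

An empty list means the record passes these static checks only; it says nothing about whether winbindd is running or the NSS lookup works on the member server.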
On 01/01/15 00:07, James wrote:
> Hi Rowland,
>
> I forgot to tell you the results were from my Domain Controller
> and not the member server. Member server returned something to the
> effect of 'user not found'. I am only starting the 3
> services (smbd, nmbd and winbindd) listed in the wiki. Should I be
> starting Samba with command line switches to start as a member server?
> Is that even possible?

Hi, there are two ways of running samba4, the classic or original way that samba3 was used, or as an AD DC. If you run samba4 in the classic way, you need to start the smbd & nmbd daemons and optionally the winbind daemon. If you use samba4 as an AD DC, then you only start the samba daemon, this will start any other required daemons, you only start the samba daemon on an AD DC.

As you are trying to set up a member server, you must carry out the tests on the member server.

Rowland

>
> Thanks for your smb.conf. I will attempt again using your smb.conf
> as a template and try again.
>
> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>> On 31/12/14 19:07, James wrote:
>>> Rowland,
>>>
>>> I decided to start over with a fresh install and attempted
>>> again. Only change I made was to start my mappings at 10000. I gave
>>> 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still
>>> didn't work btw.
Hi Rowland,

Thanks for the clarification. I have been performing all tests on the member server. I will attempt again.

On 1/1/2015 4:34 AM, Rowland Penny wrote:
> On 01/01/15 00:07, James wrote:
>> Hi Rowland,
>>
>> I forgot to tell you the results were from my Domain Controller
>> and not the member server. Member server returned something to the
>> effect of 'user not found'. I am only starting the 3
>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be
>> starting Samba with command line switches to start as a member
>> server? Is that even possible?
>
> Hi, there are two ways of running samba4, the classic or original way
> that samba3 was used, or as an AD DC. If you run samba4 in the classic
> way, you need to start the smbd & nmbd daemons and optionally the
> winbind daemon. If you use samba4 as an AD DC, then you only start the
> samba daemon, this will start any other required daemons, you only
> start the samba daemon on an AD DC.
>
> As you are trying to set up a member server, you must carry out the
> tests on the member server.
>
> Rowland
>
>>
>> Thanks for your smb.conf. I will attempt again using your smb.conf
>> as a template and try again.
>>
>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>> On 31/12/14 19:07, James wrote:
>>>> Rowland,
>>>>
>>>> I decided to start over with a fresh install and attempted
>>>> again. Only change I made was to start my mappings at 10000. I gave
>>>> 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still
>>>> didn't work btw.

--
-James
Hi Rowland,

If you don't mind I'd like to post my member server configuration as I attempt again. This is how my member server (Ubuntu 12.04) is configured after fresh install and prior to Samba build. Anything I'm missing that could cause my issue as I proceed? I assume no other prerequisites must be done on the other DC's either? Thanks.

# From Wiki for DC build

apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl

# Fstab file

ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

# Hosts File

127.0.0.1 localhost
172.16.232.25 pfmember1.domain.local pfmember1

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# Hostname File

pfmember1.domain.local

# /network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 172.16.232.25
netmask 255.255.255.0
gateway 172.16.232.201
network 172.16.232.0
broadcast 172.16.232.255
dns-search domain.local
dns-nameservers 172.16.232.29

On 1/1/2015 4:34 AM, Rowland Penny wrote:
> On 01/01/15 00:07, James wrote:
>> Hi Rowland,
>>
>> I forgot to tell you the results were from my Domain Controller
>> and not the member server. Member server returned something to the
>> effect of 'user not found'. I am only starting the 3
>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be
>> starting Samba with command line switches to start as a member
>> server? Is that even possible?

--
-James