Hi Rowland,
If you don't mind, I'd like to post my member server configuration as
I attempt again. This is how my member server (Ubuntu 12.04) is
configured after a fresh install and prior to the Samba build. Anything I'm
missing that could cause my issue as I proceed? I assume no other
prerequisites must be done on the other DCs either? Thanks.
# From Wiki for DC build
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev
libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython
gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr
krb5-user docbook-xsl libcups2-dev acl
# Fstab file
ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
# Hosts file
127.0.0.1 localhost
172.16.232.25 pfmember1.domain.local pfmember1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# Hostname file
pfmember1.domain.local
# /network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 172.16.232.25
netmask 255.255.255.0
gateway 172.16.232.201
network 172.16.232.0
broadcast 172.16.232.255
dns-search domain.local
dns-nameservers 172.16.232.29
On 1/1/2015 4:34 AM, Rowland Penny wrote:
> On 01/01/15 00:07, James wrote:
>> Hi Rowland,
>>
>> I forgot to tell you the results were from my Domain Controller
>> and not the member server. Member server returned something to the
>> effect of 'user not found'. I am only starting the 3
>> services (smbd, nmbd and winbindd) listed in the wiki. Should I be
>> starting Samba with command line switches to start as a member
>> server? Is that even possible?
>
> Hi, there are two ways of running samba4, the classic or original way
> that samba3 was used, or as an AD DC. If you run samba4 in the classic
> way, you need to start the smbd & nmbd daemons and optionally the
> winbind daemon. If you use samba4 as an AD DC, then you only start the
> samba daemon, this will start any other required daemons, you only
> start the samba daemon on an AD DC.
>
> As you are trying to set up a member server, you must carry out the
> tests on the member server.
>
> Rowland
>
>>
>> Thanks for your smb.conf. I will attempt again using your smb.conf
>> as a template and try again.
>>
>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>> On 31/12/14 19:07, James wrote:
>>>> Rowland,
>>>>
>>>> I decided to start over with a fresh install and attempted
>>>> again. Only change I made was to start my mappings at 10000. I
>>>> gave 'Domain Users' group gid 10000 and 'tuser' has
>>>> uid 10001. Still didn't work btw.
>>>>
>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: Test User
>>>> sn: User
>>>> givenName: Test
>>>> instanceType: 4
>>>> whenCreated: 20141231172021.0Z
>>>> displayName: Test User
>>>> uSNCreated: 477557
>>>> name: Test User
>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>> userAccountControl: 66048
>>>> codePage: 0
>>>> countryCode: 0
>>>> pwdLastSet: 130645200220000000
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>> accountExpires: 9223372036854775807
>>>> sAMAccountName: tuser
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: tuser at domain.local
>>>> objectCategory:
>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>> unixUserPassword: ABCD!efgh12345$67890
>>>> uid: tuser
>>>> msSFU30Name: tuser
>>>> msSFU30NisDomain: domain
>>>> uidNumber: 10001
>>>> loginShell: /bin/sh
>>>> unixHomeDirectory: /home/tuser
>>>> gidNumber: 10000
>>>> whenChanged: 20141231185807.0Z
>>>> uSNChanged: 477620
>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>
>>>>
>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>> On 31/12/14 18:28, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> passwd: compat winbind
>>>>>> group: compat winbind
>>>>>>
>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>
>>>>>>
>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> I did. Unfortunately something is still amiss. I do receive
>>>>>>>> a response from 'getent group domain users' (users:x:100).
>>>>>>>>
>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I set a user with a uid and domain users group with a gid
>>>>>>>>>> but I'm still unable to view them using 'id'. I do notice a
>>>>>>>>>> few strange observations. If I go to another user to attempt
>>>>>>>>>> to assign a uid, I get the default value of 10000. I would
>>>>>>>>>> expect 2001 given I set the first user with uid 2000. Groups
>>>>>>>>>> however appear to increment.
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>
>>>>>>>>>>>> I learned the hard way about .local. I understand going
>>>>>>>>>>>> forward.
>>>>>>>>>>>>
>>>>>>>>>>>> I do have an issue with the member server. Following along
>>>>>>>>>>>> with the wiki I get stuck at 'Testing the Winbind
>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>
>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>
>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>
>>>>>>>>>>>> # getent group
>>>>>>>>>>>>
>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>
>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>
>>>>>>>>>>>> etc.
>>>>>>>>>>>>
>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>> retrieve local machine users. Let me preface by saying this
>>>>>>>>>>>> is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member
>>>>>>>>>>>>>> Server)
>>>>>>>>>>>>>> and I have a question after reading the 'Set up a basic
>>>>>>>>>>>>>> smb.conf'
>>>>>>>>>>>>>> section.
>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do I need to extend the schema in order for my member
>>>>>>>>>>>>> server to
>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new
>>>>>>>>>>>>> memberserver
>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>
>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>
>>>>>>>>>>>>> My key is at
>>>>>>>>>>>>>
>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to at
>>>>>>>>>>> least the Domain Users group. The numbers that you add must
>>>>>>>>>>> be between the range you set in your smb.conf, again if you
>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>> You may have to wait a short time, or clear the cache with
>>>>>>>>> 'net cache flush'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>
>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>
>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>
>>>>> Post the (sanitized) result
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>> OK, you added that user with ADUC (RSAT) and as such you are using
>>> the std windows start number 10000, which is the way I run samba.
>>> Here is my smb.conf from the laptop I am writing this on:
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> security = ADS
>>> realm = EXAMPLE.COM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> server string = Samba 4 Client %h
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> winbind expand groups = 4
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = Yes
>>> winbind normalize names = Yes
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config EXAMPLE : backend = ad
>>> idmap config EXAMPLE : range = 10000-999999
>>> idmap config EXAMPLE : schema_mode = rfc2307
>>> printcap name = cups
>>> cups options = raw
>>> usershare allow guests = yes
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>> os level = 20
>>> map to guest = bad user
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>>
>>> Compare it with yours, I can assure you it works.
>>>
>>> Rowland
>>>
>>
>
--
-James
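Rowland's point above (the 'ad' backend maps only users and groups whose uidNumber/gidNumber exist and fall inside the 'idmap config DOMAIN : range' of smb.conf) can be checked before restarting winbind. The following Python is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf built from Rowland's idmap settings and a constructed LDIF entry built from James's ldbedit output, reports any attribute that is missing or outside the range, and also flags overlapping '*' and domain ranges, which goes beyond what the thread itself states.

```python
"""Check winbind 'ad' idmap settings against a user's RFC2307 attributes.
Added example, not from the thread or the Samba project; inputs are constructed."""
import re

# Constructed from Rowland's smb.conf: only the idmap-relevant keys are kept.
SMB_CONF = """
[global]
    realm = EXAMPLE.COM
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed from the ldbedit output James posted (AD-only attributes dropped).
TUSER_LDIF = """
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uid: tuser
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/tuser
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with normalised keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            # smb.conf keys are case-insensitive; collapse internal whitespace
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def idmap_ranges(global_section):
    """Return {DOMAIN: (backend, low, high)} from 'idmap config X : ...' keys."""
    found = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (\S+) : (backend|range)", key)
        if not m:
            continue
        entry = found.setdefault(m.group(1).upper(), [None, None, None])
        if m.group(2) == "backend":
            entry[0] = value.lower()
        else:
            entry[1], entry[2] = (int(x) for x in value.split("-"))
    return {dom: tuple(entry) for dom, entry in found.items()}


def overlapping_ranges(ranges):
    """Pairs of domains whose ranges overlap; winbind requires disjoint ranges."""
    doms, clashes = sorted(ranges), []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            _, alo, ahi = ranges[a]
            _, blo, bhi = ranges[b]
            if None not in (alo, ahi, blo, bhi) and alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def check_user(attrs, ranges, domain):
    """List why the 'ad' backend would not map this user; an empty list means OK."""
    backend, low, high = ranges.get(domain, (None, None, None))
    if backend != "ad":
        return [f"'idmap config {domain} : backend = ad' is not set"]
    if low is None:
        return [f"'idmap config {domain} : range' is not set"]
    findings = []
    for attr in ("uidNumber", "gidNumber"):
        values = attrs.get(attr)
        if not values or not values[0].isdigit():
            findings.append(f"{attr} missing: the 'ad' backend has nothing to map")
        elif not low <= int(values[0]) <= high:
            findings.append(f"{attr}={values[0]} lies outside the {domain} range {low}-{high}")
    return findings
```

Run it against your own smb.conf text and the output of the ldbedit command above; an empty list from check_user means the mapping inputs are consistent and the problem lies elsewhere (cache, nsswitch, daemons).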
On 02/01/15 13:41, James wrote:
> Hi Rowland,
>
> If you don't mind, I'd like to post my member server configuration as
> I attempt again. This is how my member server (Ubuntu 12.04) is
> configured after a fresh install and prior to the Samba build. Anything I'm
> missing that could cause my issue as I proceed? I assume no other
> prerequisites must be done on the other DCs either? Thanks.
>
> # From Wiki for DC build
> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev
> libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython
> gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr
> krb5-user docbook-xsl libcups2-dev acl
>
> # Fstab file
> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>
> # Hosts file
> 127.0.0.1 localhost
> 172.16.232.25 pfmember1.domain.local pfmember1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> # Hostname file
> pfmember1.domain.local

if you are referring to /etc/hostname, then it should just contain
'pfmember1'.

Also, are you fixed on using Ubuntu 12.04, if you were to use Debian
Wheezy and backports, you wouldn't have to compile samba4.

Rowland
Hi Rowland,
Yes, '/etc/hostname'. No, I'm not fixed on Ubuntu. I'm currently
using Ubuntu for all DCs and have compiled them as well. I can
certainly try Debian Wheezy.
On 1/2/2015 8:55 AM, Rowland Penny wrote:
> On 02/01/15 13:41, James wrote:
>> Hi Rowland,
>>
>> If you don't mind, I'd like to post my member server configuration
>> as I attempt again. This is how my member server (Ubuntu 12.04) is
>> configured after a fresh install and prior to the Samba build. Anything I'm
>> missing that could cause my issue as I proceed? I assume no other
>> prerequisites must be done on the other DCs either? Thanks.
>>
>> # From Wiki for DC build
>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev
>> libgnutls-dev libreadline-dev python-dev libpam0g-dev
>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils
>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>
>>
>> # Fstab file
>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>
>>
>> # Hosts file
>> 127.0.0.1 localhost
>> 172.16.232.25 pfmember1.domain.local pfmember1
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>> # Hostname file
>> pfmember1.domain.local
>
> if you are referring to /etc/hostname, then it should just contain
> 'pfmember1'.
>
> Also, are you fixed on using Ubuntu 12.04, if you were to use Debian
> Wheezy and backports, you wouldn't have to compile samba4.
>
> Rowland
>
--
-James
Rowland,
I fail on 'Enter Administrator@DOMAIN.LOCAL's password'. I receive
'Failed to join domain: failed to connect to AD: Operations error'. I
was not prompted to enter any Kerberos info while installing the
packages either.
On 1/2/2015 8:55 AM, Rowland Penny wrote:
> On 02/01/15 13:41, James wrote:
>> Hi Rowland,
>>
>> If you don't mind, I'd like to post my member server configuration
>> as I attempt again. This is how my member server (Ubuntu 12.04) is
>> configured after a fresh install and prior to the Samba build. Anything I'm
>> missing that could cause my issue as I proceed? I assume no other
>> prerequisites must be done on the other DCs either? Thanks.
>>
>> # From Wiki for DC build
>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev
>> libgnutls-dev libreadline-dev python-dev libpam0g-dev
>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils
>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>
>>
>> # Fstab file
>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>
>>
>> # Hosts File
>> 127.0.0.1 localhost
>> 172.16.232.25 pfmember1.domain.local pfmember1
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>> # Hostname File
>> pfmember1.domain.local
>
> If you are referring to /etc/hostname, then it should just contain
> 'pfmember1'.
>
> Also, are you fixed on using Ubuntu 12.04? If you were to use Debian
> Wheezy and backports, you wouldn't have to compile samba4.
>
> Rowland
>
--
-James
Rowland,
I've gotten a bit further. It appears my use of '.local' is causing
the issue, from what I've researched. I ran '/etc/init.d/avahi-daemon
stop'. This allowed me to successfully join the domain.
Enter administrator@DOMAIN.LOCAL's password:
Using short domain name -- DOMAIN
Joined 'PFMEMBER1' to dns domain 'domain.local'
DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
--
-James
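Why stopping avahi-daemon let the join succeed: Ubuntu's default /etc/nsswitch.conf has 'hosts: files mdns4_minimal [NOTFOUND=return] dns'. The nss-mdns module claims every name under .local, and when no multicast responder answers it reports NOTFOUND, which the '[NOTFOUND=return]' action turns into the end of the lookup, so the 'dns' module and the AD DNS server are never asked about dc1.domain.local. With avahi-daemon stopped, nss-mdns reports UNAVAIL instead and glibc continues on to 'dns'. The model below is an added example, not part of the thread, of glibc or of nss-mdns: it walks a 'hosts:' line with glibc's default actions (success=return, everything else=continue) over three constructed tables standing in for /etc/hosts, the AD DNS zone and the mDNS responders on the LAN; the DC name dc1.domain.local for James's nameserver 172.16.232.29 is an assumption. Besides reproducing the failure, it shows the durable fix for a domain member: put 'dns' before 'mdns4_minimal' (or drop the mDNS module), so the AD zone is consulted whether or not avahi-daemon is running.

```python
"""Model of glibc NSS host lookup, enough to show why an AD domain named
*.local breaks under Ubuntu's default /etc/nsswitch.conf.
Added example; not code from the thread, glibc or nss-mdns.
"""
import re

# Constructed tables standing in for /etc/hosts, the AD DNS zone (the DC
# name dc1.domain.local for James's nameserver 172.16.232.29 is assumed)
# and whatever mDNS responders on the LAN would answer.
HOSTS_FILE = {
    "localhost": "127.0.0.1",
    "pfmember1.domain.local": "172.16.232.25",
    "pfmember1": "172.16.232.25",
}
AD_DNS = {
    "dc1.domain.local": "172.16.232.29",
    "pfmember1.domain.local": "172.16.232.25",
}
MDNS_RESPONDERS = {"printer.local": "172.16.232.50"}

# glibc's default action for each module status.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

UBUNTU_DEFAULT = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
DNS_FIRST = "hosts: files dns mdns4_minimal"


def parse_hosts_line(nsswitch):
    """Return [(module, {status: action})] for the hosts: database."""
    m = re.search(r"^\s*hosts\s*:\s*(.+)$", nsswitch, re.M)
    if not m:
        raise ValueError("no hosts: line in nsswitch.conf")
    services = []
    for item in re.findall(r"\[[^\]]*\]|\S+", m.group(1)):
        if item.startswith("["):           # [STATUS=action ...] applies to the preceding module
            if not services:
                raise ValueError("action list before any module")
            for status, action in re.findall(r"(\w+)=(\w+)", item):
                services[-1][1][status.lower()] = action.lower()
        else:
            services.append((item, dict(DEFAULT_ACTIONS)))
    return services


def query_module(module, name, avahi_running):
    """Return (status, address) the way one NSS module would."""
    if module == "files":
        addr = HOSTS_FILE.get(name)
        return ("success", addr) if addr else ("notfound", None)
    if module.startswith("mdns"):
        # mdns4_minimal/mdns_minimal only answer for names under .local;
        # for anything else they step aside with UNAVAIL.
        if module.endswith("_minimal") and not name.endswith(".local"):
            return ("unavail", None)
        # Without a running avahi-daemon nss-mdns reports UNAVAIL, so the
        # lookup continues to the next module: this is what James's fix did.
        if not avahi_running:
            return ("unavail", None)
        addr = MDNS_RESPONDERS.get(name)
        return ("success", addr) if addr else ("notfound", None)
    if module == "dns":
        addr = AD_DNS.get(name)
        return ("success", addr) if addr else ("notfound", None)
    return ("unavail", None)


def resolve(name, nsswitch, avahi_running=True):
    """Walk the hosts: modules in order, honouring [STATUS=action] lists.
    Returns (module_that_ended_the_lookup, address_or_None)."""
    name = name.rstrip(".").lower()
    last = None
    for module, actions in parse_hosts_line(nsswitch):
        status, addr = query_module(module, name, avahi_running)
        last = module
        if actions.get(status, "continue") == "return":
            return module, addr
    return last, None


if __name__ == "__main__":
    for line in (UBUNTU_DEFAULT, DNS_FIRST):
        for avahi in (True, False):
            who, addr = resolve("dc1.domain.local", line, avahi)
            print(f"{line!r:55} avahi={avahi!s:5} -> {who}: {addr}")
```

Running the block prints the outcome for dc1.domain.local under each hosts: line with avahi-daemon up and down: the default line only reaches the AD zone once avahi-daemon is stopped, while the dns-first line reaches it either way.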