Rowland,
I had a typo in my hosts file which is the reason my initial DNS
update failed. Corrected and joined again. Successfully joined and
updated DNS A record. I then made sure to give 'Domain users' an id of
10000. I am now able to run 'getent passwd' and see all my domain users!
YES! However I still see something that confuses me. When I run 'id
tuser' I get the following.
uid=2155(tuser) gid=2002(domain_users)
groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
Why is the uid 2155 and not 10001?
On 1/2/2015 12:00 PM, Rowland Penny wrote:
> On 02/01/15 16:57, James wrote:
>> Rowland,
>>
>> I've gotten a bit further. It appears my use of '.local' is
>> causing the issue from what I've researched. I ran
>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully
>> join the domain.
>>
>> Enter administrator@DOMAIN.LOCAL's password:
>> Using short domain name -- DOMAIN
>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>> On 02/01/15 13:41, James wrote:
>>>> Hi Rowland,
>>>>
>>>> If you don't mind I'd like to post my member server configuration
>>>> as I attempt again. This is how my member server (Ubuntu 12.04) is
>>>> configured after fresh install and prior to Samba build. Anything
>>>> I'm missing that could cause my issue as I proceed? I assume no
>>>> other prerequisites must be done on the other DC's either? Thanks.
>>>>
>>>> # From Wiki for DC build
>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev
>>>> python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils
>>>> libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>
>>>>
>>>> # Fstab file
>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>
>>>>
>>>> # Hosts File
>>>> 127.0.0.1 localhost
>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>
>>>> # The following lines are desirable for IPv6 capable hosts
>>>> ::1 ip6-localhost ip6-loopback
>>>> fe00::0 ip6-localnet
>>>> ff00::0 ip6-mcastprefix
>>>> ff02::1 ip6-allnodes
>>>> ff02::2 ip6-allrouters
>>>>
>>>>
>>>> # Hostname File
>>>> pfmember1.domain.local
>>>
>>> if you are referring to /etc/hostname, then it should just contain
>>> 'pfmember1'.
>>>
>>> Also, are you fixed on using Ubuntu 12.04, if you were to use Debian
>>> Wheezy and backports, you wouldn't have to compile samba4.
>>>
>>> Rowland
>>>
>>>>
>>>> # /etc/network/interfaces
>>>> # This file describes the network interfaces available on your system
>>>> # and how to activate them. For more information, see interfaces(5).
>>>>
>>>> # The loopback network interface
>>>> auto lo
>>>> iface lo inet loopback
>>>>
>>>> # The primary network interface
>>>> auto eth0
>>>> iface eth0 inet static
>>>> address 172.16.232.25
>>>> netmask 255.255.255.0
>>>> gateway 172.16.232.201
>>>> network 172.16.232.0
>>>> broadcast 172.16.232.255
>>>> dns-search domain.local
>>>> dns-nameservers 172.16.232.29
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>> On 01/01/15 00:07, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I forgot to tell you the results were from my Domain
>>>>>> Controller and not the member server. Member server returned
>>>>>> something to the effect of 'user not found'. I am only starting
>>>>>> the 3 services (smbd, nmbd and winbindd) listed in the wiki.
>>>>>> Should I be starting Samba with command line switches to start as
>>>>>> a member server? Is that even possible?
>>>>>
>>>>> Hi, there are two ways of running samba4, the classic or original
>>>>> way that samba3 was used, or as an AD DC. If you run samba4 in the
>>>>> classic way, you need to start the smbd & nmbd daemons and
>>>>> optionally the winbind daemon. If you use samba4 as an AD DC, then
>>>>> you only start the samba daemon, this will start any other
>>>>> required daemons, you only start the samba daemon on an AD DC.
>>>>>
>>>>> As you are trying to set up a member server, you must carry out
>>>>> the tests on the member server.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>> smb.conf as a template and try again.
>>>>>>
>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I decided to start over with a fresh install and attempted
>>>>>>>> again. Only change I made was to start my mappings at 10000. I
>>>>>>>> gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001.
>>>>>>>> Still didn't work btw.
>>>>>>>>
>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>> objectClass: top
>>>>>>>> objectClass: person
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: user
>>>>>>>> cn: Test User
>>>>>>>> sn: User
>>>>>>>> givenName: Test
>>>>>>>> instanceType: 4
>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>> displayName: Test User
>>>>>>>> uSNCreated: 477557
>>>>>>>> name: Test User
>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>> userAccountControl: 66048
>>>>>>>> codePage: 0
>>>>>>>> countryCode: 0
>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>> primaryGroupID: 513
>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>> sAMAccountName: tuser
>>>>>>>> sAMAccountType: 805306368
>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>> uid: tuser
>>>>>>>> msSFU30Name: tuser
>>>>>>>> msSFU30NisDomain: domain
>>>>>>>> uidNumber: 10001
>>>>>>>> loginShell: /bin/sh
>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>> gidNumber: 10000
>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>> uSNChanged: 477620
>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>> passwd: compat winbind
>>>>>>>>>> group: compat winbind
>>>>>>>>>>
>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny
wrote:
>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I set a user with a uid and domain users group with a
>>>>>>>>>>>>>> gid but I'm still unable to view them using 'id'. I do
>>>>>>>>>>>>>> notice a few strange observations. If I go to another
>>>>>>>>>>>>>> user to attempt to assign a uid, I get the default value
>>>>>>>>>>>>>> of 10000. I would expect 2001 given I set the first user
>>>>>>>>>>>>>> with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the Winbind
>>>>>>>>>>>>>>>> user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by saying
>>>>>>>>>>>>>>>> this is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD
>>>>>>>>>>>>>>>>>> Member Server) and I have a question after reading
>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>> member server to successfully join and service file
>>>>>>>>>>>>>>>>>> shares?
>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your
>>>>>>>>>>>>>>>>> new member server
>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My key is at
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute to
>>>>>>>>>>>>>>> at least the Domain Users group. The numbers that you
>>>>>>>>>>>>>>> add must be between the range you set in your smb.conf,
>>>>>>>>>>>>>>> again if you followed the wiki, this will be between
>>>>>>>>>>>>>>> 500-40000.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>> You may have to wait a short time, or clear the cache with
>>>>>>>>>>>>> 'net cache flush'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>
>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>
>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>
>>>>>>>>> Post the (sanitized) result
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>> using the std windows start number 10000, which is the way I run
>>>>>>> samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = EXAMPLE
>>>>>>> security = ADS
>>>>>>> realm = EXAMPLE.COM
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> server string = Samba 4 Client %h
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind use default domain = yes
>>>>>>> winbind expand groups = 4
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind refresh tickets = Yes
>>>>>>> winbind normalize names = Yes
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>> printcap name = cups
>>>>>>> cups options = raw
>>>>>>> usershare allow guests = yes
>>>>>>> domain master = no
>>>>>>> local master = no
>>>>>>> preferred master = no
>>>>>>> os level = 20
>>>>>>> map to guest = bad user
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>>
>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>
>> --
>> -James
>
> OK, you have *now* found out one of the reasons you shouldn't use the
> .local suffix
>
> But does anything else work?
>
> Rowland
--
-James
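The '.local' problem James describes above (the join only succeeded after stopping avahi-daemon, and Rowland notes it is one of the reasons not to use that suffix) comes down to the order of sources on the hosts: line of /etc/nsswitch.conf. The following is an added example, not code from the thread, from Samba or from Avahi. It parses that line and reports whether a lookup for a given name would ever reach unicast DNS, applying the libnss-mdns semantics that matter here: mdns4_minimal only handles names under .local, and a miss there combined with [NOTFOUND=return] ends the lookup before 'dns' is consulted. The nsswitch lines and the host names (dc1.domain.local is invented) are constructed; UBUNTU_DEFAULT is assumed to be the hosts: line libnss-mdns installs on Ubuntu 12.04.

```python
"""Does a lookup for a name under .local ever reach unicast DNS?

Added example, not code from the thread or from Samba/Avahi. Parses the
'hosts:' line of nsswitch.conf and applies libnss-mdns semantics:
mdns4_minimal answers only for *.local names, and a miss there combined
with [NOTFOUND=return] ends the lookup, so 'dns' is never asked.
The nsswitch lines below are constructed test input.
"""
from typing import List, Tuple

UBUNTU_DEFAULT = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"  # assumed default
DNS_FIRST = "hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4"      # dns consulted first
NO_MDNS = "hosts: files dns"                                               # libnss-mdns removed


def parse_hosts_line(nsswitch: str) -> List[Tuple[str, str]]:
    """Return [(source, action)] for the hosts: line; action is '' when absent."""
    for raw in nsswitch.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        entries: List[Tuple[str, str]] = []
        for tok in line[len("hosts:"):].split():
            if tok.startswith("[") and entries:
                # '[NOTFOUND=return]' applies to the source just before it
                entries[-1] = (entries[-1][0], tok.strip("[]"))
            elif not tok.startswith("["):
                entries.append((tok, ""))
        return entries
    return []


def dns_reached_for(nsswitch: str, fqdn: str) -> bool:
    """True if a lookup of fqdn that multicast DNS cannot answer reaches 'dns'."""
    is_local = fqdn.lower().rstrip(".").endswith(".local")
    for source, action in parse_hosts_line(nsswitch):
        if source == "dns":
            return True
        if source.startswith("mdns") and is_local and "NOTFOUND=RETURN" in action.upper():
            # mdns4_minimal claims the .local name, finds nothing, and the
            # [NOTFOUND=return] action terminates the lookup right here.
            return False
        # 'files' misses, and non-.local names passing an mdns source, fall through
    return False


def names_blocked_from_dns(nsswitch: str, names: List[str]) -> List[str]:
    """Subset of names (DCs, the member itself) that would never be asked of DNS."""
    return [n for n in names if not dns_reached_for(nsswitch, n)]


if __name__ == "__main__":
    # Constructed: a DC name and the member server from the thread.
    hosts = ["dc1.domain.local", "pfmember1.domain.local"]
    for label, cfg in (("default", UBUNTU_DEFAULT), ("dns first", DNS_FIRST)):
        print(f"{label}: never reach DNS -> {names_blocked_from_dns(cfg, hosts)}")
```

With the default line every name in a .local realm is answered (or, more often, not answered) by mDNS alone, which is consistent with the join only working once avahi-daemon was stopped. Putting dns before mdns4_minimal, or removing libnss-mdns from a domain member, fixes resolution; picking a realm that is not under .local avoids the conflict altogether, which is the advice given in the thread.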
On 02/01/15 17:07, James wrote:
> Rowland,
>
> I had a typo in my hosts file which is the reason my initial DNS
> update failed. Corrected and joined again. Successfully joined and
> updated DNS A record. I then made sure to give 'Domain users' an id of
> 10000. I am now able to run 'getent passwd' and see all my domain
> users! YES! However I still see something that confuses me. When I run
> 'id tuser' I get the following.
>
> uid=2155(tuser) gid=2002(domain_users)
> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>
> Why is the uid 2155 and not 10001?
>
OK, well it seems to be a step in the right direction :-)

Have you changed 'EXAMPLE' in these lines:

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307

They need to be changed for your *WORKGROUP* name.

Rowland
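Rowland's diagnosis above, and his earlier point that uidNumber/gidNumber values must fall inside the range configured in smb.conf, can both be checked mechanically. The following is an added example, not code from the thread or from the Samba project. It parses the idmap lines of an smb.conf, verifies that an 'idmap config <WORKGROUP>' block exists for the configured workgroup and that no two ranges overlap, reports which backend's range an observed uid or gid falls into, and checks the uidNumber/gidNumber of an rfc2307 LDIF record against the domain range. The smb.conf and LDIF text are constructed to mirror the thread: workgroup DOMAIN with the template's 'EXAMPLE' idmap lines left unrenamed, and tuser's posted attributes.

```python
"""Check a Samba member server's idmap configuration against what 'id' reports.

Added example, not code from the thread or the Samba project. Parses the
idmap lines of an smb.conf, checks that an 'idmap config <WORKGROUP>' block
exists for the configured workgroup and that ranges do not overlap, reports
which backend's range an observed id falls into, and checks an rfc2307 LDIF
record's uidNumber/gidNumber against the domain range. All input text below
is constructed to mirror the thread (workgroup DOMAIN, 'EXAMPLE' not renamed).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf: the template's idmap lines with 'EXAMPLE' not renamed.
SMB_CONF_BROKEN = """
[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : schema_mode = rfc2307
"""
# Corrected: the idmap domain label matches the workgroup.
SMB_CONF_FIXED = SMB_CONF_BROKEN.replace("EXAMPLE", "DOMAIN")

# Constructed LDIF fragment with the rfc2307 attributes posted in the thread.
LDIF_TUSER = """
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""

WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
ID_ATTR_RE = re.compile(r"^(?:uidNumber|gidNumber):\s*(\d+)", re.M)


def parse_idmap(conf: str) -> Tuple[Optional[str], Dict[str, Dict[str, str]]]:
    """Return (workgroup, {idmap domain: {option: value}}) from smb.conf text."""
    workgroup = None
    idmap: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val
    return workgroup, idmap


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return findings; an empty list means the idmap blocks look consistent."""
    findings: List[str] = []
    workgroup, idmap = parse_idmap(conf)
    if workgroup is None:
        return ["no 'workgroup =' line found"]
    if workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup} : ...' block: domain SIDs fall "
                        f"through to the '*' default backend and get host-local ids")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            findings.append(f"idmap config {dom} has no range")
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # the same id would be claimed by two backends
                findings.append(f"ranges of {a} and {b} overlap")
    return findings


def which_backend(conf: str, xid: int) -> Optional[str]:
    """Name the idmap domain whose range contains xid (None if no range does)."""
    _, idmap = parse_idmap(conf)
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= xid <= hi:
                return dom
    return None


def ldif_ids_in_domain_range(conf: str, ldif: str) -> bool:
    """True if every uidNumber/gidNumber in the LDIF lies in the workgroup's ad range."""
    workgroup, idmap = parse_idmap(conf)
    if workgroup not in idmap or "range" not in idmap[workgroup]:
        return False
    lo, hi = parse_range(idmap[workgroup]["range"])
    ids = [int(m.group(1)) for m in ID_ATTR_RE.finditer(ldif)]
    return bool(ids) and all(lo <= x <= hi for x in ids)


if __name__ == "__main__":
    for name, conf in (("as posted", SMB_CONF_BROKEN), ("EXAMPLE -> DOMAIN", SMB_CONF_FIXED)):
        print(f"{name}: {check_idmap(conf) or 'idmap config consistent'}")
        print(f"  uid 2155 allocated by: {which_backend(conf, 2155)}")
        print(f"  tuser's uidNumber/gidNumber usable: {ldif_ids_in_domain_range(conf, LDIF_TUSER)}")
```

Every number in the posted 'id tuser' output (2155, 2002, 2004 and 2001) sits in the 2000-9999 range of the '*' tdb backend, which is what which_backend reports for the unrenamed config: with no block for DOMAIN, winbind allocated ids for the domain SIDs itself and ignored the uidNumber 10001 stored in AD. For BUILTIN\users that is normal, for domain users it is not, because tdb-allocated ids are private to this host, so the same user would own files under a different uid on every other member server. After the rename, the cached 2155 mapping can still be served until it expires; Rowland's 'net cache flush' earlier in the thread clears it.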
Rowland,
I did forget to change it. Is it as simple as renaming now or did I
screw up?
On 1/2/2015 12:18 PM, Rowland Penny wrote:
> On 02/01/15 17:07, James wrote:
>> Rowland,
>>
>> I had a typo in my hosts file which is the reason my initial DNS
>> update failed. Corrected and joined again. Successfully joined and
>> updated DNS A record. I then made sure to give 'Domain users' a
id of
>> 10000. I am now able to run' getent passwd' and see all my
domain
>> users! YES! However I still see something that confuses me. When I
>> run 'id tuser' I get the following.
>>
>> uid=2155(tuser) gid=2002(domain_users)
>>
groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>
>> Why is the uid 2155 and not 10001?
>>
>>
>>
>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>> On 02/01/15 16:57, James wrote:
>>>> Rowland,
>>>>
>>>> I've gotten a bit further. It appears my use of
'.local' is
>>>> causing the issue from what I've researched. I ran
>>>> '|/etc/init.d/avahi-daemon stop'. |This allowed me to
successfully
>>>> join the domain.
>>>>
>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>> Using short domain name -- DOMAIN
>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>> ||
>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>> On 02/01/15 13:41, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> If you don't mind I like to post my member
server
>>>>>> configuration as I attempt again. This is how my member
>>>>>> server(Ubuntu 12.04) is configured after fresh install
and prior
>>>>>> to Samba build. Anything I'm missing that could
cause my issue as
>>>>>> I proceed? I assume no other prerequisites must be done
on the
>>>>>> other DC's either? Thanks.
>>>>>>
>>>>>> /*# From Wiki for DC build*/
>>>>>> apt-get install build-essential libacl1-dev
libattr1-dev
>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>> libpam0g-dev python-dnspython gdb pkg-config
libpopt-dev
>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user
docbook-xsl
>>>>>> libcups2-dev acl
>>>>>>
>>>>>>
>>>>>> /*# Fstab file*/
>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1
1
>>>>>>
>>>>>>
>>>>>> */# Hosts File/*
>>>>>> 127.0.0.1 localhost
>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>
>>>>>> # The following lines are desirable for IPv6 capable
hosts
>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>> fe00::0 ip6-localnet
>>>>>> ff00::0 ip6-mcastprefix
>>>>>> ff02::1 ip6-allnodes
>>>>>> ff02::2 ip6-allrouters
>>>>>>
>>>>>>
>>>>>> */# Hostname/* */File/*
>>>>>> pfmember1.domain.local
>>>>>
>>>>> if you are referring to /etc/hostname, then it should just
contain
>>>>> 'pfmember1'.
>>>>>
>>>>> Also, are you fixed on using Ubuntu 12.04, if you were to
use
>>>>> Debian Wheezy and backports, you wouldn't have to
compile samba4.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> */#/network/interfaces/*
>>>>>> # This file describes the network interfaces available
on your system
>>>>>> # and how to activate them. For more information, see
interfaces(5).
>>>>>>
>>>>>> # The loopback network interface
>>>>>> auto lo
>>>>>> iface lo inet loopback
>>>>>>
>>>>>> # The primary network interface
>>>>>> auto eth0
>>>>>> iface eth0 inet static
>>>>>> address 172.16.232.25
>>>>>> netmask 255.255.255.0
>>>>>> gateway 172.16.232.201
>>>>>> network 172.16.232.0
>>>>>> broadcast 172.16.232.255
>>>>>> dns-search domain.local
>>>>>> dns-nameservers 172.16.232.29
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> I forgot to tell you the results were from
my Domain
>>>>>>>> Controller and not the member server. Member
server returned
>>>>>>>> something to the effect of 'user not
found'. I am only starting
>>>>>>>> the 3 services(smbd,nmbd and windbindd) listed
in the wiki.
>>>>>>>> Should I be starting Samba with command line
switches to start
>>>>>>>> as a member server? Is that even possible?
>>>>>>>
>>>>>>> Hi, there are two ways of running samba4, the
classic or
>>>>>>> original way that samba3 was used, or as an AD DC.
If you run
>>>>>>> samba4 in the classic way, you need to start the
smbd & nmbd
>>>>>>> deamons and optionally the winbind daemon. If you
use samba4 as
>>>>>>> an AD DC, then you only start the samba daemon,
this will start
>>>>>>> any other required deamons, you only start the
samba daemon on
>>>>>>> an AD DC.
>>>>>>>
>>>>>>> As you are trying to set up a member server, you
must carry out
>>>>>>> the tests on the member server.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks for you smb.conf. I will attempt
again using your
>>>>>>>> smb.conf as a template and try again.
>>>>>>>>
>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I decided to start over with a
fresh install and
>>>>>>>>>> attempted again. Only change I made was
to start my mappings
>>>>>>>>>> at 10000. I gave 'Domain Users'
group gid 10000 and 'tuser'
>>>>>>>>>> has uid 10001. Still didn't work
btw.
>>>>>>>>>>
>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: person
>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>> objectClass: user
>>>>>>>>>> cn: Test User
>>>>>>>>>> sn: User
>>>>>>>>>> givenName: Test
>>>>>>>>>> instanceType: 4
>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>> displayName: Test User
>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>> name: Test User
>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>> codePage: 0
>>>>>>>>>> countryCode: 0
>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>> uid: tuser
>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>> uidNumber: 10001
>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>> gidNumber: 10000
>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>
>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>>>> receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with
>>>>>>>>>>>>>>>> a gid but I'm still unable to view them using 'id'. I
>>>>>>>>>>>>>>>> do notice a few strange observations. If I go to
>>>>>>>>>>>>>>>> another user to attempt to assign a uid, I get the
>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I set
>>>>>>>>>>>>>>>> the first user with uid 2000. Groups however appear to
>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the
>>>>>>>>>>>>>>>>>> Winbind user/group mapping'. Wbinfo works as expected
>>>>>>>>>>>>>>>>>> but not
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by
>>>>>>>>>>>>>>>>>> saying this is a Ubuntu 12.04 server with Samba
>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD
>>>>>>>>>>>>>>>>>>>> Member Server) and I have a question after reading
>>>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>>> member server to successfully join and service
>>>>>>>>>>>>>>>>>>>> file shares?
>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to
>>>>>>>>>>>>>>>>>>> your new memberserver
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Stefan Kania
>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> My key is available at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>
-----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>
Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>
=SOSt
>>>>>>>>>>>>>>>>>>>
-----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute
>>>>>>>>>>>>>>>>> to at least the Domain Users group. The numbers that
>>>>>>>>>>>>>>>>> you add must be between the range you set in your
>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki, this will be
>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache
>>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>
>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>
>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>>>> using the std windows start number 10000, which is the way I
>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing
>>>>>>>>> this on:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>> security = ADS
>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>> winbind enum users = yes
>>>>>>>>> winbind enum groups = yes
>>>>>>>>> winbind use default domain = yes
>>>>>>>>> winbind expand groups = 4
>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>> winbind normalize names = Yes
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>> printcap name = cups
>>>>>>>>> cups options = raw
>>>>>>>>> usershare allow guests = yes
>>>>>>>>> domain master = no
>>>>>>>>> local master = no
>>>>>>>>> preferred master = no
>>>>>>>>> os level = 20
>>>>>>>>> map to guest = bad user
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>>
>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>> OK, you have *now* found out one of the reasons you shouldn't use
>>> the .local suffix
>>>
>>> But does anything else work?
>>>
>>> Rowland
>>
>> --
>> -James
>
> OK, well it seems to be a step in the right direction :-)
>
> Have you changed 'EXAMPLE' in these lines:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE:schema_mode = rfc2307
>
> They need to be changed for your *WORKGROUP* name.
>
> Rowland
>
>
--
-James
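As an added example, not code from the thread or from Samba itself: a small Python check that reads the 'idmap config' lines from an smb.conf and a user's LDIF record, and reports whether the workgroup has an 'ad' stanza at all (the EXAMPLE-not-changed mistake Rowland points at, which makes winbind hand out ids from the '*' tdb range instead of reading uidNumber/gidNumber from AD) and whether those attributes fall inside the 'ad' range. The smb.conf and LDIF text are constructed samples trimmed from what was posted above.

```python
import re

# Constructed sample smb.conf: the idmap lines as posted, with the
# placeholder EXAMPLE left unchanged (the mistake Rowland points at).
SMB_CONF = """[global]
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed sample LDIF, trimmed from the record posted in the thread.
LDIF = """sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I | re.M)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I | re.M)


def parse_idmap(conf):
    """Return ({DOMAIN: {option: value}}, WORKGROUP) from smb.conf text."""
    idmap = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        idmap.setdefault(dom.upper(), {})[opt.lower()] = val
    wg = WORKGROUP_RE.search(conf)
    return idmap, (wg.group(1).upper() if wg else "*")


def check_mapping(conf, ldif):
    """List problems that would stop the 'ad' backend from using the
    uidNumber/gidNumber stored in AD; an empty list means it should work."""
    idmap, wg = parse_idmap(conf)
    attrs = dict(line.split(": ", 1) for line in ldif.strip().splitlines())
    dom_cfg = idmap.get(wg, {})
    if dom_cfg.get("backend", "").lower() != "ad":
        # No per-domain 'ad' stanza: ids are allocated from the '*' range
        # (tdb), which is why a user shows up as e.g. uid 2155, not 10001.
        star = idmap.get("*", {}).get("range", "?")
        return [f"no 'idmap config {wg} : backend = ad'; ids come from '*' range {star}"]
    lo, hi = (int(x) for x in dom_cfg["range"].split("-"))
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        n = int(attrs.get(attr, -1))
        if not lo <= n <= hi:
            problems.append(f"{attr}={n} is outside the {wg} range {lo}-{hi}")
    return problems
```

Run `check_mapping(SMB_CONF, LDIF)` against the unchanged sample and it reports the missing DOMAIN stanza; replace EXAMPLE with DOMAIN and the same user passes.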