Rowland,

     Thanks for the clarification. It appears the member server is
joined and I have created a share.

[demoshare]
    path = /srv/samba/test
    read only = no

I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the
wiki. I can navigate to the share using Windows Explorer. If I set the
share permissions to only me (Full Control), I can't access the share.
The 'Everyone' and 'Domain Users' group allows me access. On my DC's
this has worked in the past. Am I missing something? This is the error I
receive.

\\pfmember1\demoshare is not accessible. You might not have permission
to use this network resource. Contact the administrator of this server
to find out if you have access permissions.

Multiple connections to a server or shared resource by the same user,
using more than one user name, are not allowed. Disconnect all previous
connections to the server or shared resource and try again.
On 1/2/2015 1:14 PM, Rowland Penny wrote:
> On 02/01/15 18:01, James wrote:
>> Rowland,
>>
>>     That did it! Thank you so much. I do have a question regarding
>> the 'getent' command before setting up file shares. When I run
>> 'getent group Domain\ Users' I get
>>
>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>
>> Why does it show these specific users? I would assume it would only
>> show my 'tuser'. I don't have uid's set for anyone else.
>
> When you run 'getent group Domain\ Users' it gets the group's gidNumber
> (10000 in your case) and the contents of any 'member' attributes, so I
> presume if you examine the group's AD object, you would find 8 'member'
> attribute lines.
>
> But if you were to run 'getent passwd user5', you would only get a
> response if 'user5' has a 'uidNumber'.
>
> Rowland
>
>>
>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>> On 02/01/15 17:26, James wrote:
>>>> Rowland,
>>>>
>>>>     I did forget to change it. Is it as simple as renaming now or
>>>> did I screw up?
>>>>
>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>> On 02/01/15 17:07, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     I had a typo in my hosts file which is the reason my initial
>>>>>> DNS update failed. Corrected and joined again. Successfully
>>>>>> joined and updated DNS A record. I then made sure to give 'Domain
>>>>>> users' an id of 10000. I am now able to run 'getent passwd' and
>>>>>> see all my domain users! YES! However I still see something that
>>>>>> confuses me. When I run 'id tuser' I get the following.
>>>>>>
>>>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>
>>>>>> Why is the uid 2155 and not 10001?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     I've gotten a bit further. It appears my use of '.local' is
>>>>>>>> causing the issue from what I've researched. I ran
>>>>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to
>>>>>>>> successfully join the domain.
>>>>>>>>
>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>> Hi Rowland,
>>>>>>>>>>
>>>>>>>>>>     If you don't mind I'd like to post my member server
>>>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install and
>>>>>>>>>> prior to Samba build. Anything I'm missing that could cause
>>>>>>>>>> my issue as I proceed? I assume no other prerequisites must
>>>>>>>>>> be done on the other DC's either? Thanks.
>>>>>>>>>>
>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>>>>>> libcups2-dev acl
>>>>>>>>>>
>>>>>>>>>> # Fstab file
>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>
>>>>>>>>>> # Hosts File
>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>> 172.16.232.25   pfmember1.domain.local pfmember1
>>>>>>>>>>
>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>
>>>>>>>>>> # Hostname File
>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>
>>>>>>>>> If you are referring to /etc/hostname, then it should just
>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>
>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use
>>>>>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> #/network/interfaces
>>>>>>>>>> # This file describes the network interfaces available on
>>>>>>>>>> your system
>>>>>>>>>> # and how to activate them. For more information, see
>>>>>>>>>> interfaces(5).
>>>>>>>>>>
>>>>>>>>>> # The loopback network interface
>>>>>>>>>> auto lo
>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>
>>>>>>>>>> # The primary network interface
>>>>>>>>>> auto eth0
>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     I forgot to tell you the results were from my Domain
>>>>>>>>>>>> Controller and not the member server. Member server
>>>>>>>>>>>> returned something to the effect of 'user not found'. I am
>>>>>>>>>>>> only starting the 3 services (smbd, nmbd and winbindd)
>>>>>>>>>>>> listed in the wiki. Should I be starting Samba with command
>>>>>>>>>>>> line switches to start as a member server? Is that even
>>>>>>>>>>>> possible?
>>>>>>>>>>>
>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or
>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If you
>>>>>>>>>>> run samba4 in the classic way, you need to start the smbd &
>>>>>>>>>>> nmbd daemons and optionally the winbind daemon. If you use
>>>>>>>>>>> samba4 as an AD DC, then you only start the samba daemon;
>>>>>>>>>>> this will start any other required daemons. You only start
>>>>>>>>>>> the samba daemon on an AD DC.
>>>>>>>>>>>
>>>>>>>>>>> As you are trying to set up a member server, you must carry
>>>>>>>>>>> out the tests on the member server.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again using
>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I decided to start over with a fresh install and
>>>>>>>>>>>>>> attempted again. Only change I made was to start my
>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid 10000
>>>>>>>>>>>>>> and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     passwd:     compat winbind
>>>>>>>>>>>>>>>>     group:      compat winbind
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     I did. Unfortunately something is still amiss. I
>>>>>>>>>>>>>>>>>> do receive a response from 'getent group domain
>>>>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group
>>>>>>>>>>>>>>>>>>>> with a gid but I'm still unable to view them using
>>>>>>>>>>>>>>>>>>>> 'id'. I do notice a few strange observations. If I
>>>>>>>>>>>>>>>>>>>> go to another user to attempt to assign a uid, I
>>>>>>>>>>>>>>>>>>>> get the default value of 10000. I would expect 2001
>>>>>>>>>>>>>>>>>>>> given I set the first user with uid 2000. Groups
>>>>>>>>>>>>>>>>>>>> however appear to increment.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at
>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. Wbinfo
>>>>>>>>>>>>>>>>>>>>>> works as expected but not
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will
>>>>>>>>>>>>>>>>>>>>>> only retrieve local machine users. Let me preface
>>>>>>>>>>>>>>>>>>>>>> by saying this is an Ubuntu 12.04 server with
>>>>>>>>>>>>>>>>>>>>>> Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba
>>>>>>>>>>>>>>>>>>>>>>>> AD Member Server) and I have a question after
>>>>>>>>>>>>>>>>>>>>>>>> reading the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>>>>>>> member server to successfully join and service
>>>>>>>>>>>>>>>>>>>>>>>> file shares?
>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to
>>>>>>>>>>>>>>>>>>>>>>> your new member server
>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> My key is at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the
>>>>>>>>>>>>>>>>>>>>> 'ad' backend. For this to work, you need to add
>>>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a
>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain Users
>>>>>>>>>>>>>>>>>>>>> group. The numbers that you add must be between
>>>>>>>>>>>>>>>>>>>>> the range you set in your smb.conf; again, if you
>>>>>>>>>>>>>>>>>>>>> followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the
>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you
>>>>>>>>>>>>> are using the std windows start number 10000, which is the
>>>>>>>>>>>>> way I run samba. Here is my smb.conf from the laptop I am
>>>>>>>>>>>>> writing this on:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Compare it with yours, I
can assure you it works.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> -James
>>>>>>>
>>>>>>> OK, you have *now* found out one of the reasons you shouldn't
>>>>>>> use the .local suffix
>>>>>>>
>>>>>>> But does anything else work?
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> -- 
>>>>>> -James
>>>>>
>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>
>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>
>>>>>         idmap config * : backend = tdb
>>>>>         idmap config * : range = 2000-9999
>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>
>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> -James
>>>
>>> Just change it, stop samba and winbind, run 'net cache flush' and
>>> restart samba & winbind.
>>>
>>> Rowland
>>>
>>
>> -- 
>> -James
>
-- 
-James
On 02/01/15 18:35, James wrote:
> [...]
> Multiple connections to a server or shared resource by the same user,
> using more than one user name, are not allowed. Disconnect all
> previous connections to the server or shared resource and try again.

You seem to have a connection to the share already open, close this and
try again. If this fails, post the results of:

ls -la /srv/samba/test

and

getfacl /srv/samba/test

Rowland
>>>>>>>> >>>>>>>> Rowland >>>>>>> >>>>>>> -- >>>>>>> -James >>>>>> >>>>>> OK, well it seems to be a step in the right direction :-) >>>>>> >>>>>> Have you changed 'EXAMPLE' in these lines: >>>>>> >>>>>> idmap config * : backend = tdb >>>>>> idmap config * : range = 2000-9999 >>>>>> idmap config EXAMPLE : backend = ad >>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>> idmap config EXAMPLE:schema_mode = rfc2307 >>>>>> >>>>>> They need to be changed for your *WORKGROUP* name. >>>>>> >>>>>> Rowland >>>>>> >>>>>> >>>>> >>>>> -- >>>>> -James >>>> >>>> Just change it, stop samba and winbind, run 'net cache flush' and >>>> restart samba & winbind. >>>> >>>> Rowland >>>> >>> >>> -- >>> -James >> > > -- > -James
Rowland,
     That was the issue. Windows computer management console showed 0
connections. That obviously wasn't correct. A reboot corrected the
issue. ACLs are working as expected. I probably should have run a
'netstat' to verify.
     Any best practices on who should or shouldn't have uids or gids
set in AD? I've read where the Administrator account should not have one
set.
On 1/2/2015 1:47 PM, Rowland Penny wrote:
> On 02/01/15 18:35, James wrote:
>> Rowland,
>>
>>     Thanks for the clarification. It appears the member server is 
>> joined and I have created a share.
>>
>> [demoshare]
>>     path = /srv/samba/test
>>     read only = no
>>
>>
>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per
>> the wiki. I can navigate to the share using Windows Explorer. If I
>> set the share permissions to only me (Full Control), I can't access
>> the share. The 'Everyone' and 'Domain Users' groups allow me access.
>> On my DCs this has worked in the past. Am I missing something? This
>> is the error I receive.
>>
>> \\pfmember1\demoshare is not accessible. You might not have 
>> permission to use this network resource. Contact the administrator of 
>> this server to find out if you have access permissions.
>>
>> Multiple connections to a server or shared resource by the same user, 
>> using more than one user name, are not allowed. Disconnect all 
>> previous connections to the server or shared resource and try again.
>
> You seem to have a connection to the share already open, close this 
> and try again.
> If this fails, post the results of:
>
> ls -la /srv/samba/test
>
> and
>
> getfacl /srv/samba/test
>
> Rowland
>
>>
>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>> On 02/01/15 18:01, James wrote:
>>>> Rowland,
>>>>
>>>>     That did it! Thank you so much. I do have a question regarding
>>>> the 'getent' command before setting up file shares. When I run
>>>> 'getent group Domain\ Users' I get
>>>>
>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>
>>>> Why does it show these specific users? I would assume it would only
>>>> show my 'tuser'. I don't have uids set for anyone else.
>>>
>>> When you run 'getent group Domain\ Users' it gets the group's
>>> gidNumber (10000 in your case) and the contents of any 'member'
>>> attributes, so I presume if you examine the group's AD object, you
>>> would find 8 'member' attribute lines.
>>>
>>> But if you were to run 'getent passwd user5', you would only get a
>>> response if 'user5' has a 'uidNumber'.
>>>
>>> Rowland
>>>
>>>>
>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>> On 02/01/15 17:26, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>>     I did forget to change it. Is it as simple as renaming now or
>>>>>> did I screw up?
>>>>>>
>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>>     I had a typo in my hosts file which is the reason my
>>>>>>>> initial DNS update failed. Corrected and joined again.
>>>>>>>> Successfully joined and updated DNS A record. I then made sure
>>>>>>>> to give 'Domain users' an id of 10000. I am now able to run
>>>>>>>> 'getent passwd' and see all my domain users! YES! However I
>>>>>>>> still see something that confuses me. When I run 'id tuser' I
>>>>>>>> get the following.
>>>>>>>>
>>>>>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>
>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>>     I've gotten a bit further. It appears my use of '.local'
>>>>>>>>>> is causing the issue from what I've researched. I ran
>>>>>>>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to
>>>>>>>>>> successfully join the domain.
>>>>>>>>>>
>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>>     If you don't mind I'd like to post my member server
>>>>>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install and
>>>>>>>>>>>> prior to Samba build. Anything I'm missing that could cause
>>>>>>>>>>>> my issue as I proceed? I assume no other prerequisites must
>>>>>>>>>>>> be done on the other DCs either? Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>>>>>>>> libcups2-dev acl
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1       1
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>> 127.0.0.1       localhost
>>>>>>>>>>>> 172.16.232.25   pfmember1.domain.local pfmember1
>>>>>>>>>>>>
>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>
>>>>>>>>>>> If you are referring to /etc/hostname, then it should just
>>>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>>>
>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to
>>>>>>>>>>> use Debian Wheezy and backports, you wouldn't have to
>>>>>>>>>>> compile samba4.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> #/network/interfaces
>>>>>>>>>>>> # This file describes the network interfaces available on
>>>>>>>>>>>> your system
>>>>>>>>>>>> # and how to activate them. For more information, see
>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>
>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>> auto lo
>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>
>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>> auto eth0
>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>         address 172.16.232.25
>>>>>>>>>>>>         netmask 255.255.255.0
>>>>>>>>>>>>         gateway 172.16.232.201
>>>>>>>>>>>>         network 172.16.232.0
>>>>>>>>>>>>         broadcast 172.16.232.255
>>>>>>>>>>>>         dns-search domain.local
>>>>>>>>>>>>         dns-nameservers 172.16.232.29
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     I forgot to tell you the results were from my Domain
>>>>>>>>>>>>>> Controller and not the member server. Member server
>>>>>>>>>>>>>> returned something to the effect of 'user not found'. I
>>>>>>>>>>>>>> am only starting the 3 services (smbd, nmbd and winbindd)
>>>>>>>>>>>>>> listed in the wiki. Should I be starting Samba with
>>>>>>>>>>>>>> command line switches to start as a member server? Is
>>>>>>>>>>>>>> that even possible?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or
>>>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If you
>>>>>>>>>>>>> run samba4 in the classic way, you need to start the smbd
>>>>>>>>>>>>> & nmbd daemons and optionally the winbind daemon. If you
>>>>>>>>>>>>> use samba4 as an AD DC, then you only start the samba
>>>>>>>>>>>>> daemon, this will start any other required daemons, you
>>>>>>>>>>>>> only start the samba daemon on an AD DC.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As you are trying to set up a member server, you must
>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     Thanks for your smb.conf. I will attempt again using
>>>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     I decided to start over with a fresh install and
>>>>>>>>>>>>>>>> attempted again. Only change I made was to start my
>>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid
>>>>>>>>>>>>>>>> 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     passwd:         compat winbind
>>>>>>>>>>>>>>>>>>     group:            compat winbind
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss.
>>>>>>>>>>>>>>>>>>>> I do receive a response from 'getent group domain
>>>>>>>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users
>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view
>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange
>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to attempt
>>>>>>>>>>>>>>>>>>>>>> to assign a uid, I get the default value of
>>>>>>>>>>>>>>>>>>>>>> 10000. I would expect 2001 given I set the first
>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear to
>>>>>>>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at
>>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'.
>>>>>>>>>>>>>>>>>>>>>>>> Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It
>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let me
>>>>>>>>>>>>>>>>>>>>>>>> preface by saying this is a Ubuntu 12.04 server
>>>>>>>>>>>>>>>>>>>>>>>> with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a
>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set
>>>>>>>>>>>>>>>>>>>>>>>>>> up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for
>>>>>>>>>>>>>>>>>>>>>>>>>> my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf
>>>>>>>>>>>>>>>>>>>>>>>>> to your new memberserver
>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam.
>>>>>>>>>>>>>>>>>>>>>>>>> Sign your e-mail. More information at
>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the
>>>>>>>>>>>>>>>>>>>>>>> 'ad' backend. For this to work, you need to add
>>>>>>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a
>>>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain
>>>>>>>>>>>>>>>>>>>>>>> Users group. The numbers that you add must be
>>>>>>>>>>>>>>>>>>>>>>> between the range you set in your smb.conf,
>>>>>>>>>>>>>>>>>>>>>>> again if you followed the wiki, this will be
>>>>>>>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the
>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain
>>>>>>>>>>>>>>>>>>> user>'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you
>>>>>>>>>>>>>>> are using the std windows start number 10000, which is
>>>>>>>>>>>>>>> the way I run samba. Here is my smb.conf from the laptop
>>>>>>>>>>>>>>> I am writing this on:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>>>>>>>>         security = ADS
>>>>>>>>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>>>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>         kerberos method = secrets and keytab
>>>>>>>>>>>>>>>         server string = Samba 4 Client %h
>>>>>>>>>>>>>>>         winbind enum users = yes
>>>>>>>>>>>>>>>         winbind enum groups = yes
>>>>>>>>>>>>>>>         winbind use default domain = yes
>>>>>>>>>>>>>>>         winbind expand groups = 4
>>>>>>>>>>>>>>>         winbind nss info = rfc2307
>>>>>>>>>>>>>>>         winbind refresh tickets = Yes
>>>>>>>>>>>>>>>         winbind normalize names = Yes
>>>>>>>>>>>>>>>         idmap config * : backend = tdb
>>>>>>>>>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>>>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>         printcap name = cups
>>>>>>>>>>>>>>>         cups options = raw
>>>>>>>>>>>>>>>         usershare allow guests = yes
>>>>>>>>>>>>>>>         domain master = no
>>>>>>>>>>>>>>>         local master = no
>>>>>>>>>>>>>>>         preferred master = no
>>>>>>>>>>>>>>>         os level = 20
>>>>>>>>>>>>>>>         map to guest = bad user
>>>>>>>>>>>>>>>         vfs objects = acl_xattr
>>>>>>>>>>>>>>>         map acl inherit = Yes
>>>>>>>>>>>>>>>         store dos attributes = Yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -- 
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't
>>>>>>>>> use the .local suffix
>>>>>>>>>
>>>>>>>>> But does anything else work?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> -James
>>>>>>>
>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>
>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>
>>>>>>>         idmap config * : backend = tdb
>>>>>>>         idmap config * : range = 2000-9999
>>>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>>>         idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>
>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> -James
>>>>>
>>>>> Just change it, stop samba and winbind, run 'net cache flush' and
>>>>> restart samba & winbind.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> -- 
>>>> -James
>>>
>>
>> -- 
>> -James
>
-- 
-James
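The two things this thread turned on, an 'idmap config' block still naming EXAMPLE after the workgroup was changed (so ids came from the '*' tdb range and 'id tuser' showed 2155) and users with no uidNumber (so 'getent passwd' returns nothing with the 'ad' backend), can be checked before restarting winbind. The script below is an added example, not part of the thread or of Samba; the smb.conf text, the LDIF records and the function names are constructed for it.

```python
"""Check a Samba member server's idmap config against an LDIF user export.
Added example for this thread, not Samba's own tooling.  It catches the two
mistakes discussed above: an 'idmap config' domain name that does not match
the workgroup (winbind then hands out ids from the '*' tdb range, hence uid
2155 rather than 10001 for tuser) and users with no uidNumber, who never
appear in 'getent passwd' with the 'ad' backend."""
import re

# Constructed smb.conf reproducing the thread: workgroup changed, idmap not.
SMB_CONF = """\
[global]
        workgroup = DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config EXAMPLE : backend = ad
        idmap config EXAMPLE : range = 10000-999999
        idmap config EXAMPLE:schema_mode = rfc2307
"""
FIXED_SMB_CONF = SMB_CONF.replace("EXAMPLE", "DOMAIN")  # domain name corrected

# Constructed LDIF: 'tuser' trimmed from the ldbedit output quoted in the
# thread, plus a second user that was never given a uidNumber.
LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000

dn: CN=Other User,CN=Users,DC=domain,DC=local
sAMAccountName: ouser
gidNumber: 10000
"""

IDMAP_KEY = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(\w+)$", re.IGNORECASE)


def parse_smb_conf(text):
    """Return (workgroup, {DOMAIN: {option: value}}) from the idmap lines."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key.lower() == "workgroup":
            workgroup = value.upper()
        elif m := IDMAP_KEY.match(key):
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return workgroup, idmap


def parse_ldif(text):
    """Split an LDIF dump into one {attribute: value} dict per record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line ends the current record
            if current:
                records.append(current)
            current = {}
        else:
            attr, _, value = line.partition(":")
            current[attr.strip()] = value.strip()
    return records


def check(smb_conf, ldif):
    """Return a list of findings; an empty list means everything lines up."""
    findings, dom_range = [], None
    workgroup, idmap = parse_smb_conf(smb_conf)
    star_range = idmap.get("*", {}).get("range", "?")
    if workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup}' block; winbind hands "
                        f"out domain ids from the '*' tdb range {star_range}")
    elif "range" in idmap[workgroup]:
        dom_range = tuple(int(p) for p in idmap[workgroup]["range"].split("-"))
    for rec in parse_ldif(ldif):
        name = rec.get("sAMAccountName", rec.get("dn", "?"))
        uid = rec.get("uidNumber")
        if uid is None:
            findings.append(f"{name}: no uidNumber, so the 'ad' backend cannot "
                            f"map it and 'getent passwd {name}' returns nothing")
        elif dom_range and not dom_range[0] <= int(uid) <= dom_range[1]:
            findings.append(f"{name}: uidNumber {uid} is outside the "
                            f"{workgroup} range {dom_range}")
    return findings
```

Running check(SMB_CONF, LDIF) reports the missing 'idmap config DOMAIN' block and the user without a uidNumber; with FIXED_SMB_CONF only the uidNumber finding remains.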